+20091208
+ - (dtucker) OpenBSD CVS Sync
+ - andreas@cvs.openbsd.org 2009/10/24 11:11:58
+ [roaming.h]
+ Declarations needed for upcoming changes.
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:13:54
+ [sshconnect2.c kex.h kex.c]
+ Let the client detect if the server supports roaming by looking
+ for the resume@appgate.com kex algorithm.
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:15:29
+ [clientloop.c]
+ client_loop() must detect if the session has been suspended and resumed,
+ and take appropriate action in that case.
+ From Martin Forssen, maf at appgate dot com
+ - andreas@cvs.openbsd.org 2009/10/24 11:19:17
+ [ssh2.h]
+ Define the KEX messages used when resuming a suspended connection.
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:22:37
+ [roaming_common.c]
+ Do the actual suspend/resume in the client. This won't be useful until
+ the server side supports roaming.
+ Most code from Martin Forssen, maf at appgate dot com. Some changes by
+ me and markus@
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:23:42
+ [ssh.c]
+ Request roaming to be enabled if UseRoaming is true and the server
+ supports it.
+ ok markus@
+ - reyk@cvs.openbsd.org 2009/10/28 16:38:18
+ [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
+ channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
+ sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
+ Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
+ ok markus@
+ - jmc@cvs.openbsd.org 2009/10/28 21:45:08
+ [sshd_config.5 sftp.1]
+ tweak previous;
+ - djm@cvs.openbsd.org 2009/11/10 02:56:22
+ [ssh_config.5]
+ explain the constraints on LocalCommand some more so people don't
+ try to abuse it.
+ - djm@cvs.openbsd.org 2009/11/10 02:58:56
+ [sshd_config.5]
+ clarify that StrictModes does not apply to ChrootDirectory. Permissions
+ and ownership are always checked when chrooting. bz#1532
+ - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
+ [sshconnect2.c channels.c sshconnect.c]
+ Set close-on-exec on various descriptors so they don't get leaked to
+ child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
+ - markus@cvs.openbsd.org 2009/11/11 21:37:03
+ [channels.c channels.h]
+ fix race condition in x11/agent channel allocation: don't read after
+ the end of the select read/write fdset and make sure a reused FD
+ is not touched before the pre-handlers are called.
+ with and ok djm@
+ - djm@cvs.openbsd.org 2009/11/17 05:31:44
+ [clientloop.c]
+ fix incorrect exit status when multiplexing and channel ID 0 is recycled
+ bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
+ - djm@cvs.openbsd.org 2009/11/19 23:39:50
+ [session.c]
+ bz#1606: error when an attempt is made to connect to a server
+ with ForceCommand=internal-sftp with a shell session (i.e. not a
+ subsystem session). Avoids stuck client when attempting to ssh to such a
+ service. ok dtucker@
+ - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
+ [session.c]
+ Warn but do not fail if stat()ing the subsystem binary fails. This helps
+ with chrootdirectory+forcecommand=sftp-server and restricted shells.
+ bz #1599, ok djm.
+ - djm@cvs.openbsd.org 2009/11/20 00:54:01
+ [sftp.c]
+ bz#1588 change "Connecting to host..." message to "Connected to host."
+ and delay it until after the sftp protocol connection has been established.
+ Avoids confusing sequence of messages when the underlying ssh connection
+ experiences problems. ok dtucker@
+ - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
+ [sshconnect2.c]
+ Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
+ - djm@cvs.openbsd.org 2009/11/20 03:24:07
+ [misc.c]
+ correct off-by-one in percent_expand(): we would fatal() when trying
+ to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
+ work. Note that nothing in OpenSSH actually uses close to this limit at
+ present. bz#1607 from Jan.Pechanec AT Sun.COM
+ - halex@cvs.openbsd.org 2009/11/22 13:18:00
+ [sftp.c]
+ make passing of zero-length arguments to ssh safe by
+ passing "-<switch>" "<value>" rather than "-<switch><value>"
+ ok dtucker@, guenther@, djm@
+ - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
+ [sshconnect2.c]
+ zap unused variable and strlen; from Steve McClellan, ok djm
+ - djm@cvs.openbsd.org 2009/12/06 23:53:45
+ [roaming_common.c]
+ use socklen_t for getsockopt optlen parameter; reported by
+ Steve.McClellan AT radisys.com, ok dtucker@
+
+20091226
+ - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
+ Gzip all man pages. Patch from Corinna Vinschen.
+
+20091221
+ - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
+ Bug #1583: Use system's kerberos principal name on AIX if it's available.
+ Based on a patch from and tested by Miguel Sanders
+
+20091208
+ - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
+ based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
+
+20091207
+ - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
+ Tested by Martin Paljak.
+ - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.
+
+20091121
+ - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
+ Bug 1628. OK dtucker@
+
+20091120
+ - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
+ line arguments as none are supported. Exit when passed unrecognised
+ commandline flags. bz#1568 from gson AT araneus.fi
+
+20091118
+ - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
+ set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
+ setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
+ bz#1648, report and fix from jan.kratochvil AT redhat.com
+ - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
+ bz#1645, patch from jchadima AT redhat.com
+
+20091107
+ - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
+ keys when built with OpenSSL versions that don't do AES.
+
+20091105
+ - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
+ older versions of OpenSSL.
+
+20091024
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2009/10/11 23:03:15
+ [hostfile.c]
+ mention the host name that we are looking for in check_host_in_hostfile()
+ - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
+ [sftp-server.c]
+ sort flags.
+ - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
+ [ssh.1 ssh-agent.1 ssh-add.1]
+ use the UNIX-related macros (.At and .Ux) where appropriate.
+ ok jmc@
+ - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
+ [ssh-agent.1 ssh-add.1 ssh.1]
+ write UNIX-domain in a more consistent way; while here, replace a
+ few remaining ".Tn UNIX" macros with ".Ux" ones.
+ pointed out by ratchov@, thanks!
+ ok jmc@
+ - djm@cvs.openbsd.org 2009/10/22 22:26:13
+ [authfile.c]
+ switch from 3DES to AES-128 for encryption of passphrase-protected
+ SSH protocol 2 private keys; ok several
+ - djm@cvs.openbsd.org 2009/10/23 01:57:11
+ [sshconnect2.c]
+ disallow a hostile server from checking jpake auth by sending an
+ out-of-sequence success message. (doesn't affect code enabled by default)
+ - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
+ [ssh-keygen.1]
+ ssh-keygen now uses AES-128 for private keys
+ - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
+ - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
+ is enabled set the security context to "sftpd_t" before running the
+ internal sftp server Based on a patch from jchadima at redhat.
+
+20091011
+ - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
+ dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
+ lstat.
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2009/10/08 14:03:41
+ [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
+ disable protocol 1 by default (after a transition period of about 10 years)
+ ok deraadt
+ - jmc@cvs.openbsd.org 2009/10/08 20:42:12
+ [sshd_config.5 ssh_config.5 sshd.8 ssh.1]
+ some tweaks now that protocol 1 is not offered by default; ok markus
+ - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
+ [sftp-client.c]
+ d_type isn't portable so use lstat to get dirent modes. Suggested by and
+ "looks sane" deraadt@
+ - markus@cvs.openbsd.org 2009/10/08 18:04:27
+ [regress/test-exec.sh]
+ re-enable protocol v1 for the tests.
+
+20091007
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2009/08/12 00:13:00
+ [sftp.c sftp.1]
+ support most of scp(1)'s commandline arguments in sftp(1), as a first
+ step towards making sftp(1) a drop-in replacement for scp(1).
+ One conflicting option (-P) has not been changed, pending further
+ discussion.
+ Patch from carlosvsilvapt@gmail.com as part of his work in the
+ Google Summer of Code
+ - jmc@cvs.openbsd.org 2009/08/12 06:31:42
+ [sftp.1]
+ sort options;
+ - djm@cvs.openbsd.org 2009/08/13 01:11:19
+ [sftp.1 sftp.c]
+ Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
+ add "-P port" to match scp(1). Fortunately, the -P option is only really
+ used by our regression scripts.
+ part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
+ of Code work; ok deraadt markus
+ - jmc@cvs.openbsd.org 2009/08/13 13:39:54
+ [sftp.1 sftp.c]
+ sync synopsis and usage();
+ - djm@cvs.openbsd.org 2009/08/14 18:17:49
+ [sftp-client.c]
+ make the "get_handle: ..." error messages vaguely useful by allowing
+ callers to specify their own error message strings.
+ - fgsch@cvs.openbsd.org 2009/08/15 18:56:34
+ [auth.h]
+ remove unused define. markus@ ok.
+ (Id sync only, Portable still uses this.)
+ - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
+ [sshd_config.5]
+ Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
+ - djm@cvs.openbsd.org 2009/08/18 18:36:21
+ [sftp-client.h sftp.1 sftp-client.c sftp.c]
+ recursive transfer support for get/put and on the commandline
+ work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
+ with some tweaks by me; "go for it" deraadt@
+ - djm@cvs.openbsd.org 2009/08/18 21:15:59
+ [sftp.1]
+ fix "get" command usage, spotted by jmc@
+ - jmc@cvs.openbsd.org 2009/08/19 04:56:03
+ [sftp.1]
+ ether -> either;
+ - dtucker@cvs.openbsd.org 2009/08/20 23:54:28
+ [mux.c]
+ subsystem_flag is defined in ssh.c so it's extern; ok djm
+ - djm@cvs.openbsd.org 2009/08/27 17:28:52
+ [sftp-server.c]
+ allow setting an explicit umask on the commandline to override whatever
+ default the user has. bz#1229; ok dtucker@ deraadt@ markus@
+ - djm@cvs.openbsd.org 2009/08/27 17:33:49
+ [ssh-keygen.c]
+ force use of correct hash function for random-art signature display
+ as it was inheriting the wrong one when bubblebabble signatures were
+ activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
+ ok markus@
+ - djm@cvs.openbsd.org 2009/08/27 17:43:00
+ [sftp-server.8]
+ allow setting an explicit umask on the commandline to override whatever
+ default the user has. bz#1229; ok dtucker@ deraadt@ markus@
+ - djm@cvs.openbsd.org 2009/08/27 17:44:52
+ [authfd.c ssh-add.c authfd.h]
+ Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
+ when the agent refuses the constrained add request. This was a useful
+ migration measure back in 2002 when constraints were new, but just
+ adds risk now.
+ bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
+ - djm@cvs.openbsd.org 2009/08/31 20:56:02
+ [sftp-server.c]
+ check correct variable for error message, spotted by martynas@
+ - djm@cvs.openbsd.org 2009/08/31 21:01:29
+ [sftp-server.8]
+ document -e and -h; prodded by jmc@
+ - djm@cvs.openbsd.org 2009/09/01 14:43:17
+ [ssh-agent.c]
+ fix a race condition in ssh-agent that could result in a wedged or
+ spinning agent: don't read off the end of the allocated fd_sets, and
+ don't issue blocking read/write on agent sockets - just fall back to
+ select() on retriable read/write errors. bz#1633 reported and tested
+ by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
+ - grunk@cvs.openbsd.org 2009/10/01 11:37:33
+ [dh.c]
+ fix a cast
+ ok djm@ markus@
+ - djm@cvs.openbsd.org 2009/10/06 04:46:40
+ [session.c]
+ bz#1596: fflush(NULL) before exec() to ensure that everying (motd
+ in particular) has made it out before the streams go away.
+ - djm@cvs.openbsd.org 2008/12/07 22:17:48
+ [regress/addrmatch.sh]
+ match string "passwordauthentication" only at start of line, not anywhere
+ in sshd -T output
+ - dtucker@cvs.openbsd.org 2009/05/05 07:51:36
+ [regress/multiplex.sh]
+ Always specify ssh_config for multiplex tests: prevents breakage caused
+ by options in ~/.ssh/config. From Dan Peterson.
+ - djm@cvs.openbsd.org 2009/08/13 00:57:17
+ [regress/Makefile]
+ regression test for port number parsing. written as part of the a2port
+ change that went into 5.2 but I forgot to commit it at the time...
+ - djm@cvs.openbsd.org 2009/08/13 01:11:55
+ [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh
+ regress/sftp-cmds.sh regres/sftp-glob.sh]
+ date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
+ Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
+ add "-P port" to match scp(1). Fortunately, the -P option is only really
+ used by our regression scripts.
+ part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
+ of Code work; ok deraadt markus
+ - djm@cvs.openbsd.org 2009/08/20 18:43:07
+ [regress/ssh-com-sftp.sh]
+ fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
+ Silva for Google Summer of Code
+ - dtucker@cvs.openbsd.org 2009/10/06 23:51:49
+ [regress/ssh2putty.sh]
+ Add OpenBSD tag to make syncs easier
+ - (dtucker) [regress/portnum.sh] Import new test.
+ - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at
+ least dragonflybsd.
+ - (dtucker) d_type is not mandated by POSIX, so add fallback code using
+ stat(), needed on at least cygwin.
+
+20091002
+ - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
+ spotted by des AT des.no
+
+20090926
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update for release
+ - (djm) [README] update relnotes URL
+ - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
+ - (djm) Release 5.3p1
+
+20090911
+ - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
+ 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
+ from jbasney at ncsa uiuc edu.
+
+20090908
+ - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
+ (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
+
+20090901
+ - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
+ krb5-config if it's not in the location specified by --with-kerberos5.
+ Patch from jchadima at redhat.
+
+20090829
+ - (dtucker) [README.platform] Add text about development packages, based on
+ text from Chris Pepper in bug #1631.
+
20090828
- dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently
causes problems in some Tru64 configurations.
the pty master on Solaris, since it never succeeds and can hang if large
amounts of data is sent to the slave (eg a copy-paste). Based on a patch
originally from Doke Scott, ok djm@
+ - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
+ size a compile-time option and set it to 64k on Cygwin, since Corinna
+ reports that it makes a significant difference to performance. ok djm@
+ - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
20090820
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
andersk / openssh.git / blobdiff