+20090107
+ - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X.
+ Patch based on one from vgiffin AT apple.com; ok dtucker@
+ - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via
+ launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked;
+ ok dtucker@
+
+20090107
+ - (tim) [configure.ac defines.h openbsd-compat/port-uw.c
+ openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI.
+ OK djm@ dtucker@
+ - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section.
+ OpenServer 6 doesn't need libcrypt.
+
+20081209
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/12/09 02:38:18
+ [clientloop.c]
+ The ~C escape handler does not work correctly for multiplexed sessions -
+ it opens a commandline on the master session, instead of on the slave
+ that requested it. Disable it on slave sessions until such time as it
+ is fixed; bz#1543 report from Adrian Bridgett via Colin Watson
+ ok markus@
+ - djm@cvs.openbsd.org 2008/12/09 02:39:59
+ [sftp.c]
+ Deal correctly with failures in remote stat() operation in sftp,
+ correcting fail-on-error behaviour in batchmode. bz#1541 report and
+ fix from anedvedicky AT gmail.com; ok markus@
+ - djm@cvs.openbsd.org 2008/12/09 02:58:16
+ [readconf.c]
+ don't leave junk (free'd) pointers around in Forward *fwd argument on
+ failure; avoids double-free in ~C -L handler when given an invalid
+ forwarding specification; bz#1539 report from adejong AT debian.org
+ via Colin Watson; ok markus@ dtucker@
+ - djm@cvs.openbsd.org 2008/12/09 03:02:37
+ [sftp.1 sftp.c]
+ correct sftp(1) and corresponding usage syntax;
+ bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@
+
+20081208
+ - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually
+ use some stack in main().
+ Report and suggested fix from vapier AT gentoo.org
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2008/12/02 19:01:07
+ [clientloop.c]
+ we have to use the recipient's channel number (RFC 4254) for
+ SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages,
+ otherwise we trigger 'Non-public channel' error messages on sshd
+ systems with clientkeepalive enabled; noticed by sturm; ok djm;
+ - markus@cvs.openbsd.org 2008/12/02 19:08:59
+ [serverloop.c]
+ backout 1.149, since it's not necessary and openssh clients send
+ broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@
+ - markus@cvs.openbsd.org 2008/12/02 19:09:38
+ [channels.c]
+ s/remote_id/id/ to be more consistent with other code; ok djm@
+
+20081201
+ - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files
+ and tweak the is-sshd-running check in ssh-host-config. Patch from
+ vinschen at redhat com.
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2008/11/21 15:47:38
+ [packet.c]
+ packet_disconnect() on padding error, too. should reduce the success
+ probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
+ ok djm@
+ - dtucker@cvs.openbsd.org 2008/11/30 11:59:26
+ [monitor_fdpass.c]
+ Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@
+
+20081123
+ - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some
+ declarations, removing an unnecessary union member and adding whitespace.
+ cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago.
+
+20081118
+ - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id
+ member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and
+ feedback by djm@
+
+20081111
+ - (dtucker) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2008/11/05 11:22:54
+ [servconf.c]
+ passord -> password;
+ fixes user/5975 from Rene Maroufi
+ - stevesk@cvs.openbsd.org 2008/11/07 00:42:12
+ [ssh-keygen.c]
+ spelling/typo in comment
+ - stevesk@cvs.openbsd.org 2008/11/07 18:50:18
+ [nchan.c]
+ add space to some log/debug messages for readability; ok djm@ markus@
+ - dtucker@cvs.openbsd.org 2008/11/07 23:34:48
+ [auth2-jpake.c]
+ Move JPAKE define to make life easier for portable. ok djm@
+ - tobias@cvs.openbsd.org 2008/11/09 12:34:47
+ [session.c ssh.1]
+ typo fixed (overriden -> overridden)
+ ok espie, jmc
+ - stevesk@cvs.openbsd.org 2008/11/11 02:58:09
+ [servconf.c]
+ USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
+ kerberosgetafstoken. ok dtucker@
+ (Id sync only, we still want the ifdef in portable)
+ - stevesk@cvs.openbsd.org 2008/11/11 03:55:11
+ [channels.c]
+ for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
+ permitopen's; ok and input dtucker@
+ - djm@cvs.openbsd.org 2008/11/10 02:06:35
+ [regress/putty-ciphers.sh]
+ PuTTY supports AES CTR modes, so interop test against them too
+
+20081105
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/11/03 08:59:41
+ [servconf.c]
+ include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov
+ - djm@cvs.openbsd.org 2008/11/04 07:58:09
+ [auth.c]
+ need unistd.h for close() prototype
+ (ID sync only)
+ - djm@cvs.openbsd.org 2008/11/04 08:22:13
+ [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
+ [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
+ [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
+ [Makefile.in]
+ Add support for an experimental zero-knowledge password authentication
+ method using the J-PAKE protocol described in F. Hao, P. Ryan,
+ "Password Authenticated Key Exchange by Juggling", 16th Workshop on
+ Security Protocols, Cambridge, April 2008.
+
+ This method allows password-based authentication without exposing
+ the password to the server. Instead, the client and server exchange
+ cryptographic proofs to demonstrate of knowledge of the password while
+ revealing nothing useful to an attacker or compromised endpoint.
+
+ This is experimental, work-in-progress code and is presently
+ compiled-time disabled (turn on -DJPAKE in Makefile.inc).
+
+ "just commit it. It isn't too intrusive." deraadt@
+ - stevesk@cvs.openbsd.org 2008/11/04 19:18:00
+ [readconf.c]
+ because parse_forward() is now used to parse all forward types (DLR),
+ and it malloc's space for host variables, we don't need to malloc
+ here. fixes small memory leaks.
+
+ previously dynamic forwards were not parsed in parse_forward() and
+ space was not malloc'd in that case.
+
+ ok djm@
+ - stevesk@cvs.openbsd.org 2008/11/05 03:23:09
+ [clientloop.c ssh.1]
+ add dynamic forward escape command line; ok djm@
+
+20081103
+ - OpenBSD CVS Sync
+ - sthen@cvs.openbsd.org 2008/07/24 23:55:30
+ [ssh-keygen.1]
+ Add "ssh-keygen -F -l" to synopsis (displays fingerprint from
+ known_hosts). ok djm@
+ - grunk@cvs.openbsd.org 2008/07/25 06:56:35
+ [ssh_config]
+ Add VisualHostKey to example file, ok djm@
+ - grunk@cvs.openbsd.org 2008/07/25 07:05:16
+ [key.c]
+ In random art visualization, make sure to use the end marker only at the
+ end. Initial diff by Dirk Loss, tweaks and ok djm@
+ - markus@cvs.openbsd.org 2008/07/31 14:48:28
+ [sshconnect2.c]
+ don't allocate space for empty banners; report t8m at centrum.cz;
+ ok deraadt
+ - krw@cvs.openbsd.org 2008/08/02 04:29:51
+ [ssh_config.5]
+ whitepsace -> whitespace. From Matthew Clarke via bugs@.
+ - djm@cvs.openbsd.org 2008/08/21 04:09:57
+ [session.c]
+ allow ForceCommand internal-sftp with arguments. based on patch from
+ michael.barabanov AT gmail.com; ok markus@
+ - djm@cvs.openbsd.org 2008/09/06 12:24:13
+ [kex.c]
+ OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
+ replacement anymore
+ (ID sync only for portable - we still need this)
+ - markus@cvs.openbsd.org 2008/09/11 14:22:37
+ [compat.c compat.h nchan.c ssh.c]
+ only send eow and no-more-sessions requests to openssh 5 and newer;
+ fixes interop problems with broken ssh v2 implementations; ok djm@
+ - millert@cvs.openbsd.org 2008/10/02 14:39:35
+ [session.c]
+ Convert an unchecked strdup to xstrdup. OK deraadt@
+ - jmc@cvs.openbsd.org 2008/10/03 13:08:12
+ [sshd.8]
+ do not give an example of how to chmod files: we can presume the user
+ knows that. removes an ambiguity in the permission of authorized_keys;
+ ok deraadt
+ - deraadt@cvs.openbsd.org 2008/10/03 23:56:28
+ [sshconnect2.c]
+ Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the
+ function.
+ spotted by des@freebsd, who commited an incorrect fix to the freebsd tree
+ and (as is fairly typical) did not report the problem to us. But this fix
+ is correct.
+ ok djm
+ - djm@cvs.openbsd.org 2008/10/08 23:34:03
+ [ssh.1 ssh.c]
+ Add -y option to force logging via syslog rather than stderr.
+ Useful for daemonised ssh connection (ssh -f). Patch originally from
+ and ok'd by markus@
+ - djm@cvs.openbsd.org 2008/10/09 03:50:54
+ [servconf.c sshd_config.5]
+ support setting PermitEmptyPasswords in a Match block
+ requested in PR3891; ok dtucker@
+ - jmc@cvs.openbsd.org 2008/10/09 06:54:22
+ [ssh.c]
+ add -y to usage();
+ - stevesk@cvs.openbsd.org 2008/10/10 04:55:16
+ [scp.c]
+ spelling in comment; ok djm@
+ - stevesk@cvs.openbsd.org 2008/10/10 05:00:12
+ [key.c]
+ typo in error message; ok djm@
+ - stevesk@cvs.openbsd.org 2008/10/10 16:43:27
+ [ssh_config.5]
+ use 'Privileged ports can be forwarded only when logging in as root on
+ the remote machine.' for RemoteForward just like ssh.1 -R.
+ ok djm@ jmc@
+ - stevesk@cvs.openbsd.org 2008/10/14 18:11:33
+ [sshconnect.c]
+ use #define ROQUIET here; no binary change. ok dtucker@
+ - stevesk@cvs.openbsd.org 2008/10/17 18:36:24
+ [ssh_config.5]
+ correct and clarify VisualHostKey; ok jmc@
+ - stevesk@cvs.openbsd.org 2008/10/30 19:31:16
+ [clientloop.c sshd.c]
+ don't need to #include "monitor_fdpass.h"
+ - stevesk@cvs.openbsd.org 2008/10/31 15:05:34
+ [dispatch.c]
+ remove unused #define DISPATCH_MIN; ok markus@
+ - djm@cvs.openbsd.org 2008/11/01 04:50:08
+ [sshconnect2.c]
+ sprinkle ARGSUSED on dispatch handlers
+ nuke stale unusued prototype
+ - stevesk@cvs.openbsd.org 2008/11/01 06:43:33
+ [channels.c]
+ fix some typos in log messages; ok djm@
+ - sobrado@cvs.openbsd.org 2008/11/01 11:14:36
+ [ssh-keyscan.1 ssh-keyscan.c]
+ the ellipsis is not an optional argument; while here, improve spacing.
+ - stevesk@cvs.openbsd.org 2008/11/01 17:40:33
+ [clientloop.c readconf.c readconf.h ssh.c]
+ merge dynamic forward parsing into parse_forward();
+ 'i think this is OK' djm@
+ - stevesk@cvs.openbsd.org 2008/11/02 00:16:16
+ [ttymodes.c]
+ protocol 2 tty modes support is now 7.5 years old so remove these
+ debug3()s; ok deraadt@
+ - stevesk@cvs.openbsd.org 2008/11/03 01:07:02
+ [readconf.c]
+ remove valueless comment
+ - stevesk@cvs.openbsd.org 2008/11/03 02:44:41
+ [readconf.c]
+ fix comment
+ - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd]
+ Make example scripts generate keys with default sizes rather than fixed,
+ non-default 1024 bits; patch from imorgan AT nas.nasa.gov
+ - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam]
+ [contrib/redhat/sshd.pam] Move pam_nologin to account group from
+ incorrect auth group in example files;
+ patch from imorgan AT nas.nasa.gov
+
+20080906
+ - (dtucker) [config.guess config.sub] Update to latest versions from
+ http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16
+ respectively).
+
+20080830
+ - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs
+ larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch
+ from Nicholas Marriott.
+
+20080721
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/07/23 07:36:55
+ [servconf.c]
+ do not try to print options that have been compile-time disabled
+ in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
+ ok dtucker@
+ - (djm) [servconf.c] Print UsePAM option in config test mode (when it
+ has been compiled in); report from nix-corp AT esperi.org.uk
+ ok dtucker@
+
+20080721
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2008/07/18 22:51:01
+ [sftp-server.8]
+ no need for .Pp before or after .Sh;
+ - djm@cvs.openbsd.org 2008/07/21 08:19:07
+ [version.h]
+ openssh-5.1
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update version number in README and RPM specs
+ - (djm) Release OpenSSH-5.1
+
+20080717
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/07/17 08:48:00
+ [sshconnect2.c]
+ strnvis preauth banner; pointed out by mpf@ ok markus@
+ - djm@cvs.openbsd.org 2008/07/17 08:51:07
+ [auth2-hostbased.c]
+ strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes
+ report and patch from res AT qoxp.net (bz#1200); ok markus@
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat
+ code, replace with equivalent cygwin library call. Patch from vinschen
+ at redhat.com, ok djm@.
+ - (djm) [sshconnect2.c] vis.h isn't available everywhere
+
+20080716
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/07/15 02:23:14
+ [sftp.1]
+ number of pipelined requests is now 64;
+ prodded by Iain.Morgan AT nasa.gov
+ - djm@cvs.openbsd.org 2008/07/16 11:51:14
+ [clientloop.c]
+ rename variable first_gc -> last_gc (since it is actually the last
+ in the list).
+ - djm@cvs.openbsd.org 2008/07/16 11:52:19
+ [channels.c]
+ this loop index should be automatic, not static
+
+20080714
+ - (djm) OpenBSD CVS Sync
+ - sthen@cvs.openbsd.org 2008/07/13 21:22:52
+ [ssh-keygen.c]
+ Change "ssh-keygen -F [host] -l" to not display random art unless
+ -v is also specified, making it consistent with the manual and other
+ uses of -l.
+ ok grunk@
+ - djm@cvs.openbsd.org 2008/07/13 22:13:07
+ [channels.c]
+ use struct sockaddr_storage instead of struct sockaddr for accept(2)
+ address argument. from visibilis AT yahoo.com in bz#1485; ok markus@
+ - djm@cvs.openbsd.org 2008/07/13 22:16:03
+ [sftp.c]
+ increase number of piplelined requests so they properly fill the
+ (recently increased) channel window. prompted by rapier AT psc.edu;
+ ok markus@
+ - djm@cvs.openbsd.org 2008/07/14 01:55:56
+ [sftp-server.8]
+ mention requirement for /dev/log inside chroot when using sftp-server
+ with ChrootDirectory
+ - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to
+ avoid clash with sin(3) function; reported by
+ cristian.ionescu-idbohrn AT axis.com
+ - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close()
+ prototype; reported by cristian.ionescu-idbohrn AT axis.com
+ - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash;
+ reported by cristian.ionescu-idbohrn AT axis.com
+ - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config]
+ [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd]
+ Revamped and simplified Cygwin ssh-host-config script that uses
+ unified csih configuration tool. Requires recent Cygwin.
+ Patch from vinschen AT redhat.com
+
+20080712
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/07/12 04:52:50
+ [channels.c]
+ unbreak; move clearing of cctx struct to before first use
+ reported by dkrause@
+ - djm@cvs.openbsd.org 2008/07/12 05:33:41
+ [scp.1]
+ better description for -i flag:
+ s/RSA authentication/public key authentication/
+ - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h]
+ return EAI_FAMILY when trying to lookup unsupported address family;
+ from vinschen AT redhat.com
+
+20080711
+ - (djm) OpenBSD CVS Sync
+ - stevesk@cvs.openbsd.org 2008/07/07 00:31:41
+ [ttymodes.c]
+ we don't need arg after the debug3() was removed. from lint.
+ ok djm@
+ - stevesk@cvs.openbsd.org 2008/07/07 23:32:51
+ [key.c]
+ /*NOTREACHED*/ for lint warning:
+ warning: function key_equal falls off bottom without returning value
+ ok djm@
+ - markus@cvs.openbsd.org 2008/07/10 18:05:58
+ [channels.c]
+ missing bzero; from mickey; ok djm@
+ - markus@cvs.openbsd.org 2008/07/10 18:08:11
+ [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c]
+ sync v1 and v2 traffic accounting; add it to sshd, too;
+ ok djm@, dtucker@
+
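Review bot: Two date headings are duplicated in this hunk: 20090107 opens both the (djm) uidswap.c/channels.c block and the (tim) SECUREWARE block at the top, and 20080721 opens both the servconf.c "sshd -T" block and the openssh-5.1 release block. The first 20080721 block contains a sync entry stamped 2008/07/23 07:36:55, which is later than its own heading, so that heading looks wrong rather than just repeated. Suggest correcting the heading of that block to match its entries, and either merging the two 20090107 blocks under one heading or fixing whichever date is off, so that a lookup by date lands on a single block. Separately, the entries for bz#1539 (freed pointers left in the Forward *fwd argument, double-free in the ~C -L handler) and for the packet_disconnect() on padding error change (CPNI-957037) are security-relevant; a reader scanning for fixes to backport would be helped if the corresponding release notes call them out, since here they sit among typo and comment fixes with no marker.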