+20100130
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2010/01/28 00:21:18
+ [clientloop.c]
+ downgrade an error() to a debug() - this particular case can be hit in
+ normal operation for certain sequences of mux slave vs session closure
+ and is harmless
+ - djm@cvs.openbsd.org 2010/01/29 00:20:41
+ [sshd.c]
+ set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
+ ok dtucker@
+ - djm@cvs.openbsd.org 2010/01/29 20:16:17
+ [mux.c]
+ kill correct channel (was killing already-dead mux channel, not
+ its session channel)
+ - djm@cvs.openbsd.org 2010/01/30 02:54:53
+ [mux.c]
+ don't mark channel as read failed if it is already closing; suppresses
+ harmless error messages when connecting to SSH.COM Tectia server
+ report by imorgan AT nas.nasa.gov
+
+20100129
+ - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
+ after registering the hardware engines, which causes the openssl.cnf file to
+ be processed. See OpenSSL's man page for OPENSSL_config(3) for details.
+ Patch from Solomon Peachy, ok djm@.
+
+20100128
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2010/01/26 02:15:20
+ [mux.c]
+ -Wuninitialized and remove a // comment; from portable
+ (Id sync only)
+ - djm@cvs.openbsd.org 2010/01/27 13:26:17
+ [mux.c]
+ fix bug introduced in mux rewrite:
+
+ In a mux master, when a socket to a mux slave closes before its server
+ session (as may occur when the slave has been signalled), gracefully
+ close the server session rather than deleting its channel immediately.
+ A server may have more messages on that channel to send (e.g. an exit
+ message) that will fatal() the client if they are sent to a channel that
+ has been prematurely deleted.
+
+ spotted by imorgan AT nas.nasa.gov
+ - djm@cvs.openbsd.org 2010/01/27 19:21:39
+ [sftp.c]
+ add missing "p" flag to getopt optstring;
+ bz#1704 from imorgan AT nas.nasa.gov
+
+20100126
+ - (djm) OpenBSD CVS Sync
+ - tedu@cvs.openbsd.org 2010/01/17 21:49:09
+ [ssh-agent.1]
+ Correct and clarify ssh-add's password asking behavior.
+ Improved text dtucker and ok jmc
+ - dtucker@cvs.openbsd.org 2010/01/18 01:50:27
+ [roaming_client.c]
+ s/long long unsigned/unsigned long long/, from tim via portable
+ (Id sync only, change already in portable)
+ - djm@cvs.openbsd.org 2010/01/26 01:28:35
+ [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
+ rewrite ssh(1) multiplexing code to a more sensible protocol.
+
+ The new multiplexing code uses channels for the listener and
+ accepted control sockets to make the mux master non-blocking, so
+ no stalls when processing messages from a slave.
+
+ avoid use of fatal() in mux master protocol parsing so an errant slave
+ process cannot take down a running master.
+
+ implement requesting of port-forwards over multiplexed sessions. Any
+ port forwards requested by the slave are added to those the master has
+ established.
+
+ add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
+
+ document master/slave mux protocol so that other tools can use it to
+ control a running ssh(1). Note: there are no guarantees that this
+ protocol won't be incompatibly changed (though it is versioned).
+
+ feedback Salvador Fandino, dtucker@
+ channel changes ok markus@
+
+20100122
+ - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
+ socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
+ in Cygwin to 65535. Patch from Corinna Vinschen.
+
+20100117
+ - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.
+ - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions
+ snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf().
+
+20100116
+ - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h
+ so we correctly detect whether or not we have a native user_from_uid.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid
+ and group_from_gid.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by
+ Tim.
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2010/01/15 09:24:23
+ [sftp-common.c]
+ unused
+ - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused
+ variable warnings.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Typo.
+ - (tim) [regress/portnum.sh] Shell portability fix.
+ - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native
+ getaddrinfo() is too old and limited for addr_pton() in addrmatch.c.
+ - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we
+ use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/
+ to keep USL compilers happy.
+
+20100115
+ - (dtucker) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2010/01/13 12:48:34
+ [sftp.1 sftp.c]
+ sftp.1: put ls -h in the right place
+ sftp.c: as above, plus add -p to get/put, and shorten their arg names
+ to keep the help usage nicely aligned
+ ok djm
+ - djm@cvs.openbsd.org 2010/01/13 23:47:26
+ [auth.c]
+ when using ChrootDirectory, make sure we test for the existence of the
+ user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
+ ok dtucker
+ - dtucker@cvs.openbsd.org 2010/01/14 23:41:49
+ [sftp-common.c]
+ use user_from{uid,gid} to lookup up ids since it keeps a small cache.
+ ok djm
+ - guenther@cvs.openbsd.org 2010/01/15 00:05:22
+ [sftp.c]
+ Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
+ inherited SIGTERM as ignored it will still be able to kill the ssh it
+ starts.
+ ok dtucker@
+ - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no
+ changes yet but there will be some to come).
+ - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability
+ for pwcache. Also, added caching of negative hits.
+
+20100114
+ - (djm) [platform.h] Add missing prototype for
+ platform_krb5_get_principal_name
+
+20100113
+ - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18:
+ missing restore of SIGTTOU and some whitespace.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.
+ Fixes bz #1590, where sometimes you could not interrupt a connection while
+ ssh was prompting for a passphrase or password.
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2010/01/13 00:19:04
+ [sshconnect.c auth.c]
+ Fix a couple of typos/mispellings in comments
+ - dtucker@cvs.openbsd.org 2010/01/13 01:10:56
+ [key.c]
+ Ignore and log any Protocol 1 keys where the claimed size is not equal to
+ the actual size. Noted by Derek Martin, ok djm@
+ - dtucker@cvs.openbsd.org 2010/01/13 01:20:20
+ [canohost.c ssh-keysign.c sshconnect2.c]
+ Make HostBased authentication work with a ProxyCommand. bz #1569, patch
+ from imorgan at nas nasa gov, ok djm@
+ - djm@cvs.openbsd.org 2010/01/13 01:40:16
+ [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h]
+ support '-h' (human-readable units) for sftp's ls command, just like
+ ls(1); ok dtucker@
+ - djm@cvs.openbsd.org 2010/01/13 03:48:13
+ [servconf.c servconf.h sshd.c]
+ avoid run-time failures when specifying hostkeys via a relative
+ path by prepending the cwd in these cases; bz#1290; ok dtucker@
+ - djm@cvs.openbsd.org 2010/01/13 04:10:50
+ [sftp.c]
+ don't append a space after inserting a completion of a directory (i.e.
+ a path ending in '/') for a slightly better user experience; ok dtucker@
+ - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef.
+ - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG.
+ feedback and ok dtucker@
+
+20100112
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
+ [ssh_config channels.c ssh.1 channels.h ssh.c]
+ Add a 'netcat mode' (ssh -W). This connects stdio on the client to a
+ single port forward on the server. This allows, for example, using ssh as
+ a ProxyCommand to route connections via intermediate servers.
+ bz #1618, man page help from jmc@, ok markus@
+ - dtucker@cvs.openbsd.org 2010/01/11 04:46:45
+ [authfile.c sshconnect2.c]
+ Do not prompt for a passphrase if we fail to open a keyfile, and log the
+ reason the open failed to debug.
+ bz #1693, found by tj AT castaglia org, ok djm@
+ - djm@cvs.openbsd.org 2010/01/11 10:51:07
+ [ssh-keygen.c]
+ when converting keys, truncate key comments at 72 chars as per RFC4716;
+ bz#1630 reported by tj AT castaglia.org; ok markus@
+ - dtucker@cvs.openbsd.org 2010/01/12 00:16:47
+ [authfile.c]
+ Fix bug introduced in r1.78 (incorrect brace location) that broke key auth.
+ Patch from joachim joachimschipper nl.
+ - djm@cvs.openbsd.org 2010/01/12 00:58:25
+ [monitor_fdpass.c]
+ avoid spinning when fd passing on nonblocking sockets by calling poll()
+ in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@
+ - djm@cvs.openbsd.org 2010/01/12 00:59:29
+ [roaming_common.c]
+ delete with extreme prejudice a debug() that fired with every keypress;
+ ok dtucker deraadt
+ - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
+ [session.c]
+ Do not allow logins if /etc/nologin exists but is not readable by the user
+ logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
+ - djm@cvs.openbsd.org 2010/01/12 01:36:08
+ [buffer.h bufaux.c]
+ add a buffer_get_string_ptr_ret() that does the same as
+ buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
+ - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
+ [session.c]
+ Add explicit stat so we reliably detect nologin with bad perms.
+ ok djm markus
+
+20100110
+ - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
+ Remove hacks add for RoutingDomain in preparation for its removal.
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
+ [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
+ ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
+ readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
+ Remove RoutingDomain from ssh since it's now not needed. It can be
+ replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
+ also ensures that trafic such as DNS lookups stays withing the specified
+ routingdomain. For example (from reyk):
+ # route -T 2 exec /usr/sbin/sshd
+ or inherited from the parent process
+ $ route -T 2 exec sh
+ $ ssh 10.1.2.3
+ ok deraadt@ markus@ stevesk@ reyk@
+ - dtucker@cvs.openbsd.org 2010/01/10 03:51:17
+ [servconf.c]
+ Add ChrootDirectory to sshd.c test-mode output
+ - dtucker@cvs.openbsd.org 2010/01/10 07:15:56
+ [auth.c]
+ Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
+
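Review bot: The file list in the last 20100115 entry is never closed: "[configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability" needs a "]" before "Portability", as every other bracketed file list in this hunk has. In the first 20100110 entry, "Remove hacks add for RoutingDomain" should read "added". Contributor addresses are also obfuscated three different ways in the added lines ("imorgan AT nas.nasa.gov", "imorgan at nas nasa gov", "Jan.Pechanec at Sun"); settling on one form would keep the log searchable by reporter.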
+20100109