X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/c7cbf3777ab3ab08d002f8ce100bd8227d6820e9..09925c002465cce27d461f64ae6cf43ead5ef31d:/ChangeLog diff --git a/ChangeLog b/ChangeLog index 66a80f91..8bc5e9a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,407 @@ +20081209 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/12/09 02:38:18 + [clientloop.c] + The ~C escape handler does not work correctly for multiplexed sessions - + it opens a commandline on the master session, instead of on the slave + that requested it. Disable it on slave sessions until such time as it + is fixed; bz#1543 report from Adrian Bridgett via Colin Watson + ok markus@ + +20081208 + - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually + use some stack in main(). + Report and suggested fix from vapier AT gentoo.org + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2008/12/02 19:01:07 + [clientloop.c] + we have to use the recipient's channel number (RFC 4254) for + SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages, + otherwise we trigger 'Non-public channel' error messages on sshd + systems with clientkeepalive enabled; noticed by sturm; ok djm; + - markus@cvs.openbsd.org 2008/12/02 19:08:59 + [serverloop.c] + backout 1.149, since it's not necessary and openssh clients send + broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@ + - markus@cvs.openbsd.org 2008/12/02 19:09:38 + [channels.c] + s/remote_id/id/ to be more consistent with other code; ok djm@ + +20081201 + - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files + and tweak the is-sshd-running check in ssh-host-config. Patch from + vinschen at redhat com. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2008/11/21 15:47:38 + [packet.c] + packet_disconnect() on padding error, too. should reduce the success + probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 + ok djm@ + - dtucker@cvs.openbsd.org 2008/11/30 11:59:26 + [monitor_fdpass.c] + Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@ + +20081123 + - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some + declarations, removing an unnecessary union member and adding whitespace. + cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago. + +20081118 + - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id + member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and + feedback by djm@ + +20081111 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2008/11/05 11:22:54 + [servconf.c] + passord -> password; + fixes user/5975 from Rene Maroufi + - stevesk@cvs.openbsd.org 2008/11/07 00:42:12 + [ssh-keygen.c] + spelling/typo in comment + - stevesk@cvs.openbsd.org 2008/11/07 18:50:18 + [nchan.c] + add space to some log/debug messages for readability; ok djm@ markus@ + - dtucker@cvs.openbsd.org 2008/11/07 23:34:48 + [auth2-jpake.c] + Move JPAKE define to make life easier for portable. ok djm@ + - tobias@cvs.openbsd.org 2008/11/09 12:34:47 + [session.c ssh.1] + typo fixed (overriden -> overridden) + ok espie, jmc + - stevesk@cvs.openbsd.org 2008/11/11 02:58:09 + [servconf.c] + USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing + kerberosgetafstoken. ok dtucker@ + (Id sync only, we still want the ifdef in portable) + - stevesk@cvs.openbsd.org 2008/11/11 03:55:11 + [channels.c] + for sshd -T print 'permitopen any' vs. 'permitopen' for case of no + permitopen's; ok and input dtucker@ + - djm@cvs.openbsd.org 2008/11/10 02:06:35 + [regress/putty-ciphers.sh] + PuTTY supports AES CTR modes, so interop test against them too + +20081105 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/11/03 08:59:41 + [servconf.c] + include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov + - djm@cvs.openbsd.org 2008/11/04 07:58:09 + [auth.c] + need unistd.h for close() prototype + (ID sync only) + - djm@cvs.openbsd.org 2008/11/04 08:22:13 + [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] + [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] + [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] + [Makefile.in] + Add support for an experimental zero-knowledge password authentication + method using the J-PAKE protocol described in F. Hao, P. Ryan, + "Password Authenticated Key Exchange by Juggling", 16th Workshop on + Security Protocols, Cambridge, April 2008. + + This method allows password-based authentication without exposing + the password to the server. Instead, the client and server exchange + cryptographic proofs to demonstrate of knowledge of the password while + revealing nothing useful to an attacker or compromised endpoint. + + This is experimental, work-in-progress code and is presently + compiled-time disabled (turn on -DJPAKE in Makefile.inc). + + "just commit it. It isn't too intrusive." deraadt@ + - stevesk@cvs.openbsd.org 2008/11/04 19:18:00 + [readconf.c] + because parse_forward() is now used to parse all forward types (DLR), + and it malloc's space for host variables, we don't need to malloc + here. fixes small memory leaks. + + previously dynamic forwards were not parsed in parse_forward() and + space was not malloc'd in that case. + + ok djm@ + - stevesk@cvs.openbsd.org 2008/11/05 03:23:09 + [clientloop.c ssh.1] + add dynamic forward escape command line; ok djm@ + +20081103 + - OpenBSD CVS Sync + - sthen@cvs.openbsd.org 2008/07/24 23:55:30 + [ssh-keygen.1] + Add "ssh-keygen -F -l" to synopsis (displays fingerprint from + known_hosts). ok djm@ + - grunk@cvs.openbsd.org 2008/07/25 06:56:35 + [ssh_config] + Add VisualHostKey to example file, ok djm@ + - grunk@cvs.openbsd.org 2008/07/25 07:05:16 + [key.c] + In random art visualization, make sure to use the end marker only at the + end. Initial diff by Dirk Loss, tweaks and ok djm@ + - markus@cvs.openbsd.org 2008/07/31 14:48:28 + [sshconnect2.c] + don't allocate space for empty banners; report t8m at centrum.cz; + ok deraadt + - krw@cvs.openbsd.org 2008/08/02 04:29:51 + [ssh_config.5] + whitepsace -> whitespace. From Matthew Clarke via bugs@. + - djm@cvs.openbsd.org 2008/08/21 04:09:57 + [session.c] + allow ForceCommand internal-sftp with arguments. based on patch from + michael.barabanov AT gmail.com; ok markus@ + - djm@cvs.openbsd.org 2008/09/06 12:24:13 + [kex.c] + OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our + replacement anymore + (ID sync only for portable - we still need this) + - markus@cvs.openbsd.org 2008/09/11 14:22:37 + [compat.c compat.h nchan.c ssh.c] + only send eow and no-more-sessions requests to openssh 5 and newer; + fixes interop problems with broken ssh v2 implementations; ok djm@ + - millert@cvs.openbsd.org 2008/10/02 14:39:35 + [session.c] + Convert an unchecked strdup to xstrdup. OK deraadt@ + - jmc@cvs.openbsd.org 2008/10/03 13:08:12 + [sshd.8] + do not give an example of how to chmod files: we can presume the user + knows that. removes an ambiguity in the permission of authorized_keys; + ok deraadt + - deraadt@cvs.openbsd.org 2008/10/03 23:56:28 + [sshconnect2.c] + Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the + function. + spotted by des@freebsd, who commited an incorrect fix to the freebsd tree + and (as is fairly typical) did not report the problem to us. But this fix + is correct. + ok djm + - djm@cvs.openbsd.org 2008/10/08 23:34:03 + [ssh.1 ssh.c] + Add -y option to force logging via syslog rather than stderr. + Useful for daemonised ssh connection (ssh -f). Patch originally from + and ok'd by markus@ + - djm@cvs.openbsd.org 2008/10/09 03:50:54 + [servconf.c sshd_config.5] + support setting PermitEmptyPasswords in a Match block + requested in PR3891; ok dtucker@ + - jmc@cvs.openbsd.org 2008/10/09 06:54:22 + [ssh.c] + add -y to usage(); + - stevesk@cvs.openbsd.org 2008/10/10 04:55:16 + [scp.c] + spelling in comment; ok djm@ + - stevesk@cvs.openbsd.org 2008/10/10 05:00:12 + [key.c] + typo in error message; ok djm@ + - stevesk@cvs.openbsd.org 2008/10/10 16:43:27 + [ssh_config.5] + use 'Privileged ports can be forwarded only when logging in as root on + the remote machine.' for RemoteForward just like ssh.1 -R. + ok djm@ jmc@ + - stevesk@cvs.openbsd.org 2008/10/14 18:11:33 + [sshconnect.c] + use #define ROQUIET here; no binary change. ok dtucker@ + - stevesk@cvs.openbsd.org 2008/10/17 18:36:24 + [ssh_config.5] + correct and clarify VisualHostKey; ok jmc@ + - stevesk@cvs.openbsd.org 2008/10/30 19:31:16 + [clientloop.c sshd.c] + don't need to #include "monitor_fdpass.h" + - stevesk@cvs.openbsd.org 2008/10/31 15:05:34 + [dispatch.c] + remove unused #define DISPATCH_MIN; ok markus@ + - djm@cvs.openbsd.org 2008/11/01 04:50:08 + [sshconnect2.c] + sprinkle ARGSUSED on dispatch handlers + nuke stale unusued prototype + - stevesk@cvs.openbsd.org 2008/11/01 06:43:33 + [channels.c] + fix some typos in log messages; ok djm@ + - sobrado@cvs.openbsd.org 2008/11/01 11:14:36 + [ssh-keyscan.1 ssh-keyscan.c] + the ellipsis is not an optional argument; while here, improve spacing. + - stevesk@cvs.openbsd.org 2008/11/01 17:40:33 + [clientloop.c readconf.c readconf.h ssh.c] + merge dynamic forward parsing into parse_forward(); + 'i think this is OK' djm@ + - stevesk@cvs.openbsd.org 2008/11/02 00:16:16 + [ttymodes.c] + protocol 2 tty modes support is now 7.5 years old so remove these + debug3()s; ok deraadt@ + - stevesk@cvs.openbsd.org 2008/11/03 01:07:02 + [readconf.c] + remove valueless comment + - stevesk@cvs.openbsd.org 2008/11/03 02:44:41 + [readconf.c] + fix comment + - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] + Make example scripts generate keys with default sizes rather than fixed, + non-default 1024 bits; patch from imorgan AT nas.nasa.gov + - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] + [contrib/redhat/sshd.pam] Move pam_nologin to account group from + incorrect auth group in example files; + patch from imorgan AT nas.nasa.gov + +20080906 + - (dtucker) [config.guess config.sub] Update to latest versions from + http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16 + respectively). + +20080830 + - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs + larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch + from Nicholas Marriott. + +20080721 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/23 07:36:55 + [servconf.c] + do not try to print options that have been compile-time disabled + in config test mode (sshd -T); report from nix-corp AT esperi.org.uk + ok dtucker@ + - (djm) [servconf.c] Print UsePAM option in config test mode (when it + has been compiled in); report from nix-corp AT esperi.org.uk + ok dtucker@ + +20080721 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2008/07/18 22:51:01 + [sftp-server.8] + no need for .Pp before or after .Sh; + - djm@cvs.openbsd.org 2008/07/21 08:19:07 + [version.h] + openssh-5.1 + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update version number in README and RPM specs + - (djm) Release OpenSSH-5.1 + +20080717 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/17 08:48:00 + [sshconnect2.c] + strnvis preauth banner; pointed out by mpf@ ok markus@ + - djm@cvs.openbsd.org 2008/07/17 08:51:07 + [auth2-hostbased.c] + strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes + report and patch from res AT qoxp.net (bz#1200); ok markus@ + - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat + code, replace with equivalent cygwin library call. Patch from vinschen + at redhat.com, ok djm@. + - (djm) [sshconnect2.c] vis.h isn't available everywhere + +20080716 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/15 02:23:14 + [sftp.1] + number of pipelined requests is now 64; + prodded by Iain.Morgan AT nasa.gov + - djm@cvs.openbsd.org 2008/07/16 11:51:14 + [clientloop.c] + rename variable first_gc -> last_gc (since it is actually the last + in the list). + - djm@cvs.openbsd.org 2008/07/16 11:52:19 + [channels.c] + this loop index should be automatic, not static + +20080714 + - (djm) OpenBSD CVS Sync + - sthen@cvs.openbsd.org 2008/07/13 21:22:52 + [ssh-keygen.c] + Change "ssh-keygen -F [host] -l" to not display random art unless + -v is also specified, making it consistent with the manual and other + uses of -l. + ok grunk@ + - djm@cvs.openbsd.org 2008/07/13 22:13:07 + [channels.c] + use struct sockaddr_storage instead of struct sockaddr for accept(2) + address argument. from visibilis AT yahoo.com in bz#1485; ok markus@ + - djm@cvs.openbsd.org 2008/07/13 22:16:03 + [sftp.c] + increase number of piplelined requests so they properly fill the + (recently increased) channel window. prompted by rapier AT psc.edu; + ok markus@ + - djm@cvs.openbsd.org 2008/07/14 01:55:56 + [sftp-server.8] + mention requirement for /dev/log inside chroot when using sftp-server + with ChrootDirectory + - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to + avoid clash with sin(3) function; reported by + cristian.ionescu-idbohrn AT axis.com + - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close() + prototype; reported by cristian.ionescu-idbohrn AT axis.com + - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash; + reported by cristian.ionescu-idbohrn AT axis.com + - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config] + [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd] + Revamped and simplified Cygwin ssh-host-config script that uses + unified csih configuration tool. Requires recent Cygwin. + Patch from vinschen AT redhat.com + +20080712 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/12 04:52:50 + [channels.c] + unbreak; move clearing of cctx struct to before first use + reported by dkrause@ + - djm@cvs.openbsd.org 2008/07/12 05:33:41 + [scp.1] + better description for -i flag: + s/RSA authentication/public key authentication/ + - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h] + return EAI_FAMILY when trying to lookup unsupported address family; + from vinschen AT redhat.com + +20080711 + - (djm) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2008/07/07 00:31:41 + [ttymodes.c] + we don't need arg after the debug3() was removed. from lint. + ok djm@ + - stevesk@cvs.openbsd.org 2008/07/07 23:32:51 + [key.c] + /*NOTREACHED*/ for lint warning: + warning: function key_equal falls off bottom without returning value + ok djm@ + - markus@cvs.openbsd.org 2008/07/10 18:05:58 + [channels.c] + missing bzero; from mickey; ok djm@ + - markus@cvs.openbsd.org 2008/07/10 18:08:11 + [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c] + sync v1 and v2 traffic accounting; add it to sshd, too; + ok djm@, dtucker@ + +20080709 + - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass + - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM + account check failure path. The vulnerable format buffer is supplied + from PAM and should not contain attacker-supplied data. + - (djm) [auth.c] Missing unistd.h for close() + - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x + +20080705 + - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed + passwords disabled. bz#1083 report & patch from senthilkumar_sen AT + hotpop.com, w/ dtucker@ + - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for + Tru64. readv doesn't seem to be a comparable object there. + bz#1386, patch from dtucker@ ok me + - (djm) [Makefile.in] Pass though pass to conch for interop tests + - (djm) [configure.ac] unbreak: remove extra closing brace + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/04 23:08:25 + [packet.c] + handle EINTR in packet_write_poll()l ok dtucker@ + - djm@cvs.openbsd.org 2008/07/04 23:30:16 + [auth1.c auth2.c] + Make protocol 1 MaxAuthTries logic match protocol 2's. + Do not treat the first protocol 2 authentication attempt as + a failure IFF it is for method "none". + Makes MaxAuthTries' user-visible behaviour identical for + protocol 1 vs 2. + ok dtucker@ + - djm@cvs.openbsd.org 2008/07/05 05:16:01 + [PROTOCOL] + grammar + 20080704 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2008/07/02 13:30:34 @@ -22,9 +426,19 @@ [regress/key-options.sh] shell portability: use "=" instead of "==" in test(1) expressions, double-quote string with backslash escaped / - + - djm@cvs.openbsd.org 2008/06/30 10:31:11 + [regress/{putty-transfer,putty-kex,putty-ciphers}.sh] + remove "set -e" left over from debugging + - djm@cvs.openbsd.org 2008/06/30 10:43:03 + [regress/conch-ciphers.sh] + explicitly disable conch options that could interfere with the test - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link returns EXDEV. Patch from Mike Garrison, ok djm@ + - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h] + [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c] + [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on + some platforms (HP nonstop) it is a distinct errno; + bz#1467 reported by sconeu AT yahoo.com; ok dtucker@ 20080702 - (dtucker) OpenBSD CVS Sync @@ -4561,3 +4975,4 @@ passwords between UnixWare and OpenServer they will still work. OK dtucker@ $Id$ +