dtucker [Tue, 8 Feb 2005 22:46:47 +0000 (22:46 +0000)]
- dtucker@cvs.openbsd.org 2005/01/28 09:45:53
[ssh_config]
Make it clear that the example entries in ssh_config are only some of the
commonly-used options and refer the user to ssh_config(5) for more
details; ok djm@
dtucker [Tue, 8 Feb 2005 10:52:47 +0000 (10:52 +0000)]
- (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
defines and enums with SSH_ to prevent namespace collisions on some
platforms (eg AIX).
dtucker [Tue, 8 Feb 2005 09:17:17 +0000 (09:17 +0000)]
- (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
regress tests so newer versions of GNU head(1) behave themselves. Patch
by djm, so ok me.
dtucker [Wed, 2 Feb 2005 13:37:14 +0000 (13:37 +0000)]
- (dtucker) [added audit.c audit.h] Bug #125: (first stage) Add audit
instrumentation to sshd, currently disabled by default. with suggestions
from and djm@
dtucker [Wed, 2 Feb 2005 12:30:24 +0000 (12:30 +0000)]
- (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
Bug #974: Teach sshd to write failed login records to btmp for failed auth
attempts (currently only for password, kbdint and C/R, only on Linux and
HP-UX), based on code from login.c from util-linux. With ashok_kovai at
hotmail.com, ok djm@
dtucker [Wed, 2 Feb 2005 07:30:33 +0000 (07:30 +0000)]
- (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child
the process. Since we also unset KRB5CCNAME at startup, if it's set after
authentication it must have been set by the platform's native auth system.
This was already done for AIX; this enables it for the general case.
dtucker [Wed, 2 Feb 2005 06:10:11 +0000 (06:10 +0000)]
- (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
Make record_failed_login() call provide hostname rather than having the
implementations having to do lookups themselves. Only affects AIX and
UNICOS (the latter only uses the "user" parameter anyway). ok djm@
dtucker [Tue, 1 Feb 2005 06:35:09 +0000 (06:35 +0000)]
- (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
platforms syslog will revert to its default values. This may result in
messages from external libraries (eg libwrap) being sent to a different
facility.
dtucker [Mon, 24 Jan 2005 10:57:40 +0000 (10:57 +0000)]
- dtucker@cvs.openbsd.org 2005/01/24 10:22:06
[scp.c sftp.c]
Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@
dtucker [Mon, 24 Jan 2005 10:56:48 +0000 (10:56 +0000)]
- dtucker@cvs.openbsd.org 2005/01/22 08:17:59
[auth.c]
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@
dtucker [Mon, 24 Jan 2005 10:55:49 +0000 (10:55 +0000)]
- otto@cvs.openbsd.org 2005/01/21 08:32:02
[auth-passwd.c sshd.c]
Warn in advance for password and account expiry; initialize loginmsg
buffer earlier and clear it after privsep fork. ok and help dtucker@
markus@
dtucker [Thu, 20 Jan 2005 11:07:29 +0000 (11:07 +0000)]
- (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
bytes to prevent errors from login_init_entry() when the username is
exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
dtucker [Thu, 20 Jan 2005 02:27:56 +0000 (02:27 +0000)]
- djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c]
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
many years now; ok deraadt@
(Id sync only: Portable will continue to support older OpenSSLs)
dtucker [Thu, 20 Jan 2005 01:43:38 +0000 (01:43 +0000)]
- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
existence via keyboard-interactive/pam, in conjunction with previous
auth2-chall.c change; with Colin Watson and djm.
dtucker [Thu, 20 Jan 2005 00:05:34 +0000 (00:05 +0000)]
- dtucker@cvs.openbsd.org 2005/01/19 13:11:47
[auth-bsdauth.c auth2-chall.c]
Have keyboard-interactive code call the drivers even for responses for
invalid logins. This allows the drivers themselves to decide how to
handle them and prevent leaking information where possible. Existing
behaviour for bsdauth is maintained by checking authctxt->valid in the
bsdauth driver. Note that any third-party kbdint drivers will now need
to be able to handle responses for invalid logins. ok markus@
dtucker [Wed, 19 Jan 2005 23:57:56 +0000 (23:57 +0000)]
- djm@cvs.openbsd.org 2004/12/23 23:11:00
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
bz #898: support AddressFamily in sshd_config. from
peak@argo.troja.mff.cuni.cz; ok deraadt@
dtucker [Tue, 18 Jan 2005 01:05:18 +0000 (01:05 +0000)]
- (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
"make survey" and "make send-survey". This will provide data on the
configure parameters, platform and platform features to the development
team, which will allow (among other things) better targetting of testing.
It's entirely voluntary and is off be default. ok djm@
dtucker [Mon, 20 Dec 2004 01:35:42 +0000 (01:35 +0000)]
- (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
on some wacky platforms (eg old AIXes), dd will refuse to create an output
file if it doesn't exist.
dtucker [Mon, 20 Dec 2004 01:05:08 +0000 (01:05 +0000)]
- (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
from prngd is enabled at compile time but fails at run time, eg because
prngd is not running. Note that if you have prngd running when OpenSSH is
built, OpenSSL will consider itself internally seeded and rand-helper won't
be built at all unless explicitly enabled via --with-rand-helper. ok djm@
dtucker [Sat, 11 Dec 2004 02:39:50 +0000 (02:39 +0000)]
- dtucker@cvs.openbsd.org 2004/12/11 01:48:56
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
Fix debug call in error path of authorized_keys processing and fix related
warnings; ok djm@
dtucker [Sat, 11 Dec 2004 02:37:22 +0000 (02:37 +0000)]
- fgsch@cvs.openbsd.org 2004/12/10 03:10:42
[sftp.c]
- fix globbed ls for paths the same lenght as the globbed path when
we have a unique matching.
- fix globbed ls in case of a directory when we have a unique matching.
- as a side effect, if the path does not exist error (used to silently
ignore).
- don't do extra do_lstat() if we only have one matching file.
djm@ ok
dtucker [Mon, 6 Dec 2004 12:00:27 +0000 (12:00 +0000)]
- djm@cvs.openbsd.org 2004/06/26 06:16:07
[reexec.sh]
don't change the name of the copied sshd for the reexec fallback test,
makes life simpler for portable
dtucker [Mon, 6 Dec 2004 11:47:41 +0000 (11:47 +0000)]
- dtucker@cvs.openbsd.org 2004/12/06 11:41:03
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
Discard over-length authorized_keys entries rather than complaining when
they don't decode. bz #884, with & ok djm@
dtucker [Mon, 6 Dec 2004 11:46:45 +0000 (11:46 +0000)]
- jaredy@cvs.openbsd.org 2004/12/05 23:55:07
[sftp.1]
- explain that patterns can be used as arguments in get/put/ls/etc
commands (prodded by Michael Knudsen)
- describe ls flags as a list
- other minor improvements
ok jmc, djm
dtucker [Fri, 3 Dec 2004 03:33:47 +0000 (03:33 +0000)]
- (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
subsequently denied by the PAM auth stack, send the PAM message to the
user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
ok djm@
dtucker [Sun, 7 Nov 2004 09:06:19 +0000 (09:06 +0000)]
- djm@cvs.openbsd.org 2004/11/07 00:01:46
[clientloop.c clientloop.h ssh.1 ssh.c]
add basic control of a running multiplex master connection; including the
ability to check its status and request it to exit; ok markus@
dtucker [Sun, 7 Nov 2004 09:04:10 +0000 (09:04 +0000)]
- djm@cvs.openbsd.org 2004/11/05 12:19:56
[sftp.c]
command editing and history support via libedit; ok markus@
thanks to hshoexer@ and many testers on tech@ too
dtucker [Fri, 5 Nov 2004 09:41:24 +0000 (09:41 +0000)]
- djm@cvs.openbsd.org 2004/10/29 23:56:17
[bufaux.c bufaux.h buffer.c buffer.h]
introduce a new buffer API that returns an error rather than fatal()ing
when presented with bad data; ok markus@
dtucker [Fri, 5 Nov 2004 09:38:03 +0000 (09:38 +0000)]
- djm@cvs.openbsd.org 2004/10/29 22:53:56
[clientloop.c misc.h readpass.c ssh-agent.c]
factor out common permission-asking code to separate function; ok markus@
dtucker [Fri, 5 Nov 2004 09:35:44 +0000 (09:35 +0000)]
- djm@cvs.openbsd.org 2004/10/29 21:47:15
[channels.c channels.h clientloop.c]
fix some window size change bugs for multiplexed connections: windows sizes
were not being updated if they had changed after ~^Z suspends and SIGWINCH
was not being processed unless the first connection had requested a tty;
ok markus
dtucker [Fri, 5 Nov 2004 09:06:59 +0000 (09:06 +0000)]
- jaredy@cvs.openbsd.org 2004/09/15 03:25:41
[sshd_config.5]
mention PrintLastLog only prints last login time for interactive
sessions, like PrintMotd mentions.
From Michael Knudsen, with wording changed slightly to match the
PrintMotd description.
ok djm
dtucker [Fri, 5 Nov 2004 09:05:32 +0000 (09:05 +0000)]
- deraadt@cvs.openbsd.org 2004/09/15 00:46:01
[ssh.c]
/* fallthrough */ is something a programmer understands. But
/* FALLTHROUGH */ is also understood by lint, so that is better.
dtucker [Fri, 5 Nov 2004 09:01:03 +0000 (09:01 +0000)]
- jmc@cvs.openbsd.org 2004/08/30 21:22:49
[ssh-add.1 ssh.1]
.Xsession -> .xsession;
originally from a pr from f at obiit dot org, but missed by myself;
ok markus@ matthieu@
dtucker [Tue, 2 Nov 2004 09:30:54 +0000 (09:30 +0000)]
- (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__
only if a conflict is detected.
andersk / openssh.git / log
