djm [Wed, 15 Mar 2006 00:35:54 +0000 (00:35 +0000)]
- jmc@cvs.openbsd.org 2006/02/19 19:52:10
[sshd.8]
move the sshrc stuff out of FILES, and into its own section:
FILES is not a good place to document how stuff works;
djm [Wed, 15 Mar 2006 00:32:06 +0000 (00:32 +0000)]
- jmc@cvs.openbsd.org 2006/02/13 10:16:39
[sshd.8]
no need to subsection the authorized_keys examples - instead, convert
this to look like an actual file. also use proto 2 keys, and use IETF
example addresses;
djm [Wed, 15 Mar 2006 00:30:38 +0000 (00:30 +0000)]
- djm@cvs.openbsd.org 2006/02/12 10:44:18
[readconf.c]
raise error when the user specifies a RekeyLimit that is smaller than 16
(the smallest of our cipher's blocksize) or big enough to cause integer
wraparound; ok & feedback dtucker@
djm [Wed, 15 Mar 2006 00:30:13 +0000 (00:30 +0000)]
- djm@cvs.openbsd.org 2006/02/12 06:45:34
[ssh.c ssh_config.5]
add a %l expansion code to the ControlPath, which is filled in with the
local hostname at runtime. Requested by henning@ to avoid some problems
with /home on NFS; ok dtucker@
djm [Wed, 15 Mar 2006 00:27:20 +0000 (00:27 +0000)]
- jmc@cvs.openbsd.org 2006/02/09 10:10:47
[sshd.8]
- move some text into a CAVEATS section
- merge the COMMAND EXECUTION... section into AUTHENTICATION
djm [Wed, 15 Mar 2006 00:26:55 +0000 (00:26 +0000)]
- stevesk@cvs.openbsd.org 2006/02/09 00:32:07
[includes.h]
#include <sys/endian.h> not needed; ok djm@
NB. ID Sync only - we still need this (but it may move later)
djm [Wed, 15 Mar 2006 00:24:12 +0000 (00:24 +0000)]
- stevesk@cvs.openbsd.org 2006/02/08 14:38:18
[includes.h packet.c]
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@
dtucker [Mon, 13 Mar 2006 08:06:51 +0000 (08:06 +0000)]
- (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
since not all platforms support it. Instead, use internal equivalent while
computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
as it's no longer required. Tested by Bernhard Simon, ok djm@
dtucker [Fri, 3 Mar 2006 21:50:31 +0000 (21:50 +0000)]
- (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
file rather than directory, required as Cygwin will be importing lastlog(1).
Also tightens up permissions on the file. Patch from vinschen@redhat.com.
dtucker [Mon, 20 Feb 2006 09:17:35 +0000 (09:17 +0000)]
- (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
Add optional enabling of OpenSSL's (hardware) Engine support, via
configure --with-ssl-engine. Based in part on a diff by michal at
logix.cz.
dtucker [Sun, 12 Feb 2006 05:48:56 +0000 (05:48 +0000)]
- (dtucker) [README version.h contrib/caldera/openssh.spec
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
strings to match 4.3p2 release.
tim [Tue, 7 Feb 2006 23:17:44 +0000 (23:17 +0000)]
- (tim) [session.c] Logout records were not updated on systems with
post auth privsep disabled due to bug 1086 changes. Analysis and patch
by vinschen at redhat.com. OK tim@, dtucker@.
tim [Fri, 3 Feb 2006 03:11:56 +0000 (03:11 +0000)]
- (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
by a platform specific check, builtin standard includes tests will be
skipped on the other platforms.
Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
OK tim@, djm@.
djm [Wed, 1 Feb 2006 11:05:25 +0000 (11:05 +0000)]
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2006/02/01 09:06:50
[sshd.8]
- merge sections on protocols 1 and 2 into a single section
- remove configuration file section
ok markus
djm [Wed, 1 Feb 2006 00:21:01 +0000 (00:21 +0000)]
- (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
determine the user's login name - needed for regress tests on Solaris
10 and OpenSolaris
djm [Tue, 31 Jan 2006 11:03:11 +0000 (11:03 +0000)]
- dtucker@cvs.openbsd.org 2005/12/14 04:36:39
[regress/scp-ssh-wrapper.sh]
Fix assumption about how many args scp will pass; ok djm@
NB. ID sync only, we already had this
djm [Tue, 31 Jan 2006 11:02:16 +0000 (11:02 +0000)]
- grunk@cvs.openbsd.org 2005/11/14 21:25:56
[regress/agent-getpeereid.sh]
all other scripts in this dir use $SUDO, not 'sudo', so pull this even
ok markus@
djm [Tue, 31 Jan 2006 10:58:23 +0000 (10:58 +0000)]
- (djm) Sync regress tests to OpenBSD:
- dtucker@cvs.openbsd.org 2005/03/10 10:20:39
[regress/forwarding.sh]
Regress test for ClearAllForwardings (bz #994); ok markus@
djm [Tue, 31 Jan 2006 10:57:27 +0000 (10:57 +0000)]
- dtucker@cvs.openbsd.org 2005/04/25 09:54:09
[regress/multiplex.sh]
Don't call cleanup in multiplex as test-exec will cleanup anyway
found by tim@, ok djm@
NB. ID sync only, we already had this
djm [Tue, 31 Jan 2006 10:49:27 +0000 (10:49 +0000)]
- djm@cvs.openbsd.org 2006/01/31 10:19:02
[misc.c misc.h scp.c sftp.c]
fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
djm [Tue, 31 Jan 2006 10:47:15 +0000 (10:47 +0000)]
- reyk@cvs.openbsd.org 2006/01/30 12:22:22
[channels.c]
mark channel as write failed or dead instead of read failed on error
of the channel output filter.
ok markus@
djm [Tue, 31 Jan 2006 10:46:51 +0000 (10:46 +0000)]
- jmc@cvs.openbsd.org 2006/01/26 08:47:56
[ssh.1]
add a section on verifying host keys in dns;
written with a lot of help from jakob;
feedback dtucker/markus;
ok markus
dtucker [Fri, 20 Jan 2006 00:31:47 +0000 (00:31 +0000)]
- dtucker@cvs.openbsd.org 2006/01/20 00:14:55
[scp.1 ssh.1 ssh_config.5 sftp.1]
Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
#1056 with feedback from jmc, djm and markus; ok jmc@ djm@
djm [Fri, 13 Jan 2006 23:09:13 +0000 (23:09 +0000)]
- jmc@cvs.openbsd.org 2006/01/12 14:44:12
[ssh.1]
split sections on tcp and x11 forwarding into two sections.
add an example in the tcp section, based on sth i wrote for ssh faq;
help + ok: djm markus dtucker
dtucker [Mon, 9 Jan 2006 13:02:44 +0000 (13:02 +0000)]
- (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
tcpip service so it's always started after IP is up. Patch from
vinschen at redhat.com.
djm [Fri, 6 Jan 2006 03:50:44 +0000 (03:50 +0000)]
- djm@cvs.openbsd.org 2006/01/05 23:43:53
[misc.c]
check that stdio file descriptors are actually closed before clobbering
them in sanitise_stdfd(). problems occurred when a lower numbered fd was
closed, but higher ones weren't. spotted by, and patch tested by
Frédéric Olivié