djm [Mon, 23 Oct 2006 17:02:41 +0000 (17:02 +0000)]
- markus@cvs.openbsd.org 2006/10/11 12:38:03
[clientloop.c serverloop.c]
exit instead of doing a blocking tcp send if we detect a client/server
timeout, since the tcp sendqueue might be already full (of alive
requests); ok dtucker, report mpf
djm [Mon, 23 Oct 2006 17:01:56 +0000 (17:01 +0000)]
- djm@cvs.openbsd.org 2006/10/09 23:36:11
[session.c]
xmalloc -> xcalloc that was missed previously, from portable
(NB. Id sync only for portable, obviously)
djm [Mon, 23 Oct 2006 17:01:16 +0000 (17:01 +0000)]
- djm@cvs.openbsd.org 2006/10/06 02:29:19
[ssh-agent.c ssh-keyscan.c ssh.c]
sys/resource.h needs sys/time.h; prompted by brad@
(NB. Id sync only for portable)
djm [Mon, 23 Oct 2006 17:00:12 +0000 (17:00 +0000)]
- (djm) OpenBSD CVS Sync
- ray@cvs.openbsd.org 2006/09/30 17:48:22
[sftp.c]
Clear errno before calling the strtol functions.
From Paul Stoeber <x0001 at x dot de1 dot cc>.
OK deraadt@.
dtucker [Tue, 17 Oct 2006 21:53:06 +0000 (21:53 +0000)]
- ray@cvs.openbsd.org 2006/09/25 04:55:38
[ssh-keyscan.1 ssh.1]
Change "a SSH" to "an SSH". Hurray, I'm not the only one who
pronounces "SSH" as "ess-ess-aich".
OK jmc@ and stevesk@.
dtucker [Fri, 6 Oct 2006 23:07:20 +0000 (23:07 +0000)]
- (dtucker) [configure.ac] Put -lselinux into $LIBS while testing for
SELinux functions so they're detected correctly. Patch from pebenito at
gentoo.org.
tim [Tue, 3 Oct 2006 16:34:35 +0000 (16:34 +0000)]
- (tim) [configure.ac] Move CHECK_HEADERS test before platform specific
section so additional platform specific CHECK_HEADER tests will work
correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
Feedback and "seems like a good idea" dtucker@
- (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error
on Solaris 8 w/out /dev/random or prngd. Patch from rl at
math.technion.ac.il.
- otto@cvs.openbsd.org 2006/09/19 05:52:23
[sftp.c]
Use S_IS* macros instead of masking with S_IF* flags. The latter may
have multiple bits set, which leads to surprising results. Spotted by
Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@
- (dtucker) [configure.ac] On AIX, check to see if the compiler will allow
macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
Allows build out of the box with older VAC and XLC compilers. Found by
David Bronder and Bernhard Simon.
- (dtucker) [auth-pam.c] Propagate TZ environment variable to PAM auth
process so that any logging it does is with the right timezone. From
Scott Strickler, ok djm@.
- djm@cvs.openbsd.org 2006/09/16 19:53:37
[deattack.c deattack.h packet.c]
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@
- (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
Support SMF in Solaris Packages if enabled by configure. Patch from
Chad Mynhier, tested by dtucker@
- (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
be used to drop privilege to; fixes Solaris GSSAPI crash reported by
Magnus Abrante; suggestion and feedback dtucker@
NB. this change will require that the privilege separation user must
exist all the time, not just when UsePrivilegeSeparation=yes
- (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius,
ok djm@
- (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
declaration of writev(2) and declare it ourselves if necessary. Makes
the atomiciov() calls build on really old systems. ok djm@
- (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
for hton* and ntoh* macros. Required on (at least) HP-UX since we define
_XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
- (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
test for GLOB_NOMATCH and use our glob functions if it's not found.
Stops sftp from segfaulting when attempting to get a nonexistent file on
Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
from and tested by Corinna Vinschen.
- (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
[openbsd-compat/rresvport.c] Some more headers: netinet/in.h
sys/socket.h and unistd.h in various places
djm [Wed, 30 Aug 2006 17:24:41 +0000 (17:24 +0000)]
- (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
[platform.c platform.h sshd.c openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
[openbsd-compat/port-solaris.h] Add support for Solaris process
contracts, enabled with --use-solaris-contracts. Patch from Chad
Mynhier, tweaked by dtucker@ and myself; ok dtucker@
dtucker [Wed, 30 Aug 2006 12:33:09 +0000 (12:33 +0000)]
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed
login count. Previously this would only happen when an interactive
session starts (ie when a pty is allocated) but this means that accounts
that have primarily non-interactive sessions (eg scp's) may gradually
accumulate enough failures to lock out an account. This change may have
a side effect of creating two audit records, one with a tty of "ssh"
corresponding to the authentication and one with the allocated pty per
interactive session.
djm [Wed, 30 Aug 2006 01:08:33 +0000 (01:08 +0000)]
- dtucker@cvs.openbsd.org 2006/08/30 00:06:51
[sshconnect2.c]
Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@
djm [Wed, 30 Aug 2006 01:08:04 +0000 (01:08 +0000)]
- dtucker@cvs.openbsd.org 2006/08/29 12:02:30
[gss-genr.c]
Work around a problem in Heimdal that occurs when KRB5CCNAME file is
missing, by checking whether or not kerberos allocated us a context
before attempting to free it. Patch from Simon Wilkinson, tested by
biorn@, ok djm@
djm [Wed, 30 Aug 2006 01:07:00 +0000 (01:07 +0000)]
- dtucker@cvs.openbsd.org 2006/08/21 08:15:57
[sshd.8]
Add more detail about what permissions are and aren't accepted for
authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
djm [Fri, 18 Aug 2006 14:46:43 +0000 (14:46 +0000)]
- djm@cvs.openbsd.org 2006/08/18 14:40:34
[gss-genr.c ssh-gss.h]
constify host argument to match the rest of the GSSAPI functions and
unbreak compilation with -Werror
djm [Fri, 18 Aug 2006 14:33:34 +0000 (14:33 +0000)]
- djm@cvs.openbsd.org 2006/08/18 13:54:54
[gss-genr.c ssh-gss.h sshconnect2.c]
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
ok markus@
djm [Fri, 18 Aug 2006 14:32:46 +0000 (14:32 +0000)]
- markus@cvs.openbsd.org 2006/08/18 09:15:20
[auth.h session.c sshd.c]
delay authentication related cleanups until we're authenticated and
all alarms have been cancelled; ok deraadt
djm [Fri, 18 Aug 2006 14:32:20 +0000 (14:32 +0000)]
- deraadt@cvs.openbsd.org 2006/08/18 09:13:26
[log.c log.h sshd.c]
make signal handler termination path shorter; risky code pointed out by
mark dowd; ok djm markus
djm [Fri, 18 Aug 2006 14:31:39 +0000 (14:31 +0000)]
- djm@cvs.openbsd.org 2006/08/16 11:47:15
[sshd.c]
factor inetd connection, TCP listen and main TCP accept loop out of
main() into separate functions to improve readability; ok markus@
djm [Fri, 18 Aug 2006 14:23:15 +0000 (14:23 +0000)]
- dtucker@cvs.openbsd.org 2006/08/14 12:40:25
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
djm [Fri, 18 Aug 2006 14:22:40 +0000 (14:22 +0000)]
- miod@cvs.openbsd.org 2006/08/12 20:46:46
[monitor.c monitor_wrap.c]
Revert previous include file ordering change, for ssh to compile under
gcc2 (or until openssl include files are cleaned of parameter names
in function prototypes)