djm [Sat, 5 Nov 2005 04:16:12 +0000 (04:16 +0000)]
- djm@cvs.openbsd.org 2005/10/31 11:48:29
[serverloop.c]
make sure we clean up wtmp, etc. file when we receive a SIGTERM,
SIGINT or SIGQUIT when running without privilege separation (the
normal privsep case is already OK). Patch mainly by dtucker@ and
senthilkumar_sen AT hotpop.com; ok dtucker@
djm [Sat, 5 Nov 2005 04:14:59 +0000 (04:14 +0000)]
- djm@cvs.openbsd.org 2005/10/30 08:52:18
[clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
[ssh.c sshconnect.c sshconnect1.c sshd.c]
no need to escape single quotes in comments, no binary change
djm [Sat, 5 Nov 2005 04:12:28 +0000 (04:12 +0000)]
- djm@cvs.openbsd.org 2005/10/30 04:01:03
[ssh-keyscan.c]
make ssh-keygen discard junk from server before SSH- ident, spotted by
dave AT cirt.net; ok dtucker@
djm [Sat, 5 Nov 2005 03:53:39 +0000 (03:53 +0000)]
- djm@cvs.openbsd.org 2005/10/11 23:37:37
[channels.c]
bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@
djm [Sat, 5 Nov 2005 03:52:50 +0000 (03:52 +0000)]
- djm@cvs.openbsd.org 2005/10/10 10:23:08
[channels.c channels.h clientloop.c serverloop.c session.c]
fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
djm [Sat, 5 Nov 2005 03:52:18 +0000 (03:52 +0000)]
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2005/10/07 11:13:57
[ssh-keygen.c]
change DSA default back to 1024, as it's defined for 1024 bits only
and this causes interop problems with other clients. moreover,
in order to improve the security of DSA you need to change more
components of DSA key generation (e.g. the internal SHA1 hash);
ok deraadt
dtucker [Tue, 1 Nov 2005 22:07:31 +0000 (22:07 +0000)]
- (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
via FreeBSD.
dtucker [Sun, 30 Oct 2005 04:31:55 +0000 (04:31 +0000)]
- (dtucker) [session.c] Bug #1045: do not check /etc/nologin when PAM is
enabled, instead allow PAM to handle it. Note that on platforms using PAM,
the pam_nologin module should be added to sshd's session stack in order to
maintain existing behaviour. Based on patch and discussion from t8m at
centrum.cz, ok djm@
dtucker [Tue, 25 Oct 2005 08:52:31 +0000 (08:52 +0000)]
- (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
understand "%lld", even though the compiler has "long long", so handle
it as a special case. Patch tested by mcaskill.scott at epa.gov.
dtucker [Mon, 17 Oct 2005 13:29:23 +0000 (13:29 +0000)]
- (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
/etc/default/login report and testing from aabaker at iee.org, corrections
from tim@.
dtucker [Wed, 5 Oct 2005 13:02:16 +0000 (13:02 +0000)]
- (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
"*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
senthilkumar_sen at hotpop.com.
dtucker [Mon, 3 Oct 2005 08:23:44 +0000 (08:23 +0000)]
- dtucker@cvs.openbsd.org 2005/10/03 07:44:42
[canohost.c]
Relocate check_ip_options call to prevent logging of garbage for
connections with IP options set. bz#1092 from David Leonard,
"looks good" deraadt@
dtucker [Mon, 3 Oct 2005 08:16:02 +0000 (08:16 +0000)]
- djm@cvs.openbsd.org 2005/09/19 11:47:09
[sshd.c]
stop connection abort on rekey with delayed compression enabled when
post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
- (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
child during PAM account check without clearing it. This restores the
post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
with help from several others.
- (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
process when sshd relies on ssh-random-helper. Should result in faster
logins on systems without a real random device or prngd. ok djm@
tim [Fri, 9 Sep 2005 05:04:59 +0000 (05:04 +0000)]
Last commit skipped defines.h
- (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
tim [Fri, 9 Sep 2005 04:56:33 +0000 (04:56 +0000)]
- (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
djm [Wed, 31 Aug 2005 09:46:26 +0000 (09:46 +0000)]
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/08/30 22:08:05
[gss-serv.c sshconnect2.c]
destroy credentials if krb5_kuserok() call fails. Stops credentials being
delegated to users who are not authorised for GSSAPIAuthentication when
GSSAPIDelegateCredentials=yes and another authentication mechanism
succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
tim [Fri, 26 Aug 2005 20:15:19 +0000 (20:15 +0000)]
- (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
by tim@. Feedback and OK dtucker@
dtucker [Tue, 23 Aug 2005 13:32:05 +0000 (13:32 +0000)]
- (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
and "//foo" to be different. Spotted by vinschen at redhat.com.
djm [Fri, 12 Aug 2005 12:16:22 +0000 (12:16 +0000)]
- jaredy@cvs.openbsd.org 2005/08/08 13:22:48
[sftp.c]
sftp prompt enhancements:
- in non-interactive mode, do not print an empty prompt at the end
before finishing
- print newline after EOF in editline mode
- call el_end() in editline mode
ok dtucker djm
dtucker [Wed, 10 Aug 2005 11:52:36 +0000 (11:52 +0000)]
- (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
Sync current (thread-safe) version of realpath.c from OpenBSD (which is
in turn based on FreeBSD's). ok djm@
dtucker [Wed, 3 Aug 2005 00:57:15 +0000 (00:57 +0000)]
- (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
individually and use a value less likely to collide with real values from
netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@
- markus@cvs.openbsd.org 2005/07/25 11:59:40
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
[sshconnect2.c sshd.c sshd_config sshd_config.5]
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.
this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@