It says to use "pseudo-device rnd" kernel configuration.
TODO: if the above instructions are fine for other
operating systems with /dev/urandom then add.
faults, and haven't tracked down why yet.
No allow PAM authentication if Linux (and USE_PAM is defined).
This will close my 20846 PR from March 2003.
Also, install the contrib/sshd.pam.generic file as the example
sshd.pam instead of the FreeBSD version, but this okay since
it was commented out in the first place.
TODO: test the PAM support on other platforms and allow
if USE_PAM is defined.
well. Bump the PKGREVISION.
XXX The right fix is to create a autoconf check for the number of args
XXX that skeychallenge takes and do the right thing accordingly.
Finish buildlink3 changes.
Obscure LOCALBASE path so that base system compilers dont match the
prefix otherwise compiler.mk then wants to build the pkgsrc gcc
package. (ick)
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
don't know why this didn't originally work as it should, but I've
just tested it with gcc3 and Forte 8 on Solaris and I couldn't make
it fail.
fixes coredump problem on Solaris observed by some, and also
PR pkg/23120 from Alex Gerasimoff.
bump PKGREVISION to differentiate between broken and unbroken
package.
Most important chcanges: security relevant bug fixes in new PAM authentication code
Changes since OpenSSH 3.7.1p1:
==============================
* This release disables PAM by default. To enable it, set "UsePAM yes" in
sshd_config. Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend that PAM
be left disabled in sshd_config unless there is a need for its use.
Sites using only public key or simple password authentication usually
have little need to enable PAM support.
* This release now requires zlib 1.1.4 to build correctly. Previous
versions have security problems.
* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
are not supported for older OpenSSL versions.
* Fix compilation problems on systems with a missing or lacking inet_ntoa()
function.
* Workaround problems related to unimplemented or broken setresuid/setreuid
functions on several platforms.
* Fix compilation on older OpenBSD systems.
* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
that has not worked since the 3.7p1 release.
# OpenSSH 3.7x currently does *not* work on IRIX!
# To compile, we would need to remove the extraneous inclusion of the
# ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though
# sshd will not work: It seems the connection is closed by the daemon
# when it tries to spawn off a child to handle the incoming connection
#
# If you need the latest security patches for your openssh, I'm afraid you'll
# have to apply them by hand to the 3.6.1p2 version.
(Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed
automatically?)
Large number of changes since 3.6.1p2, the most pertinent being:
* do not expand buffer before attempting to reallocate it (buffer.c)
note that NetBSD-current already includes this fix.
other changes include:
* portability fixes
* regression test fixes
* add GSSAPI support and remove kerberos support from ssh1, retaining
kerberos passwd auth for ssh1 and 2
* man page fixes
* general bug fixes
see the ChangeLog for full details.
just setting BUILDLINK_DEPENDS.openssl. USE_OPENSSL_VERSION wasn't
actually needed here anyway since the minimum version allowed by
openssl/buildlink2.mk exceeded the version requested here.
USE_PKGINSTALL is "YES". bsd.pkg.install.mk will no longer automatically
pick up a INSTALL/DEINSTALL script in the package directory and assume that
you want it for the corresponding *_EXTRA_TMPL variable.
was commented out because it didn't work with recent openssh, is now fiexed
and commented back in). This support is conditional on ${KERBEROS} being
set, and currently enables support for both kerberos 4 and 5. This should
be refined.
This has been tested and confirmed on -current and 1.6. Testing on other
platforms (if any? solaris?) in which we support kerberos in pkgsrc should
be done.
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
- (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- (djm) Fix blibpath specification for AIX/gcc
- (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
(This last fix makes this compile on IRIX again.)
relevant changes are > 500 lines, see
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
Personal selection:
rekeying bugfixes and automatic rekeying
bandwidth limitation (scp -l)
Add a -t life option to ssh-agent that set the default lifetime.
The default can still be overriden by using -t in ssh-add.
sftp progress meter support.
allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
[scp.c]
1) include stalling time in total time
2) truncate filenames to 45 instead of 20 characters
3) print rate instead of progress bar, no more stars
4) scale output to tty width
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
Also mark this package as conflicting with ssh2 package.
Changes:
20021003
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/10/01 20:34:12
[ssh-agent.c]
allow root to access the agent, since there is no protection from root.
- markus@cvs.openbsd.org 2002/10/01 13:24:50
[version.h]
OpenSSH 3.5
- (djm) Bump RPM spec version numbers
- (djm) Bug #406 s/msg_send/ssh_msh_send/ for Mac OS X 1.2
20020930
- (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs,
tweak README
- (djm) OpenBSD CVS Sync
- mickey@cvs.openbsd.org 2002/09/27 10:42:09
[compat.c compat.h sshd.c]
add a generic match for a prober, such as sie big brother;
idea from stevesk@; markus@ ok
- stevesk@cvs.openbsd.org 2002/09/27 15:46:21
[ssh.1]
clarify compression level protocol 1 only; ok markus@ deraadt@
20020927
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/25 11:17:16
[sshd_config]
sync LoginGraceTime with default
- markus@cvs.openbsd.org 2002/09/25 15:19:02
[sshd.c]
typo; pilot@monkey.org
- markus@cvs.openbsd.org 2002/09/26 11:38:43
[auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h]
krb4 + privsep; ok dugsong@, deraadt@
20020925
- (bal) Fix issue where successfull login does not clear failure counts
in AIX. Patch by dtucker@zip.com.au ok by djm
- (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray.
This does not include the deattack.c fixes.
20020923
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/23 20:46:27
[canohost.c]
change get_peer_ipaddr() and get_local_ipaddr() to not return NULL for
non-sockets; fixes a problem passing NULL to snprintf(). ok markus@
- markus@cvs.openbsd.org 2002/09/23 22:11:05
[monitor.c]
only call auth_krb5 if kerberos is enabled; ok deraadt@
- markus@cvs.openbsd.org 2002/09/24 08:46:04
[monitor.c]
only call kerberos code for authctxt->valid
- todd@cvs.openbsd.org 2002/09/24 20:59:44
[sshd.8]
tweak the example $HOME/.ssh/rc script to not show on any cmdline the
sensitive data it handles. This fixes bug # 402 as reported by
kolya@mit.edu (Nickolai Zeldovich).
ok markus@ and stevesk@
20020923
- (tim) [configure.ac] s/return/exit/ patch by dtucker@zip.com.au
20020922
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/19 14:53:14
[compat.c]
- markus@cvs.openbsd.org 2002/09/19 15:51:23
[ssh-add.c]
typo; cd@kalkatraz.de
- stevesk@cvs.openbsd.org 2002/09/19 16:03:15
[serverloop.c]
log IP address also; ok markus@
- stevesk@cvs.openbsd.org 2002/09/20 18:41:29
[auth.c]
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@
20020919
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/12 19:11:52
[ssh-agent.c]
%u for uid print; ok markus@
- stevesk@cvs.openbsd.org 2002/09/12 19:50:36
[session.c ssh.1]
add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384. ok markus@
- stevesk@cvs.openbsd.org 2002/09/13 19:23:09
[channels.c sshconnect.c sshd.c]
remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 19:55:33
[session.c]
log when _PATH_NOLOGIN exists; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 20:12:11
[sshd_config.5]
more details on X11Forwarding security issues and threats; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 22:03:13
[sshd.8]
reference moduli(5) in FILES /etc/moduli.
- itojun@cvs.openbsd.org 2002/09/17 07:47:02
[channels.c]
don't quit while creating X11 listening socket.
http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok
- djm@cvs.openbsd.org 2002/09/19 01:58:18
[ssh.c sshconnect.c]
bugzilla.mindrot.org #223 - ProxyCommands don't exit.
Patch from dtucker@zip.com.au; ok markus@
20020912
- (djm) Made GNOME askpass programs return non-zero if cancel button is
pressed.
- (djm) Added getpeereid() replacement. Properly implemented for systems
with SO_PEERCRED support. Faked for systems which lack it.
- (djm) Sync sys/tree.h with OpenBSD -current. Rename tree.h and
fake-queue.h to sys-tree.h and sys-queue.h
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/08 20:24:08
[hostfile.h]
no comma at end of enumerator list
- itojun@cvs.openbsd.org 2002/09/09 06:48:06
[auth1.c auth.h auth-krb5.c monitor.c monitor.h]
[monitor_wrap.c monitor_wrap.h]
kerberos support for privsep. confirmed to work by lha@stacken.kth.se
patch from markus
- markus@cvs.openbsd.org 2002/09/09 14:54:15
[channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c]
signed vs unsigned from -pedantic; ok henning@
- markus@cvs.openbsd.org 2002/09/10 20:24:47
[ssh-agent.c]
check the euid of the connecting process with getpeereid(2);
ok provos deraadt stevesk
- stevesk@cvs.openbsd.org 2002/09/11 17:55:03
[ssh.1]
add agent and X11 forwarding warning text from ssh_config.5; ok markus@
- stevesk@cvs.openbsd.org 2002/09/11 18:27:26
[authfd.c authfd.h ssh.c]
don't connect to agent to test for presence if we've previously
connected; ok markus@
- djm@cvs.openbsd.org 2002/09/11 22:41:50
[sftp.1 sftp-client.c sftp-client.h sftp-common.c sftp-common.h]
[sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c]
support for short/long listings and globbing in "ls"; ok markus@
- djm@cvs.openbsd.org 2002/09/12 00:13:06
[sftp-int.c]
zap unused var introduced in last commit
20020911
- (djm) Sync openbsd-compat with OpenBSD -current
20020910
- (djm) Bug #365: Read /.ssh/environment properly under CygWin.
Patch from Mark Bradshaw <bradshaw@staff.crosswalk.com>
- (djm) Bug #138: Make protocol 1 blowfish work with old OpenSSL.
Patch from Robert Halubek <rob@adso.com.pl>
20020905
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/04 18:52:42
[servconf.c sshd.8 sshd_config.5]
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@
- (djm) Merge openssh-TODO.patch from Redhat (null) beta
- (djm) Add gnome-ssh-askpass2.c (gtk2) by merge with patch from
Nalin Dahyabhai <nalin@redhat.com>
- (djm) Add support for building gtk2 password requestor from Redhat beta
20020903
- (djm) Patch from itojun@ for Darwin OS: test getaddrinfo, reorder libcrypt
- (djm) Fix Redhat RPM build dependancy test
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/08/12 10:46:35
[ssh-agent.c]
make ssh-agent setgid, disallow ptrace.
- espie@cvs.openbsd.org 2002/08/21 11:20:59
[sshd.8]
`RSA' updated to refer to `public key', where it matters.
okay markus@
- stevesk@cvs.openbsd.org 2002/08/21 19:38:06
[servconf.c sshd.8 sshd_config sshd_config.5]
change LoginGraceTime default to 1 minute; ok mouring@ markus@
- stevesk@cvs.openbsd.org 2002/08/21 20:10:28
[ssh-agent.c]
raise listen backlog; ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 19:27:53
[ssh-agent.c]
use common close function; ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 19:38:42
[clientloop.c]
format with current EscapeChar; bugzilla #388 from wknox@mitre.org.
ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 20:57:19
[ssh-agent.c]
shutdown(SHUT_RDWR) not needed before close here; ok markus@
- markus@cvs.openbsd.org 2002/08/22 21:33:58
[auth1.c auth2.c]
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
- markus@cvs.openbsd.org 2002/08/22 21:45:41
[session.c]
send signal name (not signal number) in "exit-signal" message; noticed
by galb@vandyke.com
- stevesk@cvs.openbsd.org 2002/08/27 17:13:56
[ssh-rsa.c]
RSA_public_decrypt() returns -1 on error so len must be signed;
ok markus@
- stevesk@cvs.openbsd.org 2002/08/27 17:18:40
[ssh_config.5]
some warning text for ForwardAgent and ForwardX11; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 15:57:25
[monitor.c session.c sshlogin.c sshlogin.h]
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org>
NOTE: there are also p-specific parts to this patch. ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 16:02:54
[ssh.1 ssh.c]
deprecate -P as UsePrivilegedPort defaults to no now; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 16:09:02
[ssh_config.5]
more on UsePrivilegedPort and setuid root; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 19:49:42
[ssh.c]
shrink initial privilege bracket for setuid case; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 22:54:10
[ssh_config.5 sshd_config.5]
state XAuthLocation is a full pathname
20020820
- OpenBSD CVS Sync
- millert@cvs.openbsd.org 2002/08/02 14:43:15
[monitor.c monitor_mm.c]
Change mm_zalloc() sanity checks to be more in line with what
we do in calloc() and add a check to monitor_mm.c.
OK provos@ and markus@
- marc@cvs.openbsd.org 2002/08/02 16:00:07
[ssh.1 sshd.8]
note that .ssh/environment is only read when
allowed (PermitUserEnvironment in sshd_config).
OK markus@
- markus@cvs.openbsd.org 2002/08/02 21:23:41
[ssh-rsa.c]
diff is u_int (2x); ok deraadt/provos
- markus@cvs.openbsd.org 2002/08/02 22:20:30
[ssh-rsa.c]
replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parser
for authentication; ok deraadt/djm
- aaron@cvs.openbsd.org 2002/08/08 13:50:23
[sshconnect1.c]
Use & to test if bits are set, not &&; markus@ ok.
- stevesk@cvs.openbsd.org 2002/08/08 23:54:52
[auth.c]
typo in comment
- stevesk@cvs.openbsd.org 2002/08/09 17:21:42
[sshd_config.5]
use Op for mdoc conformance; from esr@golux.thyrsus.com
ok aaron@
- stevesk@cvs.openbsd.org 2002/08/09 17:41:12
[sshd_config.5]
proxy vs. fake display
- stevesk@cvs.openbsd.org 2002/08/12 17:30:35
[ssh.1 sshd.8 sshd_config.5]
more PermitUserEnvironment; ok markus@
- stevesk@cvs.openbsd.org 2002/08/17 23:07:14
[ssh.1]
ForwardAgent has defaulted to no for over 2 years; be more clear here.
- stevesk@cvs.openbsd.org 2002/08/17 23:55:01
[ssh_config.5]
ordered list here
- (bal) [defines.h] Some platforms don't have SIZE_T_MAX. So assign
it to ULONG_MAX.
20020813
- (tim) [configure.ac] Display OpenSSL header/library version.
Patch by dtucker@zip.com.au
20020731
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/07/24 16:11:18
[hostfile.c hostfile.h sshconnect.c]
print out all known keys for a host if we get a unknown host key,
see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4
the ssharp mitm tool attacks users in a similar way, so i'd like to
pointed out again:
A MITM attack is always possible if the ssh client prints:
The authenticity of host 'bla' can't be established.
(protocol version 2 with pubkey authentication allows you to detect
MITM attacks)
- mouring@cvs.openbsd.org 2002/07/25 01:16:59
[sftp.c]
FallBackToRsh does not exist anywhere else. Remove it from here.
OK deraadt.
- markus@cvs.openbsd.org 2002/07/29 18:57:30
[sshconnect.c]
print file:line
- markus@cvs.openbsd.org 2002/07/30 17:03:55
[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
add PermitUserEnvironment (off by default!); from dot@dotat.at;
ok provos, deraadt
20020730
- (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de
20020728
- (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar
- (stevesk) [CREDITS] solar
- (stevesk) [ssh-rand-helper.c] RAND_bytes() and SHA1_Final() unsigned
char arg.
20020725
- (djm) Remove some cruft from INSTALL
- (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/
20020723
- (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger.
- (bal) sync ID w/ ssh-agent.c
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2002/07/19 15:43:33
[log.c log.h session.c sshd.c]
remove fatal cleanups after fork; based on discussions with and code
from solar.
- stevesk@cvs.openbsd.org 2002/07/19 17:42:40
[ssh.c]
display a warning from ssh when XAuthLocation does not exist or xauth
returned no authentication data. ok markus@
- stevesk@cvs.openbsd.org 2002/07/21 18:32:20
[auth-options.c]
unneeded includes
- stevesk@cvs.openbsd.org 2002/07/21 18:34:43
[auth-options.h]
remove invalid comment
- markus@cvs.openbsd.org 2002/07/22 11:03:06
[session.c]
fallback to _PATH_STDPATH on setusercontext+LOGIN_SETPATH errors;
- stevesk@cvs.openbsd.org 2002/07/22 17:32:56
[monitor.c]
u_int here; ok provos@
- stevesk@cvs.openbsd.org 2002/07/23 16:03:10
[sshd.c]
utmp_len is unsigned; display error consistent with other options.
ok markus@
- stevesk@cvs.openbsd.org 2002/07/15 17:15:31
[uidswap.c]
little more debugging; ok markus@
20020722
- (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk
- (stevesk) [xmmap.c] missing prototype for fatal()
- (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync
with Cray (mostly #ifdef renaming). Patch by wendyp@cray.com.
- (bal) [configure.ac] Missing ;; from cray patch.
- (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines
into it's own header.
- (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be
freed by the caller; add free_pam_environment() and use it.
- (stevesk) [auth-pam.c] typo in comment
20020721
- (stevesk) [auth-pam.c] merge cosmetic changes from solar's
openssh-3.4p1-owl-password-changing.diff
- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
- (stevesk) [auth-pam.c] cast to avoid initialization type mismatch
warning on pam_conv struct conversation function.
- (stevesk) [auth-pam.h] license
- (stevesk) [auth-pam.h] unneeded include
- (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h
20020720
- (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
20020719
- (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed.
Patch by dtucker@zip.com.au
- (tim) [configure.ac] test for libxnet on HP. Patch by dtucker@zip.com.au
20020718
- (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org
- (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported
by ayamura@ayamura.org
- (tim) [configure.ac] Bug 267 rework int64_t test.
- (tim) [includes.h] Bug 267 add stdint.h
20020717
- (bal) aixbff package updated by dtucker@zip.com.au
- (tim) [configure.ac] change how we do paths in AC_PATH_PROGS tests
for autoconf 2.53. Based on a patch by jrj@purdue.edu
20020716
- (tim) [contrib/solaris/opensshd.in] Only kill sshd if .pid file found
20020715
- (bal) OpenBSD CVS Sync
- itojun@cvs.openbsd.org 2002/07/12 13:29:09
[sshconnect.c]
print connect failure during debugging mode.
- markus@cvs.openbsd.org 2002/07/12 15:50:17
[cipher.c]
EVP_CIPH_CUSTOM_IV for our own rijndael
- (bal) Remove unused tty defined in do_setusercontext() pointed out by
dtucker@zip.com.au plus a a more KNF since I am near it.
- (bal) Privsep user creation support in Solaris buildpkg.sh by
dtucker@zip.com.au
20020714
- (tim) [Makefile.in] replace "id sshd" with "sshd -t"
- (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c
openbsd-compat/Makefile.in] support compression on platforms that
have no/broken MAP_ANON. Moved code to openbsd-compat/xmmap.c
Based on patch from nalin@redhat.com of code extracted from Owl's package
- (tim) [ssh_prng_cmds.in] Bug 323 arp -n flag doesn't exist under Solaris.
report by chris@by-design.net
- (tim) [loginrec.c] Bug 347: Fix typo (WTMPX_FILE) report by rodney@bond.net
- (tim) [loginrec.c] Bug 348: add missing found = 1; to wtmpx_islogin()
report by rodney@bond.net
20020712
- (tim) [Makefile.in] quiet down install-files: and check-user:
- (tim) [configure.ac] remove unused filepriv line
20020710
- (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions
on /var/empty to 755 Patch by vinschen@redhat.com
- (bal) OpenBSD CVS Sync
- itojun@cvs.openbsd.org 2002/07/09 11:56:50
[sshconnect.c]
silently try next address on connect(2). markus ok
- itojun@cvs.openbsd.org 2002/07/09 11:56:27
[canohost.c]
suppress log on reverse lookup failiure, as there's no real value in
doing so.
markus ok
- itojun@cvs.openbsd.org 2002/07/09 12:04:02
[sshconnect.c]
ed static function (less warnings)
- stevesk@cvs.openbsd.org 2002/07/09 17:46:25
[sshd_config.5]
clarify no preference ordering in protocol list; ok markus@
- itojun@cvs.openbsd.org 2002/07/10 10:28:15
[sshconnect.c]
bark if all connection attempt fails.
- deraadt@cvs.openbsd.org 2002/07/10 17:53:54
[rijndael.c]
use right sizeof in memcpy; markus ok
20020709
- (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms
lacking that concept can share it. Patch by vinschen@redhat.com
20020708
- (tim) [openssh/contrib/solaris/buildpkg.sh] add PKG_INSTALL_ROOT to
work in a jumpstart environment. patch by kbrint@rufus.net
- (tim) [Makefile.in] workaround for broken pakadd on some systems.
- (tim) [configure.ac] fix libc89 utimes test. Mention default path for
--with-privsep-path=
20020707
- (tim) [Makefile.in] use umask instead of chmod on $(PRIVSEP_PATH)
- (tim) [acconfig.h configure.ac sshd.c]
s/BROKEN_FD_PASSING/DISABLE_FD_PASSING/
- (tim) [contrib/cygwin/ssh-host-config] sshd account creation fixes
patch from vinschen@redhat.com
- (bal) [realpath.c] Updated with OpenBSD tree.
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/07/04 04:15:33
[key.c monitor_wrap.c sftp-glob.c ssh-dss.c ssh-rsa.c]
patch memory leaks; grendel@zeitbombe.org
- deraadt@cvs.openbsd.org 2002/07/04 08:12:15
[channels.c packet.c]
blah blah minor nothing as i read and re-read and re-read...
- markus@cvs.openbsd.org 2002/07/04 10:41:47
[key.c monitor_wrap.c ssh-dss.c ssh-rsa.c]
don't allocate, copy, and discard if there is not interested in the data;
ok deraadt@
- deraadt@cvs.openbsd.org 2002/07/06 01:00:49
[log.c]
KNF
- deraadt@cvs.openbsd.org 2002/07/06 01:01:26
[ssh-keyscan.c]
KNF, realloc fix, and clean usage
- stevesk@cvs.openbsd.org 2002/07/06 17:47:58
[ssh-keyscan.c]
unused variable
- (bal) Minor KNF on ssh-keyscan.c
20020705
- (tim) [configure.ac] AIX 4.2.1 has authenticate() in libs.
Reported by Darren Tucker <dtucker@zip.com.au>
- (tim) [contrib/cygwin/ssh-host-config] double slash corrction
from vinschen@redhat.com
20020704
- (bal) Limit data to TTY for AIX only (Newer versions can't handle the
faster data rate) Bug #124
- (bal) glob.c defines TILDE and AIX also defines it. #undef it first.
bug #265
- (bal) One too many nulls in ports-aix.c
20020703
- (bal) Updated contrib/cygwin/ patch by vinschen@redhat.com
- (bal) minor correction to utimes() replacement. Patch by
onoe@sm.sony.co.jp
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/27 08:49:44
[dh.c ssh-keyscan.c sshconnect.c]
more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@
- deraadt@cvs.openbsd.org 2002/06/27 09:08:00
[monitor.c]
improve mm_zalloc check; markus ok
- deraadt@cvs.openbsd.org 2002/06/27 10:35:47
[auth2-none.c monitor.c sftp-client.c]
use xfree()
- stevesk@cvs.openbsd.org 2002/06/27 19:49:08
[ssh-keyscan.c]
use convtime(); ok markus@
- millert@cvs.openbsd.org 2002/06/28 01:49:31
[monitor_mm.c]
tree(3) wants an int return value for its compare functions and
the difference between two pointers is not an int. Just do the
safest thing and store the result in a long and then return 0,
-1, or 1 based on that result.
- deraadt@cvs.openbsd.org 2002/06/28 01:50:37
[monitor_wrap.c]
use ssize_t
- deraadt@cvs.openbsd.org 2002/06/28 10:08:25
[sshd.c]
range check -u option at invocation
- deraadt@cvs.openbsd.org 2002/06/28 23:05:06
[sshd.c]
gidset[2] -> gidset[1]; markus ok
- deraadt@cvs.openbsd.org 2002/06/30 21:54:16
[auth2.c session.c sshd.c]
lint asks that we use names that do not overlap
- deraadt@cvs.openbsd.org 2002/06/30 21:59:45
[auth-bsdauth.c auth-skey.c auth2-chall.c clientloop.c key.c
monitor_wrap.c monitor_wrap.h scard.h session.h sftp-glob.c ssh.c
sshconnect2.c sshd.c]
minor KNF
- deraadt@cvs.openbsd.org 2002/07/01 16:15:25
[msg.c]
%u
- markus@cvs.openbsd.org 2002/07/01 19:48:46
[sshconnect2.c]
for compression=yes, we fallback to no-compression if the server does
not support compression, vice versa for compression=no. ok mouring@
- markus@cvs.openbsd.org 2002/07/03 09:55:38
[ssh-keysign.c]
use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@
- markus@cvs.openbsd.org 2002/07/03 14:21:05
[ssh-keysign.8 ssh-keysign.c ssh.c ssh_config]
re-enable ssh-keysign's sbit, but make ssh-keysign read
/etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled
globally. based on discussions with deraadt, itojun and sommerfeld;
ok itojun@
- (bal) Failed password attempts don't increment counter on AIX. Bug #145
- (bal) Missed Makefile.in change. keysign needs readconf.o
- (bal) Clean up aix_usrinfo(). Ignore TTY= period I guess.
20020702
- (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc &
friends consistently. Spotted by Solar Designer <solar@openwall.com>
20020629
- (bal) fix to auth2-pam.c to swap fatal() arguments, A bit of style
clean up while I'm near it.
20020628
- (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented
options should contain default value. from solar.
- (bal) Cygwin uid0 fix by vinschen@redhat.com
- (bal) s/config.h/includes.h/ in openbsd-compat/ for *.c. Otherwise wise
have issues of our fixes not propogating right (ie bcopy instead of
memmove). OK tim
- (bal) FreeBSD needs <sys/types.h> to detect if mmap() is supported.
Bug #303
20020627
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/06/26 14:49:36
[monitor.c]
correct %u
- deraadt@cvs.openbsd.org 2002/06/26 14:50:04
[monitor_fdpass.c]
use ssize_t for recvmsg() and sendmsg() return
- markus@cvs.openbsd.org 2002/06/26 14:51:33
[ssh-add.c]
fix exit code for -X/-x
- deraadt@cvs.openbsd.org 2002/06/26 15:00:32
[monitor_wrap.c]
more %u
- markus@cvs.openbsd.org 2002/06/26 22:27:32
[ssh-keysign.c]
bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu
OPENSSH_USER
OPENSSH_UID
OPENSSH_GROUP
OPENSSH_GID
OPENSSH_CHROOT
Use these to automatically create user/group if they do not already
exist. Assists platforms which do not have an 'sshd' user by default,
while adding flexibility for NetBSD systems.
Checked by Stoned Elipot <seb@netbsd.org>.
libcrypt-before-libcrypto into a section that is protected by something
we can set in the configure script (check_for_libcrypt_before). This
should fix the latter part of pkg/18091 by grant beattie.
/var/run directory, tmpfs is mounted on /var/run by default.
/var/run does not exist by default on Solaris 7, but some daemons
appear to make use of it after it is created (eg. syslogd).
installs the binaries directly in /usr and places the manpages and example
files in the correct hier(7) locations. We don't register installation in
this case because the package database can't handle it. We deal with the
ssh config files and directories as follows:
NetBSD-1.5.* use /etc/ssh_config, /etc/sshd_config
NetBSD-1.6 use /etc/ssh/ssh_config, /etc/ssh/sshd_config
We also emit a warning in the MESSAGE file that /etc/ssh.conf and
/etc/sshd.conf should be renamed in order to keep using them. Lastly,
there is a new target "tarball" to generate a tarball of the installed
files that might be used to install quickly on many machines, though it
may be only of limited utility.
These changes are only active if UPDATE_INTREE_OPENSSH is defined.
Note: it was already as part of CONFIGURE_ENV value, this change only makes
it more "readable" IMHO.
Remove explicit addition of PKG_SYSCONFDIR to BUILD_DEFS in a couple of
Makefiles.
20020626
- (stevesk) [monitor.c] remove duplicate proto15 dispatch entry for PAM
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/23 21:34:07
[channels.c]
tcode is u_int
- markus@cvs.openbsd.org 2002/06/24 13:12:23
[ssh-agent.1]
the socket name contains ssh-agent's ppid; via mpech@ from form@
- markus@cvs.openbsd.org 2002/06/24 14:33:27
[channels.c channels.h clientloop.c serverloop.c]
move channel counter to u_int
- markus@cvs.openbsd.org 2002/06/24 14:55:38
[authfile.c kex.c ssh-agent.c]
cat to (void) when output from buffer_get_X is ignored
- itojun@cvs.openbsd.org 2002/06/24 15:49:22
[msg.c]
printf type pedant
- deraadt@cvs.openbsd.org 2002/06/24 17:57:20
[sftp-server.c sshpty.c]
explicit (u_int) for uid and gid
- markus@cvs.openbsd.org 2002/06/25 16:22:42
[authfd.c]
unnecessary cast
- markus@cvs.openbsd.org 2002/06/25 18:51:04
[sshd.c]
lightweight do_setusercontext after chroot()
- (bal) Updated AIX package build. Patch by dtucker@zip.com.au
- (tim) [Makefile.in] fix test on installing ssh-rand-helper.8
- (bal) added back in error check for mmap(). I screwed up, Pointed
out by stevesk@
- (tim) [README.privsep] UnixWare tip no longer needed.
- (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP,
but it all damned lies.
- (stevesk) [README.privsep] more for sshd pseudo-account.
- (tim) [contrib/caldera/openssh.spec] add support for privsep
- (djm) setlogin needs pgid==pid on BSD/OS; from itojun@
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/26 08:53:12
[bufaux.c]
limit size of BNs to 8KB; ok provos/deraadt
- markus@cvs.openbsd.org 2002/06/26 08:54:18
[buffer.c]
limit append to 1MB and buffers to 10MB
- markus@cvs.openbsd.org 2002/06/26 08:55:02
[channels.c]
limit # of channels to 10000
- markus@cvs.openbsd.org 2002/06/26 08:58:26
[session.c]
limit # of env vars to 1000; ok deraadt/djm
- deraadt@cvs.openbsd.org 2002/06/26 13:20:57
[monitor.c]
be careful in mm_zalloc
- deraadt@cvs.openbsd.org 2002/06/26 13:49:26
[session.c]
disclose less information from environment files; based on input
from djm, and dschultz@uclink.Berkeley.EDU
- markus@cvs.openbsd.org 2002/06/26 13:55:37
[auth2-chall.c]
make sure # of response matches # of queries, fixes int overflow;
from ISS
- markus@cvs.openbsd.org 2002/06/26 13:56:27
[version.h]
3.4
- (djm) Require krb5 devel for RPM build w/ KrbV
- (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai
<nalin@redhat.com>
- (djm) Update spec files for release
- (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
- (djm) Release 3.4p1
20020625
- (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
- (stevesk) [README.privsep] minor updates
- (djm) Create privsep directory and warn if privsep user is missing
during make install
- (bal) Started list of PrivSep issues in TODO
- (bal) if mmap() is substandard, don't allow compression on server side.
Post 'event' we will add more options.
- (tim) [contrib/caldera/openssh.spec] Sync with Caldera
- (bal) moved aix_usrinfo() and noted not setting real TTY. Patch by
dtucker@zip.com.au
- (tim) [acconfig.h configure.ac sshd.c] BROKEN_FD_PASSING fix from Markus
for Cygwin, Cray, & SCO
20020624
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/06/23 03:25:50
[tildexpand.c]
KNF
- deraadt@cvs.openbsd.org 2002/06/23 03:26:19
[cipher.c key.c]
KNF
- deraadt@cvs.openbsd.org 2002/06/23 03:30:58
[scard.c ssh-dss.c ssh-rsa.c sshconnect.c sshconnect2.c sshd.c sshlogin.c
sshpty.c]
various KNF and %d for unsigned
- deraadt@cvs.openbsd.org 2002/06/23 09:30:14
[sftp-client.c sftp-client.h sftp-common.c sftp-int.c sftp-server.c
sftp.c]
bunch of u_int vs int stuff
- deraadt@cvs.openbsd.org 2002/06/23 09:39:55
[ssh-keygen.c]
u_int stuff
- deraadt@cvs.openbsd.org 2002/06/23 09:46:51
[bufaux.c servconf.c]
minor KNF. things the fingers do while you read
- deraadt@cvs.openbsd.org 2002/06/23 10:29:52
[ssh-agent.c sshd.c]
some minor KNF and %u
- deraadt@cvs.openbsd.org 2002/06/23 20:39:45
[session.c]
compression_level is u_int
- deraadt@cvs.openbsd.org 2002/06/23 21:06:13
[sshpty.c]
KNF
- deraadt@cvs.openbsd.org 2002/06/23 21:06:41
[channels.c channels.h session.c session.h]
display, screen, row, col, xpixel, ypixel are u_int; markus ok
- deraadt@cvs.openbsd.org 2002/06/23 21:10:02
[packet.c]
packet_get_int() returns unsigned for reason & seqnr
- (bal) Also fixed IPADDR_IN_DISPLAY case where display, screen, row, col,
xpixel are u_int.
20020623
- (stevesk) [configure.ac] bug #255 LOGIN_NEEDS_UTMPX for AIX.
- (bal) removed GNUism for getops in ssh-agent since glibc lacks optreset.
- (bal) add extern char *getopt. Based on report by dtucker@zip.com.au
- OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/06/22 02:00:29
[ssh.h]
correct comment
- stevesk@cvs.openbsd.org 2002/06/22 02:40:23
[ssh.1]
section 5 not 4 for ssh_config
- naddy@cvs.openbsd.org 2002/06/22 11:51:39
[ssh.1]
typo
- stevesk@cvs.openbsd.org 2002/06/22 16:32:54
[sshd.8]
add /var/empty in FILES section
- stevesk@cvs.openbsd.org 2002/06/22 16:40:19
[sshd.c]
check /var/empty owner mode; ok provos@
- stevesk@cvs.openbsd.org 2002/06/22 16:41:57
[scp.1]
typo
- stevesk@cvs.openbsd.org 2002/06/22 16:45:29
[ssh-agent.1 sshd.8 sshd_config.5]
use process ID vs. pid/PID/process identifier
- stevesk@cvs.openbsd.org 2002/06/22 20:05:27
[sshd.c]
don't call setsid() if debugging or run from inetd; no "Operation not
permitted" errors now; ok millert@ markus@
- stevesk@cvs.openbsd.org 2002/06/22 23:09:51
[monitor.c]
save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@
Remove `-p' from mkdir arguments, it is already part of ${MKDIR}.
While here substitute a couple of ${PREFIX} by `%D' in
`@exec ${MKDIR} ...' lines and add a couple of missing `%D' in such lines too!
(the following change may include pre-3.2.3p1 change)
20020622
- (djm) Update README.privsep; spotted by fries@
- (djm) Release 3.3p1
20020621
- (djm) Sync:
- djm@cvs.openbsd.org 2002/06/21 05:50:51
[monitor.c]
Don't initialise compression buffers when compression=no in sshd_config;
ok Niels@
- ID sync for auth-passwd.c
- (djm) Warn and disable compression on platforms which can't handle both
useprivilegeseparation=yes and compression=yes
- (djm) contrib/redhat/openssh.spec hacking:
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
- Add new ssh-keysign program and remove setuid from ssh client
20020620
- (bal) Fixed AIX environment handling, use setpcred() instead of existing
code. (Bugzilla Bug 261)
- (bal) OpenBSD CVS Sync
- todd@cvs.openbsd.org 2002/06/14 21:35:00
[monitor_wrap.c]
spelling; from Brian Poole <raj@cerias.purdue.edu>
- markus@cvs.openbsd.org 2002/06/15 00:01:36
[authfd.c authfd.h ssh-add.c ssh-agent.c]
break agent key lifetime protocol and allow other contraints for key
usage.
- markus@cvs.openbsd.org 2002/06/15 00:07:38
[authfd.c authfd.h ssh-add.c ssh-agent.c]
fix stupid typo
- markus@cvs.openbsd.org 2002/06/15 01:27:48
[authfd.c authfd.h ssh-add.c ssh-agent.c]
remove the CONSTRAIN_IDENTITY messages and introduce a new
ADD_ID message with contraints instead. contraints can be
only added together with the private key.
- itojun@cvs.openbsd.org 2002/06/16 21:30:58
[ssh-keyscan.c]
use TAILQ_xx macro. from lukem@netbsd. markus ok
- deraadt@cvs.openbsd.org 2002/06/17 06:05:56
[scp.c]
make usage like man page
- deraadt@cvs.openbsd.org 2002/06/19 00:27:55
[auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c
authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1
ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c
ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c
xmalloc.h]
KNF done automatically while reading....
- markus@cvs.openbsd.org 2002/06/19 18:01:00
[cipher.c monitor.c monitor_wrap.c packet.c packet.h]
make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this is still depends on EVP
implementation details and is broken).
- stevesk@cvs.openbsd.org 2002/06/20 19:56:07
[ssh.1 sshd.8]
move configuration file options from ssh.1/sshd.8 to
ssh_config.5/sshd_config.5; ok deraadt@ millert@
- stevesk@cvs.openbsd.org 2002/06/20 20:00:05
[scp.1 sftp.1]
ssh_config(5)
- stevesk@cvs.openbsd.org 2002/06/20 20:03:34
[ssh_config sshd_config]
refer to config file man page
- markus@cvs.openbsd.org 2002/06/20 23:05:56
[servconf.c servconf.h session.c sshd.c]
allow Compression=yes/no in sshd_config
- markus@cvs.openbsd.org 2002/06/20 23:37:12
[sshd_config]
add Compression
- stevesk@cvs.openbsd.org 2002/05/25 20:40:08
[LICENCE]
missed Per Allansson (auth2-chall.c)
- (bal) Cygwin special handling of empty passwords wrong. Patch by
vinschen@redhat.com
- (bal) Missed integrating ssh_config.5 and sshd_config.5
- (bal) Still more Makefile.in updates for ssh{d}_config.5
20020613
- (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com
20020612
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/11 23:03:54
[ssh.c]
remove unused cruft.
- markus@cvs.openbsd.org 2002/06/12 01:09:52
[ssh.c]
ssh_connect returns 0 on success
- (bal) Build noop setgroups() for cygwin to clean up code (For other
platforms without the setgroups() requirement, you MUST define
SETGROUPS_NOOP in the configure.ac) Based on patch by vinschen@redhat.com
- (bal) Some platforms don't have ONLCR (Notable Mint)
20020611
- (bal) ssh-agent.c RCSD fix (|unexpand already done)
- (bal) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/06/09 22:15:15
[ssh.1]
update for no setuid root and ssh-keysign; ok deraadt@
- itojun@cvs.openbsd.org 2002/06/09 22:17:21
[sshconnect.c]
pass salen to sockaddr_ntop so that we are happy on linux/solaris
- stevesk@cvs.openbsd.org 2002/06/10 16:53:06
[auth-rsa.c ssh-rsa.c]
display minimum RSA modulus in error(); ok markus@
- stevesk@cvs.openbsd.org 2002/06/10 16:56:30
[ssh-keysign.8]
merge in stuff from my man page; ok markus@
- stevesk@cvs.openbsd.org 2002/06/10 17:36:23
[ssh-add.1 ssh-add.c]
use convtime() to parse and validate key lifetime. can now
use '-t 2h' etc. ok markus@ provos@
- stevesk@cvs.openbsd.org 2002/06/10 17:45:20
[readconf.c ssh.1]
change RhostsRSAAuthentication and RhostsAuthentication default to no
since ssh is no longer setuid root by default; ok markus@
- stevesk@cvs.openbsd.org 2002/06/10 21:21:10
[ssh_config]
update defaults for RhostsRSAAuthentication and RhostsAuthentication
here too (all options commented out with default value).
- markus@cvs.openbsd.org 2002/06/10 22:28:41
[channels.c channels.h session.c]
move creation of agent socket to session.c; no need for uidswapping
in channel.c.
- markus@cvs.openbsd.org 2002/06/11 04:14:26
[ssh.c sshconnect.c sshconnect.h]
no longer use uidswap.[ch] from the ssh client
run less code with euid==0 if ssh is installed setuid root
just switch the euid, don't switch the complete set of groups
(this is only needed by sshd). ok provos@
- mpech@cvs.openbsd.org 2002/06/11 05:46:20
[auth-krb4.c monitor.h serverloop.c session.c ssh-agent.c sshd.c]
pid_t cleanup. Markus need this now to keep hacking.
markus@, millert@ ok
- itojun@cvs.openbsd.org 2002/06/11 08:11:45
[canohost.c]
use "ntop" only after initialized
- (bal) Cygwin fix up from swap uid clean up in ssh.c patch by
vinschen@redhat.com
20020609
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/08 05:07:56
[ssh.c]
nuke ptrace comment
- markus@cvs.openbsd.org 2002/06/08 05:07:09
[ssh-keysign.c]
only accept 20 byte session ids
- markus@cvs.openbsd.org 2002/06/08 05:17:01
[readconf.c readconf.h ssh.1 ssh.c]
deprecate FallBackToRsh and UseRsh; patch from djm@
- markus@cvs.openbsd.org 2002/06/08 05:40:01
[readconf.c]
just warn about Deprecated options for now
- markus@cvs.openbsd.org 2002/06/08 05:41:18
[ssh_config]
remove FallBackToRsh/UseRsh
- markus@cvs.openbsd.org 2002/06/08 12:36:53
[scp.c]
remove FallBackToRsh
- markus@cvs.openbsd.org 2002/06/08 12:46:14
[readconf.c]
silently ignore deprecated options, since FallBackToRsh might be passed
by remote scp commands.
- itojun@cvs.openbsd.org 2002/06/08 21:15:27
[sshconnect.c]
always use getnameinfo. (diag message only)
- markus@cvs.openbsd.org 2002/06/09 04:33:27
[sshconnect.c]
abort() - > fatal()
- (bal) RCSID tag updates on channels.c, clientloop.c, nchan.c,
sftp-client.c, ssh-agenet.c, ssh-keygen.c and connect.h (we did unexpand
independant of them)
20020607
- (bal) Removed --{enable/disable}-suid-ssh
- (bal) Missed __progname in ssh-keysign.c patch by dtucker@zip.com.au
- (bal) use 'LOGIN_PROGRAM' not '/usr/bin/login' in session.c patch by
Bertrand.Velle@apogee-com.fr
20020606
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/05/15 21:56:38
[servconf.c sshd.8 sshd_config]
re-enable privsep and disable setuid for post-3.2.2
- markus@cvs.openbsd.org 2002/05/16 22:02:50
[cipher.c kex.h mac.c]
fix warnings (openssl 0.9.7 requires const)
- stevesk@cvs.openbsd.org 2002/05/16 22:09:59
[session.c ssh.c]
don't limit xauth pathlen on client side and longer print length on
server when debug; ok markus@
- deraadt@cvs.openbsd.org 2002/05/19 20:54:52
[log.h]
extra commas in enum not 100% portable
- deraadt@cvs.openbsd.org 2002/05/22 23:18:25
[ssh.c sshd.c]
spelling; abishoff@arc.nasa.gov
- markus@cvs.openbsd.org 2002/05/23 19:24:30
[authfile.c authfile.h pathnames.h ssh.c sshconnect.c sshconnect.h
sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in]
add /usr/libexec/ssh-keysign: a setuid helper program for hostbased
authentication in protocol v2 (needs to access the hostkeys).
- markus@cvs.openbsd.org 2002/05/23 19:39:34
[ssh.c]
add comment about ssh-keysign
- markus@cvs.openbsd.org 2002/05/24 08:45:14
[sshconnect2.c]
stat ssh-keysign first, print error if stat fails;
some debug->error; fix comment
- markus@cvs.openbsd.org 2002/05/25 08:50:39
[sshconnect2.c]
execlp->execl; from stevesk
- markus@cvs.openbsd.org 2002/05/25 18:51:07
[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
auth2-passwd.c auth2-pubkey.c Makefile.in]
split auth2.c into one file per method; ok provos@/deraadt@
- stevesk@cvs.openbsd.org 2002/05/26 20:35:10
[ssh.1]
sort ChallengeResponseAuthentication; ok markus@
- stevesk@cvs.openbsd.org 2002/05/28 16:45:27
[monitor_mm.c]
print strerror(errno) on mmap/munmap error; ok markus@
- stevesk@cvs.openbsd.org 2002/05/28 17:28:02
[uidswap.c]
format spec change/casts and some KNF; ok markus@
- stevesk@cvs.openbsd.org 2002/05/28 21:24:00
[uidswap.c]
use correct function name in fatal()
- stevesk@cvs.openbsd.org 2002/05/29 03:06:30
[ssh.1 sshd.8]
spelling
- markus@cvs.openbsd.org 2002/05/29 11:21:57
[sshd.c]
don't start if privsep is enabled and SSH_PRIVSEP_USER or
_PATH_PRIVSEP_CHROOT_DIR are missing; ok deraadt@
- markus@cvs.openbsd.org 2002/05/30 08:07:31
[cipher.c]
use rijndael/aes from libcrypto (openssl >= 0.9.7) instead of
our own implementation. allow use of AES hardware via libcrypto,
ok deraadt@
- markus@cvs.openbsd.org 2002/05/31 10:30:33
[sshconnect2.c]
extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@
- markus@cvs.openbsd.org 2002/05/31 11:35:15
[auth.h auth2.c]
move Authmethod definitons to per-method file.
- markus@cvs.openbsd.org 2002/05/31 13:16:48
[key.c]
add comment:
key_verify returns 1 for a correct signature, 0 for an incorrect signature
and -1 on error.
- markus@cvs.openbsd.org 2002/05/31 13:20:50
[ssh-rsa.c]
pad received signature with leading zeros, because RSA_verify expects
a signature of RSA_size. the drafts says the signature is transmitted
unpadded (e.g. putty does not pad), reported by anakin@pobox.com
- deraadt@cvs.openbsd.org 2002/06/03 12:04:07
[ssh.h]
compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission
- markus@cvs.openbsd.org 2002/06/04 19:42:35
[monitor.c]
only allow enabled authentication methods; ok provos@
- markus@cvs.openbsd.org 2002/06/04 19:53:40
[monitor.c]
save the session id (hash) for ssh2 (it will be passed with the
initial sign request) and verify that this value is used during
authentication; ok provos@
- markus@cvs.openbsd.org 2002/06/04 23:02:06
[packet.c]
remove __FUNCTION__
- markus@cvs.openbsd.org 2002/06/04 23:05:49
[cipher.c monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c]
__FUNCTION__ -> __func__
- markus@cvs.openbsd.org 2002/06/05 16:08:07
[ssh-agent.1 ssh-agent.c]
'-a bind_address' binds the agent to user-specified unix-domain
socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
- markus@cvs.openbsd.org 2002/06/05 16:08:07
[ssh-agent.1 ssh-agent.c]
'-a bind_address' binds the agent to user-specified unix-domain
socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
- markus@cvs.openbsd.org 2002/06/05 16:48:54
[ssh-agent.c]
copy current request into an extra buffer and just flush this
request on errors, ok provos@
- markus@cvs.openbsd.org 2002/06/05 19:57:12
[authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
ssh-add -x for lock and -X for unlocking the agent.
todo: encrypt private keys with locked...
- markus@cvs.openbsd.org 2002/06/05 20:56:39
[ssh-add.c]
add -x/-X to usage
- markus@cvs.openbsd.org 2002/06/05 21:55:44
[authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
ssh-add -t life, Set lifetime (in seconds) when adding identities;
ok provos@
- stevesk@cvs.openbsd.org 2002/06/06 01:09:41
[monitor.h]
no trailing comma in enum; china@thewrittenword.com
- markus@cvs.openbsd.org 2002/06/06 17:12:44
[sftp-server.c]
discard remaining bytes of current request; ok provos@
- markus@cvs.openbsd.org 2002/06/06 17:30:11
[sftp-server.c]
use get_int() macro (hide iqueue)
- (bal) Missed msg.[ch] in merge. Required for ssh-keysign.
- (bal) Forgot to add msg.c Makefile.in.
- (bal) monitor_mm.c typos.
- (bal) Refixed auth2.c. It was never fully commited while spliting out
authentication to different files.
- (bal) ssh-keysign should build and install correctly now. Phase two
would be to clean out any dead wood and disable ssh setuid on install.
- (bal) Reverse logic, use __func__ first since it's C99
20020604
- (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
setsockopt from debug to error for now).
20020527
- (tim) [configure.ac.orig monitor_fdpass.c] Enahnce msghdr tests to address
build problem on Irix reported by Dave Love <d.love@dl.ac.uk>. Back out
last monitor_fdpass.c changes that are no longer needed with new tests.
Patch tested on Irix by Jan-Frode Myklebust <janfrode@parallab.uib.no>
20020522
- (djm) Fix spelling mistakes, spotted by Solar Designer i
<solar@openwall.com>
- Sync scard/ (not sure when it drifted)
- (djm) OpenBSD CVS Sync:
[auth.c]
Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.
- Crank version
- Crank RPM spec versions
20020521
- (stevesk) [sshd.c] bug 245; disable setsid() for now
- (stevesk) [sshd.c] #ifndef HAVE_CYGWIN for setgroups()
20020517
- (tim) [configure.ac] remove extra MD5_MSG="no" line.
20020515
- (bal) CVS ID fix up on auth-passwd.c
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/05/07 19:54:36
[ssh.h]
use ssh uid
- deraadt@cvs.openbsd.org 2002/05/08 21:06:34
[ssh.h]
move to sshd.sshd instead
- stevesk@cvs.openbsd.org 2002/05/11 20:24:48
[ssh.h]
typo in comment
- itojun@cvs.openbsd.org 2002/05/13 02:37:39
[auth-skey.c auth2.c]
less warnings. skey_{respond,query} are public (in auth.h)
- markus@cvs.openbsd.org 2002/05/13 20:44:58
[auth-options.c auth.c auth.h]
move the packet_send_debug handling from auth-options.c to auth.c;
ok provos@
- millert@cvs.openbsd.org 2002/05/13 15:53:19
[sshd.c]
Call setsid() in the child after sshd accepts the connection and forks.
This is needed for privsep which calls setlogin() when it changes uids.
Without this, there is a race where the login name of an existing
connection, as returned by getlogin(), may be changed to the privsep
user (sshd). markus@ OK
- markus@cvs.openbsd.org 2002/05/13 21:26:49
[auth-rhosts.c]
handle debug messages during rhosts-rsa and hostbased authentication;
ok provos@
- mouring@cvs.openbsd.org 2002/05/15 15:47:49
[kex.c monitor.c monitor_wrap.c sshd.c]
'monitor' variable clashes with at least one lame platform (NeXT). i
Renamed to 'pmonitor'. provos@
- deraadt@cvs.openbsd.org 2002/05/04 02:39:35
[servconf.c sshd.8 sshd_config]
enable privsep by default; provos ok
- millert@cvs.openbsd.org 2002/05/06 23:34:33
[ssh.1 sshd.8]
Kill/adjust r(login|exec)d? references now that those are no longer in
the tree.
- markus@cvs.openbsd.org 2002/05/15 21:02:53
[servconf.c sshd.8 sshd_config]
disable privsep and enable setuid for the 3.2.2 release
- (bal) Fixed up PAM case. I think.
- (bal) Clarified openbsd-compat/*-cray.* Licence provided by Wendy
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/05/15 21:05:29
[version.h]
enter OpenSSH_3.2.2
- (bal) Caldara, Suse, and Redhat openssh.specs updated.
which the basesrc USE_KERBEROS variable. Discussed on packages@
This fixes PR#17182 from Takahiro Kambe. The problem was pointed out by
FUKAUMI Naoki on a Japanese NetBSD mailing list.
- a defect in the BSD_AUTH access control handling for
OpenBSD and BSD/OS systems:
Under certain conditions, on systems using YP with netgroups
in the password database, it is possible that sshd does ACL
checks for the requested user name but uses the password
database entry of a different user for authentication. This
means that denied users might authenticate successfully while
permitted users could be locked out (OpenBSD PR 2659).
- login/tty problems on Solaris (bug #245)
- build problems on Cygwin systems
Security Changes:
=================
- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
see UsePrivilegeSeparation in sshd(8) and
http://www.citi.umich.edu/u/provos/ssh/privsep.html
for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger
Other Changes:
==============
- improved smartcard support (including support for OpenSC, see www.opensc.org)
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from ssh.com software).
- client side suport for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time
* Build properly on systems that don't have /dev/urandom by testing for
the presence of /dev/urandom, instead of just testing for Solaris.
* Add disabled code to handle PAM (not quite working yet with security/PAM).
* Make the sshd rc.d script more /etc/rc.subr-friendly.
* Minimize amount of diffs from pristine OpenSSH sources.
* Disabled scard-install (patch/patch-ah -- Do we need/want it?)
Changes since 2.9.9.2:
- Don't allow authorized_keys specified environment variables when
UseLogin in active
- Fix IPv4 default in ssh-keyscan
- Fix early (and double) free of remote user when using Kerberos
- fix krb5 authorization check
- enable authorized_keys2 again
- ignore SIGPIPE early, makes ssh work if agent dies, netbsd-pr via itojun@
- make ~& (backgrounding) work again for proto v1; add support ~& for v2, too
- pad using the padding field from the ssh2 packet instead of sending
extra ignore messages
- missing free and sync dss/rsa code
- crank c->path to 256 so they can hold a full hostname
- cleanup libwrap support
- Fix fd leak in loginrec.c
- avoid possible FD_ISSET overflow for channels established
during channnel_after_select()
- chdir $HOME after krb_afslog()
- stat subsystem command before calling do_exec
- close all channels if the connection to the remote host has been closed,
should fix sshd's hanging with WCHAN==wait
- add NoHostAuthenticationForLocalhost; note that the hostkey is
now check for localhost, too
- loginrec.c: fix type conversion problems exposed when using 64-bit off_t
- Update spec files for new x11-askpass
The automatic truncation in gensolpkg doesn't work for packages which
have the same package name for the first 5-6 chars.
e.g. amanda-server and amanda-client would be named amanda and amanda.
Now, we add a SVR4_PKGNAME and use amacl for amanda-client and amase for
amanda-server.
All svr4 packages also have a vendor tag, so we have to reserve some chars
for this tag, which is normaly 3 or 4 chars. Thats why we can only use 6
or 5 chars for SVR4_PKGNAME. I used 5 for all the packages, to give the
vendor tag enough room.
All p5-* packages and a few other packages have now a SVR4_PKGNAME.
foo-* to foo-[0-9]*. This is to cause the dependencies to match only the
packages whose base package name is "foo", and not those named "foo-bar".
A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net. Also
change dependency examples in Packages.txt to reflect this.
- don't install setuid unless SSH_SUID=YES
- use libwrap (--with-tcp-wrappers) on NetBSD
I also want to fix S/Key support and Kerberos IV,
so I've left some comments in Makefile for that.
when X11 forwarding = yes.
20010617
- (djm) Pull in small fix from -CURRENT for session.c:
typo, use pid not s->pid, mstone@cs.loyola.edu
20010615
- (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL
around grantpt().
20010614
- (bal) Applied X11 Cookie Patch. X11 Cookie behavior has changed to
no longer use /tmp/ssh-XXXXX/
20010528
- (tim) [conifgure.in] add setvbuf test needed for sftp-int.c
Patch by Corinna Vinschen <vinschen@redhat.com>
20010512
- (bal) Patch to partial sync up contrib/solaris/ packaging software.
Patch by pete <ninjaz@webexpress.com>
20010509
- (bal) UseLogin patch for Solaris/UNICOS. Patch by Wayne Davison
<wayne@blorf.net>
- (bal) ./configure support to disable SIA on OSF1. Patch by
Chris Adams <cmadams@hiwaay.net>
- (bal) Updates from the Sony NEWS-OS platform by NAKAJI Hiroyuki
<nakaji@tutrp.tut.ac.jp>
20010508
- (bal) Fixed configure test for USE_SIA.
20010506
- (djm) Update config.guess and config.sub with latest versions (from
ftp://ftp.gnu.org/gnu/config/) to allow configure on ia64-hpux.
Suggested by Jason Mader <jason@ncac.gwu.edu>
20010504
- (bal) Updated Cygwin README by Corinna Vinschen <vinschen@redhat.com>
- (bal) Avoid socket file security issues in ssh-agent for Cygwin.
Patch by Egor Duda <deo@logos-m.ru>
20010430
- (djm) Add .cvsignore files, suggested by Wayne Davison <wayne@blorf.net>
- (tim) [contrib/caldera/openssh.spec] add Requires line for Caldera 3.1
Important Changes:
==================
WARNING: SSH protocol v2 is now the default protocol version
use the 'Protocol' option from ssh(1) and sshd(8) if
you want to change this.
SSH protocol v2 implementation adds support for:
HostbasedAuthentication, similar to RhostsRSA in SSH protocol
v1
Rekeying (negotiate new encryption keys for the current SSH
session, try ~R in interactive SSH sessions)
updated DH group exchange:
draft-ietf-secsh-dh-group-exchange-01.txt
client option HostKeyAlgorithms
server options ClientAliveInterval and ClientAliveCountMax
tty mode passing
general:
gid swapping in sshd (fixes access to /home/group/user based
directory structures)
Dan Kaminsky <dankamin@cisco.com> contributed an experimental
SOCKS4 proxy to the ssh client (yes, client not the server).
Use 'ssh -D 1080 server' if you want to try this out.
server option PrintLastLog
improvements for scp > 2GB
improved ListenAddress option.
You can now use ListenAddress host:port
improved interoperability (bug detection for older implementations)
improved documentation
first component is now a package name+version/pattern, no more
executable/patchname/whatnot.
While there, introduce BUILD_USES_MSGFMT as shorthand to pull in
devel/gettext unless /usr/bin/msgfmt exists (i.e. on post-1.5 -current).
Patch by Alistair Crooks <agc@netbsd.org>
20010322
- (djm) Better AIX no tty fix, spotted by Gert Doering <gert@greenie.muc.de>
- (djm) Released 2.5.2p2
20010321
- (djm) Fix ttyname breakage for AIX and Tru64. Patch from Steve
VanDevender <stevev@darkwing.uoregon.edu>
- (djm) Make sure pam_retval is initialised on call to pam_end. Patch
from Solar Designer <solar@openwall.com>
- (djm) Don't loop forever when changing password via PAM. Patch
from Solar Designer <solar@openwall.com>
- (djm) Generate config files before build
- (djm) Correctly handle SIA and AIX when no tty present. Spotted and
suggested fix from Mike Battersby <mib@unimelb.edu.au>
20010320
- (bal) glob.c update to added GLOB_LIMITS (OpenBSD CVS).
- (bal) glob.c update to set gl_pathv to NULL (OpenBSD CVS).
- (bal) Oops. Missed globc.h change (OpenBSD CVS).
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/19 17:07:23
[auth.c readconf.c]
undo /etc/shell and proto 2,1 change for openssh-2.5.2
- markus@cvs.openbsd.org 2001/03/19 17:12:10
[version.h]
version 2.5.2
- (djm) Update RPM spec version
- (djm) Release 2.5.2p1
- tim@mindrot.org 2001/03/19 18:33:47 [defines.h]
change S_ISLNK macro to work for UnixWare 2.03
- tim@mindrot.org 2001/03/19 20:45:11 [openbsd-compat/glob.c]
add get_arg_max(). Use sysconf() if ARG_MAX is not defined
20010319
- (djm) Seed PRNG at startup, rather than waiting for arc4random calls to
do it implicitly.
- (djm) Add getusershell() functions from OpenBSD CVS
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/18 12:07:52
[auth-options.c]
ignore permitopen="host:port" if AllowTcpForwarding==no
- (djm) Make scp work on systems without 64-bit ints
- tim@mindrot.org 2001/03/18 18:28:39 [defines.h]
move HAVE_LONG_LONG_INT where it works
- (bal) Use 'NGROUPS' for NeXT Since 'MAX_NGROUPS' is wrapped up in -lposix
stuff. Change suggested by Mark Miller <markm@swoon.net>
- (bal) Small fix to scp. %lu vs %ld
- (bal) NeXTStep lacks S_ISLNK. Plus split up S_IS*
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2001/03/19 03:52:51
[sftp-client.c]
Report ssh connection closing correctly; ok deraadt@
- deraadt@cvs.openbsd.org 2001/03/18 23:30:55
[compat.c compat.h sshd.c]
specifically version match on ssh scanners. do not log scan
information to the console
- djm@cvs.openbsd.org 2001/03/19 12:10:17
[sshd.8]
Document permitopen authorized_keys option; ok markus@
- djm@cvs.openbsd.org 2001/03/19 05:49:52
[ssh.1]
document PreferredAuthentications option; ok markus@
- (bal) Minor NeXT fixed. Forgot to #undef NGROUPS_MAX
20010318
- (bal) Fixed scp type casing issue which causes "scp: protocol error:
size not delimited" fatal errors when tranfering.
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/17 17:27:59
[auth.c]
check /etc/shells, too
- tim@mindrot.org 2001/03/17 18:45:25 [compat.c]
openbsd-compat/fake-regex.h
20010317
- Support usrinfo() on AIX. Based on patch from Gert Doering
<gert@greenie.muc.de>
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/15 15:05:59
[scp.c]
use %lld in printf, ok millert@/deraadt@; report from ssh@client.fi
- markus@cvs.openbsd.org 2001/03/15 22:07:08
[session.c]
pass Session to do_child + KNF
- djm@cvs.openbsd.org 2001/03/16 08:16:18
[sftp-client.c sftp-client.h sftp-glob.c sftp-int.c]
Revise globbing for get/put to be more shell-like. In particular,
"get/put file* directory/" now works. ok markus@
- markus@cvs.openbsd.org 2001/03/16 09:55:53
[sftp-int.c]
fix memset and whitespace
- markus@cvs.openbsd.org 2001/03/16 13:44:24
[sftp-int.c]
discourage strcat/strcpy
- markus@cvs.openbsd.org 2001/03/16 19:06:30
[auth-options.c channels.c channels.h serverloop.c session.c]
implement "permitopen" key option, restricts -L style forwarding to
to specified host:port pairs. based on work by harlan@genua.de
- Check for gl_matchc support in glob_t and fall back to the
openbsd-compat/glob.[ch] support if it does not exist.
20010315
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/14 08:57:14
[sftp-client.c]
Wall
- markus@cvs.openbsd.org 2001/03/14 15:15:58
[sftp-int.c]
add version command
- deraadt@cvs.openbsd.org 2001/03/14 22:50:25
[sftp-server.c]
note no getopt()
- (stevesk) ssh-keyscan.c: specify "openbsd-compat/fake-queue.h"
- (bal) Cygwin README change by Corinna Vinschen <vinschen@redhat.com>
20010314
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/13 17:34:42
[auth-options.c]
missing xfree, deny key on parse error; ok stevesk@
- djm@cvs.openbsd.org 2001/03/13 22:42:54
[sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c]
sftp client filename globbing for get, put, ch{mod,grp,own}. ok markus@
- (bal) Fix strerror() in bsd-misc.c
- (djm) Add replacement glob() from OpenBSD libc if the system glob is
missing or lacks the GLOB_ALTDIRFUNC extension
- (djm) Remove -I$(srcdir)/openbsd-compat from CFLAGS, refer to headers
relatively. Avoids conflict between glob.h and /usr/include/glob.h
20010313
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/12 22:02:02
[key.c key.h ssh-add.c ssh-keygen.c sshconnect.c sshconnect2.c]
remove old key_fingerprint interface, s/_ex//
20010312
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/11 13:25:36
[auth2.c key.c]
debug
- jakob@cvs.openbsd.org 2001/03/11 15:03:16
[key.c key.h]
add improved fingerprint functions. based on work by Carsten
Raskgaard <cara@int.tele.dk> and modified by me. ok markus@.
- jakob@cvs.openbsd.org 2001/03/11 15:04:16
[ssh-keygen.1 ssh-keygen.c]
print both md5, sha1 and bubblebabble fingerprints when using
ssh-keygen -l -v. ok markus@.
- jakob@cvs.openbsd.org 2001/03/11 15:13:09
[key.c]
cleanup & shorten some var names key_fingerprint_bubblebabble.
- deraadt@cvs.openbsd.org 2001/03/11 16:39:03
[ssh-keygen.c]
KNF, and SHA1 binary output is just creeping featurism
- tim@mindrot.org 2001/03/11 17:29:32 [configure.in]
test if snprintf() supports %ll
add /dev to search path for PRNGD/EGD socket
fix my mistake in USER_PATH test program
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/11 18:29:51
[key.c]
style+cleanup
- markus@cvs.openbsd.org 2001/03/11 22:33:24
[ssh-keygen.1 ssh-keygen.c]
remove -v again. use -B instead for bubblebabble. make -B consistent
with -l and make -B work with /path/to/known_hosts. ok deraadt@
- (djm) Bump portable version number for generating test RPMs
- (djm) Add "static_openssl" RPM build option, remove rsh build dependency
- (bal) Reorder includes in Makefile.
20010311
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/10 12:48:27
[sshconnect2.c]
ignore nonexisting private keys; report rjmooney@mediaone.net
- deraadt@cvs.openbsd.org 2001/03/10 12:53:51
[readconf.c ssh_config]
default to SSH2, now that m68k runs fast
- stevesk@cvs.openbsd.org 2001/03/10 15:02:05
[ttymodes.c ttymodes.h]
remove unused sgtty macros; ok markus@
- deraadt@cvs.openbsd.org 2001/03/10 15:31:00
[compat.c compat.h sshconnect.c]
all known netscreen ssh versions, and older versions of OSU ssh cannot
handle password padding (newer OSU is fixed)
- tim@mindrot.org 2001/03/10 16:33:42 [configure.in Makefile.in sshd_config]
make sure $bindir is in USER_PATH so scp will work
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/10 17:51:04
[kex.c match.c match.h readconf.c readconf.h sshconnect2.c]
add PreferredAuthentications
20010310
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/03/09 03:14:39
[ssh-keygen.c]
create *.pub files with umask 0644, so that you can mv them to
authorized_keys
- deraadt@cvs.openbsd.org 2001/03/09 12:30:29
[sshd.c]
typo; slade@shore.net
- Removed log.o from sftp client. Not needed.
20010309
- OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2001/03/08 18:47:12
[auth1.c]
unused; ok markus@
- stevesk@cvs.openbsd.org 2001/03/08 20:44:48
[sftp.1]
spelling, cleanup; ok deraadt@
- markus@cvs.openbsd.org 2001/03/08 21:42:33
[compat.c compat.h readconf.h ssh.c sshconnect1.c sshconnect2.c]
implement client side of SSH2_MSG_USERAUTH_PK_OK (test public key ->
no need to do enter passphrase or do expensive sign operations if the
server does not accept key).
20010308
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2001/03/07 10:11:23
[sftp-client.c sftp-client.h sftp-int.c sftp-server.c sftp.1 sftp.c sftp.h]
Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling
functions and small protocol change.
- markus@cvs.openbsd.org 2001/03/08 00:15:48
[readconf.c ssh.1]
turn off useprivilegedports by default. only rhost-auth needs
this. older sshd's may need this, too.
- (stevesk) Reliant Unix (SNI) needs HAVE_BOGUS_SYS_QUEUE_H;
Dirk Markwardt <D.Markwardt@tu-bs.de>
20010307
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/03/06 06:11:18
[ssh-keyscan.c]
appease gcc
- deraadt@cvs.openbsd.org 2001/03/06 06:11:44
[sftp-int.c sftp.1 sftp.c]
sftp -b batchfile; mouring@etoh.eviladmin.org
- deraadt@cvs.openbsd.org 2001/03/06 15:10:42
[sftp.1]
order things
- deraadt@cvs.openbsd.org 2001/03/07 01:19:06
[ssh.1 sshd.8]
the name "secure shell" is boring, noone ever uses it
- deraadt@cvs.openbsd.org 2001/03/07 04:05:58
[ssh.1]
removed dated comment
- Cygwin contrib improvements from Corinna Vinschen <vinschen@redhat.com>
20010306
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/03/05 14:28:47
[sshd.8]
alpha order; jcs@rt.fm
- stevesk@cvs.openbsd.org 2001/03/05 15:44:51
[servconf.c]
sync error message; ok markus@
- deraadt@cvs.openbsd.org 2001/03/05 15:56:16
[myproposal.h ssh.1]
switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster;
provos & markus ok
- deraadt@cvs.openbsd.org 2001/03/05 16:07:15
[sshd.8]
detail default hmac setup too
- markus@cvs.openbsd.org 2001/03/05 17:17:21
[kex.c kex.h sshconnect2.c sshd.c]
generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.
References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
- stevesk@cvs.openbsd.org 2001/03/05 17:40:48
[ssh.1]
more ssh_known_hosts2 documentation; ok markus@
- stevesk@cvs.openbsd.org 2001/03/05 17:58:22
[dh.c]
spelling
- deraadt@cvs.openbsd.org 2001/03/06 00:33:04
[authfd.c cli.c ssh-agent.c]
EINTR/EAGAIN handling is required in more cases
- millert@cvs.openbsd.org 2001/03/06 01:06:03
[ssh-keyscan.c]
Don't assume we wil get the version string all in one read().
deraadt@ OK'd
- millert@cvs.openbsd.org 2001/03/06 01:08:27
[clientloop.c]
If read() fails with EINTR deal with it the same way we treat EAGAIN
20010305
- (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch]
- (bal) CVS ID touch up on sftp-int.c
- (bal) CVS ID touch up on uuencode.c
- (bal) CVS ID touch up on auth2.c, serverloop.c, session.c & sshd.c
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/02/17 23:48:48
[sshd.8]
it's the OpenSSH one
- deraadt@cvs.openbsd.org 2001/02/21 07:37:04
[ssh-keyscan.c]
inline -> __inline__, and some indent
- deraadt@cvs.openbsd.org 2001/02/21 09:05:54
[authfile.c]
improve fd handling
- deraadt@cvs.openbsd.org 2001/02/21 09:12:56
[sftp-server.c]
careful with & and &&; markus ok
- stevesk@cvs.openbsd.org 2001/02/21 21:14:04
[ssh.c]
-i supports DSA identities now; ok markus@
- deraadt@cvs.openbsd.org 2001/02/22 04:29:37
[servconf.c]
grammar; slade@shore.net
- deraadt@cvs.openbsd.org 2001/02/22 06:43:55
[ssh-keygen.1 ssh-keygen.c]
document -d, and -t defaults to rsa1
- deraadt@cvs.openbsd.org 2001/02/22 08:03:51
[ssh-keygen.1 ssh-keygen.c]
bye bye -d
- deraadt@cvs.openbsd.org 2001/02/22 18:09:06
[sshd_config]
activate RSA 2 key
- markus@cvs.openbsd.org 2001/02/22 21:57:27
[ssh.1 sshd.8]
typos/grammar from matt@anzen.com
- markus@cvs.openbsd.org 2001/02/22 21:59:44
[auth.c auth.h auth1.c auth2.c misc.c misc.h ssh.c]
use pwcopy in ssh.c, too
- markus@cvs.openbsd.org 2001/02/23 15:34:53
[serverloop.c]
debug2->3
- markus@cvs.openbsd.org 2001/02/23 18:15:13
[sshd.c]
the random session key depends now on the session_key_int
sent by the 'attacker'
dig1 = md5(cookie|session_key_int);
dig2 = md5(dig1|cookie|session_key_int);
fake_session_key = dig1|dig2;
this change is caused by a mail from anakin@pobox.com
patch based on discussions with my german advisor niels@openbsd.org
- deraadt@cvs.openbsd.org 2001/02/24 10:37:55
[readconf.c]
look for id_rsa by default, before id_dsa
- deraadt@cvs.openbsd.org 2001/02/24 10:37:26
[sshd_config]
ssh2 rsa key before dsa key
- markus@cvs.openbsd.org 2001/02/27 10:35:27
[packet.c]
fix random padding
- markus@cvs.openbsd.org 2001/02/27 11:00:11
[compat.c]
support SSH-2.0-2.1 ; from Christophe_Moret@hp.com
- deraadt@cvs.openbsd.org 2001/02/28 05:34:28
[misc.c]
pull in protos
- deraadt@cvs.openbsd.org 2001/02/28 05:36:28
[sftp.c]
do not kill the subprocess on termination (we will see if this helps
things or hurts things)
- markus@cvs.openbsd.org 2001/02/28 08:45:39
[clientloop.c]
fix byte counts for ssh protocol v1
- markus@cvs.openbsd.org 2001/02/28 08:54:55
[channels.c nchan.c nchan.h]
make sure remote stderr does not get truncated.
remove closed fd's from the select mask.
- markus@cvs.openbsd.org 2001/02/28 09:57:07
[packet.c packet.h sshconnect2.c]
in ssh protocol v2 use ignore messages for padding (instead of
trailing \0).
- markus@cvs.openbsd.org 2001/02/28 12:55:07
[channels.c]
unify debug messages
- deraadt@cvs.openbsd.org 2001/02/28 17:52:54
[misc.c]
for completeness, copy pw_gecos too
- markus@cvs.openbsd.org 2001/02/28 21:21:41
[sshd.c]
generate a fake session id, too
- markus@cvs.openbsd.org 2001/02/28 21:27:48
[channels.c packet.c packet.h serverloop.c]
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.
- markus@cvs.openbsd.org 2001/02/28 21:31:32
[channels.c]
typo
- deraadt@cvs.openbsd.org 2001/03/01 02:11:25
[authfd.c]
split line so that p will have an easier time next time around
- deraadt@cvs.openbsd.org 2001/03/01 02:29:04
[ssh.c]
shorten usage by a line
- deraadt@cvs.openbsd.org 2001/03/01 02:45:10
[auth-rsa.c auth2.c deattack.c packet.c]
KNF
- deraadt@cvs.openbsd.org 2001/03/01 03:38:33
[cli.c cli.h rijndael.h ssh-keyscan.1]
copyright notices on all source files
- markus@cvs.openbsd.org 2001/03/01 22:46:37
[ssh.c]
don't truncate remote ssh-2 commands; from mkubita@securities.cz
use min, not max for logging, fixes overflow.
- deraadt@cvs.openbsd.org 2001/03/02 06:21:01
[sshd.8]
explain SIGHUP better
- deraadt@cvs.openbsd.org 2001/03/02 09:42:49
[sshd.8]
doc the dsa/rsa key pair files
- deraadt@cvs.openbsd.org 2001/03/02 18:54:31
[atomicio.c atomicio.h auth-chall.c auth.c auth2-chall.c crc32.h
scp.c serverloop.c session.c sftp-server.8 sftp.1 ssh-add.1 ssh-add.c
ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh.1 sshd.8]
make copyright lines the same format
- deraadt@cvs.openbsd.org 2001/03/03 06:53:12
[ssh-keyscan.c]
standard theo sweep
- millert@cvs.openbsd.org 2001/03/03 21:19:41
[ssh-keyscan.c]
Dynamically allocate read_wait and its copies. Since maxfd is
based on resource limits it is often (usually?) larger than FD_SETSIZE.
- millert@cvs.openbsd.org 2001/03/03 21:40:30
[sftp-server.c]
Dynamically allocate fd_set; deraadt@ OK
- millert@cvs.openbsd.org 2001/03/03 21:41:07
[packet.c]
Dynamically allocate fd_set; deraadt@ OK
- deraadt@cvs.openbsd.org 2001/03/03 22:07:50
[sftp-server.c]
KNF
- markus@cvs.openbsd.org 2001/03/03 23:52:22
[sftp.c]
clean up arg processing. based on work by Christophe_Moret@hp.com
- markus@cvs.openbsd.org 2001/03/03 23:59:34
[log.c ssh.c]
log*.c -> log.c
- markus@cvs.openbsd.org 2001/03/04 00:03:59
[channels.c]
debug1->2
- stevesk@cvs.openbsd.org 2001/03/04 10:57:53
[ssh.c]
add -m to usage; ok markus@
- stevesk@cvs.openbsd.org 2001/03/04 11:04:41
[sshd.8]
small cleanup and clarify for PermitRootLogin; ok markus@
- stevesk@cvs.openbsd.org 2001/03/04 11:16:06
[servconf.c sshd.8]
kill obsolete RandomSeed; ok markus@ deraadt@
- stevesk@cvs.openbsd.org 2001/03/04 12:54:04
[sshd.8]
spelling
- millert@cvs.openbsd.org 2001/03/04 17:42:28
[authfd.c channels.c dh.c log.c readconf.c servconf.c sftp-int.c
ssh.c sshconnect.c sshd.c]
log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.
- deraadt@cvs.openbsd.org 2001/03/04 18:21:28
[sshd.8]
list SSH2 ciphers
- (bal) Put HAVE_PW_CLASS_IN_PASSWD back into pwcopy()
- (bal) Fix up logging since it changed. removed log-*.c
- (djm) Fix up LOG_AUTHPRIV for systems that have it
- (stevesk) OpenBSD sync:
- deraadt@cvs.openbsd.org 2001/03/05 08:37:27
[ssh-keyscan.c]
skip inlining, why bother
- (stevesk) sftp.c: handle __progname
20010304
- (bal) Remove make-ssh-known-hosts.1 since it's no longer valid.
- (bal) Updated contrib/README to remove 'make-ssh-known-hosts' and
give Mark Roth credit for mdoc2man.pl
20010303
- (djm) Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
- (djm) Document PAM ChallengeResponseAuthentication in sshd.8
- (djm) Disable and comment ChallengeResponseAuthentication in sshd_config
- (djm) Allow PRNGd entropy collection from localhost TCP socket. Replace
"--with-egd-pool" configure option with "--with-prngd-socket" and
"--with-prngd-port" options. Debugged and improved by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
20010301
- (djm) Properly add -lcrypt if needed.
- (djm) Force standard PAM conversation function in a few more places.
Patch from Redhat 2.5.1p1-2 RPM, probably Nalin Dahyabhai
<nalin@redhat.com>
- (djm) Cygwin needs pw->pw_gecos copied too. Patch from Corinna Vinschen
<vinschen@redhat.com>
- (djm) Released 2.5.1p2
20010228
- (djm) Detect endianness in configure and use it in rijndael.c. Fixes
"Bad packet length" bugs.
- (djm) Fully revert PAM session patch (again). All PAM session init is
now done before the final fork().
- (djm) EGD detection patch from Tim Rice <tim@multitalents.net>
- (djm) Remove /tmp from EGD socket search list
20010227
- (bal) Applied shutdown() patch for sftp.c by Corinna Vinschen
<vinschen@redhat.com>
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/02/23 15:37:45
[session.c]
handle SSH_PROTOFLAG_SCREEN_NUMBER for buggy clients
- (bal) sshd.init support for all Redhat release. Patch by Jim Knoble
<jmknoble@jmknoble.cx>
- (djm) Fix up POSIX saved uid support. Report from Mark Miller
<markm@swoon.net>
- (djm) Search for -lcrypt on FreeBSD too
- (djm) fatal() on OpenSSL version mismatch
- (djm) Move PAM init to after fork for non-Solaris derived PAMs
- (djm) Warning fix on entropy.c saved uid stuff. Patch from Mark Miller
<markm@swoon.net>
- (djm) Fix PAM fix
- (djm) Remove 'noreplace' flag from sshd_config in RPM spec files. This
change is being made as 2.5.x configfiles are not back-compatible with
2.3.x.
- (djm) Avoid warnings for missing broken IP_TOS. Patch from Mark Miller
<markm@swoon.net>
- (djm) Open Server 5 doesn't need BROKEN_SAVED_UIDS. Patch from Tim Rice
<tim@multitalents.net>
- (djm) Avoid multiple definition of _PATH_LS. Patch from Tim Rice
<tim@multitalents.net>
20010226
- (bal) Fixed bsd-snprinf.c so it now honors 'BROKEN_SNPRINTF' again.
- (djm) Some systems (SCO3, NeXT) have weird saved uid semantics.
Based on patch from Tim Rice <tim@multitalents.net>
20010225
- (djm) Use %{_libexecdir} rather than hardcoded path in RPM specfile
Patch from Adrian Ho <lexfiend@usa.net>
- (bal) Replace 'unsigned long long' to 'u_int64_t' since not every
platform defines u_int64_t as being that.
20010224
- (bal) Missed part of the UNIX sockets patch. Patch by Corinna
Vinschen <vinschen@redhat.com>
- (bal) Reorder where 'strftime' is detected to resolve linking
issues on SCO. Patch by Tim Rice <tim@multitalents.net>
20010224
- (bal) pam_stack fix to correctly detect between RH7 and older RHs.
Patch by Pekka Savola <pekkas@netcore.fi>
- (bal) Renamed sigaction.[ch] to sigact.[ch]. Causes problems with
some platforms.
- (bal) Generalize lack of UNIX sockets since this also effects Cray
not just Cygwin. Based on patch by Wendy Palm <wendyp@cray.com>
20010223
- (bal) Fix --define rh7 in openssh.spec file. Patch by Steve Tell
<tell@telltronics.org>
- (bal) Patch to force OpenSSH rpm to require the same version of OpenSSL
that it was compiled against. Patch by Pekka Savola <pekkas@netcore.fi>
- (bal) Double -I for OpenSSL on SCO. Patch by Tim Rice
<tim@multitalents.net>
20010222
- (bal) Corrected SCO luid patch by svaughan <svaughan@asterion.com>
- (bal) Added mdoc2man.pl from Mark Roth <roth@feep.net>
- (bal) Removed reference to liblogin from contrib/README. It was
integrated into OpenSSH a long while ago.
- (stevesk) remove erroneous #ifdef sgi code.
Michael Stone <mstone@cs.loyola.edu>
20010221
- (bal) Removed -L/usr/ucblib -R/usr/ucblib for Solaris platform.
- (bal) Fixed OpenSSL rework to use $saved_*. Patch by Tim Rice
<tim@multitalents.net>
- (bal) Reverted out of 2001/02/15 patch by djm below because it
breaks Solaris.
- (djm) Move PAM session setup back to before setuid to user.
fixes problems on Solaris-drived PAMs.
- (stevesk) session.c: back out to where we were before:
- (djm) Move PAM session initialisation until after fork in sshd. Patch
from Nalin Dahyabhai <nalin@redhat.com>
20010220
- (bal) Fix mixed up params to memmove() from Jan 5th in setenv.c and
getcwd.c.
- (bal) OpenBSD CVS Sync:
- deraadt@cvs.openbsd.org 2001/02/19 23:09:05
[sshd.c]
clarify message to make it not mention "ident"
20010219
- (bal) Markus' blessing to rename login.[ch] -> sshlogin.[ch] and
pty.[ch] -> sshpty.[ch]
- (djm) Rework search for OpenSSL location. Skip directories which don't
exist, don't add -L$ssldir/lib if it doesn't exist. Should help SCO
with its limit of 6 -L options.
- OpenBSD CVS Sync:
- reinhard@cvs.openbsd.org 2001/02/17 08:24:40
[sftp.1]
typo
- deraadt@cvs.openbsd.org 2001/02/17 16:28:58
[ssh.c]
cleanup -V output; noted by millert
- deraadt@cvs.openbsd.org 2001/02/17 16:48:48
[sshd.8]
it's the OpenSSH one
- markus@cvs.openbsd.org 2001/02/18 11:33:54
[dispatch.c]
typo, SSH2_MSG_KEXINIT, from aspa@kronodoc.fi
- markus@cvs.openbsd.org 2001/02/19 02:53:32
[compat.c compat.h serverloop.c]
ssh-1.2.{18-22} has broken handling of ignore messages; report from
itojun@
- markus@cvs.openbsd.org 2001/02/19 03:35:23
[version.h]
OpenSSH_2.5.1 adds bug compat with 1.2.{18-22}
- deraadt@cvs.openbsd.org 2001/02/19 03:36:25
[scp.c]
np is changed by recursion; vinschen@redhat.com
- Update versions in RPM spec files
- Release 2.5.1p1
20010218
- (bal) Patch for fix FCHMOD reference in ftp-client.c by Tim Rice
<tim@multitalents.net>
- (Bal) Patch for lack of RA_RESTART in misc.c for mysignal by
stevesk
- (djm) Fix my breaking of cygwin builds, Patch from Corinna Vinschen
<vinschen@redhat.com> and myself.
- (djm) Close listen_sock on bind() failures. Patch from Arkadiusz
Miskiewicz <misiek@pld.ORG.PL>
- (djm) Robustify EGD/PRNGd code in face of socket closures. Patch from
Todd C. Miller <Todd.Miller@courtesan.com>
- (djm) Use ttyname() to determine name of tty returned by openpty()
rather then risking overflow. Patch from Marek Michalkiewicz
<marekm@amelek.gda.pl>
- (djm) Swapped tests for no_libsocket and no_libnsl in configure.in.
Patch from Marek Michalkiewicz <marekm@amelek.gda.pl>
- (djm) Doc fixes from Pekka Savola <pekkas@netcore.fi>
- (djm) Use SA_INTERRUPT along SA_RESTART if present (equivalent for
SunOS)
- (djm) SCO needs librpc for libwrap. Patch from Tim Rice
<tim@multitalents.net>
- (stevesk) misc.c: cpp rework of SA_(INTERRUPT|RESTART) handling.
- (stevesk) scp.c: use mysignal() for updateprogressmeter() handler.
- (djm) SA_INTERRUPT is the converse of SA_RESTART, apply it only for
SIGALRM.
- (djm) Move entropy.c over to mysignal()
- (djm) SunOS 4.x also needs to define HAVE_BOGUS_SYS_QUEUE_H as it has
a <sys/queue.h> that lacks the TAILQ_* macros. Patch from Todd C.
Miller <Todd.Miller@courtesan.com>
- (djm) Update RPM spec files for 2.5.0p1
- (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie
enable with --with-bsd-auth.
- (stevesk) entropy.c: typo; should be SIGPIPE
20010217
- (bal) OpenBSD Sync:
- markus@cvs.openbsd.org 2001/02/16 13:38:18
[channel.c]
remove debug
- markus@cvs.openbsd.org 2001/02/16 14:03:43
[session.c]
proper payload-length check for x11 w/o screen-number
20010216
- (bal) added '--with-prce' to allow overriding of system regex when
required (tested by David Dulek <ddulek@fastenal.com>)
- (bal) Added DG/UX case and set that they have a broken IPTOS.
- (djm) Mini-configure reorder patch from Tim Rice <tim@multitalents.net>
Fixes linking on SCO.
- (djm) Make gnome-ssh-askpass handle multi-line prompts. Patch from
Nalin Dahyabhai <nalin@redhat.com>
- (djm) BSD license for gnome-ssh-askpass (was X11)
- (djm) KNF on gnome-ssh-askpass
- (djm) USE_PIPES for a few more sysv platforms
- (djm) Cleanup configure.in a little
- (djm) Ask users to check config.log when we can't find necessary libs
- (djm) Set "login ID" on systems with setluid. Only enabled for SCO
OpenServer for now. Based on patch from svaughan <svaughan@asterion.com>
- (djm) OpenBSD CVS:
- markus@cvs.openbsd.org 2001/02/15 16:19:59
[channels.c channels.h serverloop.c sshconnect.c sshconnect.h]
[sshconnect1.c sshconnect2.c]
genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.
- (djm) Add roundup() macro to defines.h
- (stevesk) set SA_RESTART flag in mysignal() for SIGCHLD;
needed on Unixware 2.x.
20010215
- (djm) Move PAM session setup back to before setuid to user. Fixes
problems on Solaris-derived PAMs.
- (djm) Clean up PAM namespace. Suggested by Darren Moffat
<Darren.Moffat@eng.sun.com>
- (bal) Sync w/ OpenSSH for new release
- markus@cvs.openbsd.org 2001/02/12 12:45:06
[sshconnect1.c]
fix xmalloc(0), ok dugsong@
- markus@cvs.openbsd.org 2001/02/11 12:59:25
[Makefile.in sshd.8 sshconnect2.c readconf.h readconf.c packet.c
sshd.c ssh.c ssh.1 servconf.h servconf.c myproposal.h kex.h kex.c]
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
- markus@cvs.openbsd.org 2001/02/12 16:16:23
[auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h
ssh-keygen.c sshd.8]
PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)
- deraadt@cvs.openbsd.org 2001/02/12 22:56:09
[clientloop.c packet.c ssh-keyscan.c]
deal with EAGAIN/EINTR selects which were skipped
- markus@cvs.openssh.org 2001/02/13 22:49:40
[auth1.c auth2.c]
setproctitle(user) only if getpwnam succeeds
- markus@cvs.openbsd.org 2001/02/12 23:26:20
[sshd.c]
missing memset; from solar@openwall.com
- stevesk@cvs.openbsd.org 2001/02/12 20:53:33
[sftp-int.c]
lumask now works with 1 numeric arg; ok markus@, djm@
- djm@cvs.openbsd.org 2001/02/14 9:46:03
[sftp-client.c sftp-int.c sftp.1]
Fix and document 'preserve modes & times' option ('-p' flag in sftp);
ok markus@
- (bal) replaced PATH_MAX in sftp-int.c w/ MAXPATHLEN.
- (djm) Move to Jim's 1.2.0 X11 askpass program
- (stevesk) OpenBSD sync:
- deraadt@cvs.openbsd.org 2001/02/15 01:38:04
[serverloop.c]
indent
20010214
- (djm) Don't try to close PAM session or delete credentials if the
session has not been open or credentials not set. Based on patch from
Andrew Bartlett <abartlet@pcug.org.au>
- (djm) Move PAM session initialisation until after fork in sshd. Patch
from Nalin Dahyabhai <nalin@redhat.com>
- (bal) Missing function prototype in bsd-snprintf.c patch by
Mark Miller <markm@swoon.net>
- (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
<cmadams@hiwaay.net> with a little modification and KNF.
- (stevesk) fix for SIA patch, misplaced session_setup_sia()
20010213
- (djm) Only test -S potential EGD sockets if they exist and are readable.
- (bal) Cleaned out bsd-snprintf.c. VARARGS have been banished and
I did a base KNF over the whe whole file to make it more acceptable.
(backed out of original patch and removed it from ChangeLog)
- (bal) Use chown() if fchown() does not exist in ftp-server.c patch by
Tim Rice <tim@multitalents.net>
- (stevesk) auth1.c: fix PAM passwordless check.
20010212
- (djm) Update Redhat specfile to allow --define "skip_x11_askpass 1",
--define "skip_gnome_askpass 1", --define "rh7 1" and make the
implicit rpm-3.0.5 dependancy explicit. Patch and suggestions from
Pekka Savola <pekkas@netcore.fi>
- (djm) Clean up PCRE text in INSTALL
- (djm) Fix OSF SIA auth NULL pointer deref. Report from Mike Battersby
<mib@unimelb.edu.au>
- (bal) NCR SVR4 compatiblity provide by Don Bragg <thewizarddon@yahoo.com>
- (stevesk) session.c: remove debugging code.
20010211
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/02/07 22:35:46
[auth1.c auth2.c sshd.c]
move k_setpag() to a central place; ok dugsong@
- markus@cvs.openbsd.org 2001/02/10 12:52:02
[auth2.c]
offer passwd before s/key
- markus@cvs.openbsd.org 2001/02/8 22:37:10
[canohost.c]
remove last call to sprintf; ok deraadt@
- markus@cvs.openbsd.org 2001/02/10 1:33:32
[canohost.c]
add debug message, since sshd blocks here if DNS is not available
- markus@cvs.openbsd.org 2001/02/10 12:44:02
[cli.c]
don't call vis() for \r
- danh@cvs.openbsd.org 2001/02/10 0:12:43
[scp.c]
revert a small change to allow -r option to work again; ok deraadt@
- danh@cvs.openbsd.org 2001/02/10 15:14:11
[scp.c]
fix memory leak; ok markus@
- djm@cvs.openbsd.org 2001/02/10 0:45:52
[scp.1]
Mention that you can quote pathnames with spaces in them
- markus@cvs.openbsd.org 2001/02/10 1:46:28
[ssh.c]
remove mapping of argv[0] -> hostname
- markus@cvs.openbsd.org 2001/02/06 22:26:17
[sshconnect2.c]
do not ask for passphrase in batch mode; report from ejb@ql.org
- itojun@cvs.opebsd.org 2001/02/08 10:47:05
[sshconnect.c sshconnect1.c sshconnect2.c]
%.30s is too short for IPv6 numeric address. use %.128s for now.
markus ok
- markus@cvs.openbsd.org 2001/02/09 12:28:35
[sshconnect2.c]
do not free twice, thanks to /etc/malloc.conf
- markus@cvs.openbsd.org 2001/02/09 17:10:53
[sshconnect2.c]
partial success: debug->log; "Permission denied" if no more auth methods
- markus@cvs.openbsd.org 2001/02/10 12:09:21
[sshconnect2.c]
remove some lines
- markus@cvs.openbsd.org 2001/02/09 13:38:07
[auth-options.c]
reset options if no option is given; from han.holl@prismant.nl
- markus@cvs.openbsd.org 2001/02/08 21:58:28
[channels.c]
nuke sprintf, ok deraadt@
- markus@cvs.openbsd.org 2001/02/08 21:58:28
[channels.c]
nuke sprintf, ok deraadt@
- markus@cvs.openbsd.org 2001/02/06 22:43:02
[clientloop.h]
remove confusing callback code
- deraadt@cvs.openbsd.org 2001/02/08 14:39:36
[readconf.c]
snprintf
- itojun@cvs.openbsd.org 2001/02/08 19:30:52
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long
- itojun@cvs.openbsd.org 2001/02/07 18:04:50
[ssh-keyscan.c]
fix size_t -> int cast (use u_long). markus ok
- markus@cvs.openbsd.org 2001/02/07 22:43:16
[ssh-keyscan.c]
s/getline/Linebuf_getline/; from roumen.petrov@skalasoft.com
- itojun@cvs.openbsd.org 2001/02/09 9:04:59
[ssh-keyscan.c]
do not assume malloc() returns zero-filled region. found by
malloc.conf=AJ.
- markus@cvs.openbsd.org 2001/02/08 22:35:30
[sshconnect.c]
don't connect if batch_mode is true and stricthostkeychecking set to
'ask'
- djm@cvs.openbsd.org 2001/02/04 21:26:07
[sshd_config]
type: ok markus@
- deraadt@cvs.openbsd.org 2001/02/06 22:07:50
[sshd_config]
enable sftp-server by default
- deraadt 2001/02/07 8:57:26
[xmalloc.c]
deal with new ANSI malloc stuff
- markus@cvs.openbsd.org 2001/02/07 16:46:08
[xmalloc.c]
typo in fatal()
- itojun@cvs.openbsd.org 2001/02/07 18:04:50
[xmalloc.c]
fix size_t -> int cast (use u_long). markus ok
- 1.47 Thu Feb 8 23:11:42 GMT 2001 by dugsong
[serverloop.c sshconnect1.c]
mitigate SSH1 traffic analysis - from Solar Designer
<solar@openwall.com>, ok provos@
- (bal) fixed sftp-client.c. Return 'status' instead of '0'
(from the OpenBSD tree)
- (bal) Synced ssh.1, ssh-add.1 and sshd.8 w/ OpenBSD
- (bal) sftp-sever.c '%8lld' to '%8llu' (OpenBSD Sync)
- (bal) uuencode.c resync w/ OpenBSD tree, plus whitespace.
- (bal) A bit more whitespace cleanup
- (djm) Set PAM_RHOST earlier, patch from Andrew Bartlett
<abartlet@pcug.org.au>
- (stevesk) misc.c: ssh.h not needed.
- (stevesk) compat.c: more friendly cpp error
- (stevesk) OpenBSD sync:
- stevesk@cvs.openbsd.org 2001/02/11 06:15:57
[LICENSE]
typos and small cleanup; ok deraadt@
20010210
- (djm) Sync sftp and scp stuff from OpenBSD:
- djm@cvs.openbsd.org 2001/02/07 03:55:13
[sftp-client.c]
Don't free handles before we are done with them. Based on work from
Corinna Vinschen <vinschen@redhat.com>. ok markus@
- djm@cvs.openbsd.org 2001/02/06 22:32:53
[sftp.1]
Punctuation fix from Pekka Savola <pekkas@netcore.fi>
- deraadt@cvs.openbsd.org 2001/02/07 04:07:29
[sftp.1]
pretty up significantly
- itojun@cvs.openbsd.org 2001/02/07 06:49:42
[sftp.1]
.Bl-.El mismatch. markus ok
- djm@cvs.openbsd.org 2001/02/07 06:12:30
[sftp-int.c]
Check that target is a directory before doing ls; ok markus@
- itojun@cvs.openbsd.org 2001/02/07 11:01:18
[scp.c sftp-client.c sftp-server.c]
unsigned long long -> %llu, not %qu. markus ok
- stevesk@cvs.openbsd.org 2001/02/07 11:10:39
[sftp.1 sftp-int.c]
more man page cleanup and sync of help text with man page; ok markus@
- markus@cvs.openbsd.org 2001/02/07 14:58:34
[sftp-client.c]
older servers reply with SSH2_FXP_NAME + count==0 instead of EOF
- djm@cvs.openbsd.org 2001/02/07 15:27:19
[sftp.c]
Don't forward agent and X11 in sftp. Suggestion from Roumen Petrov
<roumen.petrov@skalasoft.com>
- stevesk@cvs.openbsd.org 2001/02/07 15:36:04
[sftp-int.c]
portable; ok markus@
- stevesk@cvs.openbsd.org 2001/02/07 15:55:47
[sftp-int.c]
lowercase cmds[].c also; ok markus@
- markus@cvs.openbsd.org 2001/02/07 17:04:52
[pathnames.h sftp.c]
allow sftp over ssh protocol 1; ok djm@
- deraadt@cvs.openbsd.org 2001/02/08 07:38:55
[scp.c]
memory leak fix, and snprintf throughout
- deraadt@cvs.openbsd.org 2001/02/08 08:02:02
[sftp-int.c]
plug a memory leak
- stevesk@cvs.openbsd.org 2001/02/08 10:11:23
[session.c sftp-client.c]
%i -> %d
- stevesk@cvs.openbsd.org 2001/02/08 10:57:59
[sftp-int.c]
typo
- stevesk@cvs.openbsd.org 2001/02/08 15:28:07
[sftp-int.c pathnames.h]
_PATH_LS; ok markus@
- djm@cvs.openbsd.org 2001/02/09 04:46:25
[sftp-int.c]
Check for NULL attribs for chown, chmod & chgrp operations, only send
relevant attribs back to server; ok markus@
- djm@cvs.openbsd.org 2001/02/06 15:05:25
[sftp.c]
Use getopt to process commandline arguments
- djm@cvs.openbsd.org 2001/02/06 15:06:21
[sftp.c ]
Wait for ssh subprocess at exit
- djm@cvs.openbsd.org 2001/02/06 15:18:16
[sftp-int.c]
stat target for remote chdir before doing chdir
- djm@cvs.openbsd.org 2001/02/06 15:32:54
[sftp.1]
Punctuation fix from Pekka Savola <pekkas@netcore.fi>
- provos@cvs.openbsd.org 2001/02/05 22:22:02
[sftp-int.c]
cleanup get_pathname, fix pwd after failed cd. okay djm@
- (djm) Update makefile.in for _PATH_SFTP_SERVER
- (bal) sftp-client.c replace NULL w/ 0 in do_ls() (pending in OpenBSD tree)
20010209
- (bal) patch to vis.c to deal with HAVE_VIS right by Robert Mooney
<rjmooney@mediaone.net>
- (bal) .c.o rule in openbsd-compat/Makefile.in did not make it to the
main tree while porting forward. Pointed out by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (bal) double entry in configure.in. Pointed out by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (stevesk) OpenBSD sync:
- markus@cvs.openbsd.org 2001/02/08 11:20:01
[auth2.c]
strict checking
- markus@cvs.openbsd.org 2001/02/08 11:15:22
[version.h]
update to 2.3.2
- markus@cvs.openbsd.org 2001/02/08 11:12:30
[auth2.c]
fix typo
- (djm) Update spec files
- (bal) OpenBSD sync:
- deraadt@cvs.openbsd.org 2001/02/08 14:38:54
[scp.c]
memory leak fix, and snprintf throughout
- markus@cvs.openbsd.org 2001/02/06 22:43:02
[clientloop.c]
remove confusing callback code
- (djm) Add CVS Id's to files that we have missed
- (bal) OpenBSD Sync (more):
- itojun@cvs.openbsd.org 2001/02/08 19:30:52
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long
- markus@cvs.openbsd.org 2001/02/06 22:07:42
[ssh.c]
fatal() if subsystem fails
- markus@cvs.openbsd.org 2001/02/06 22:43:02
[ssh.c]
remove confusing callback code
- jakob@cvs.openbsd.org 2001/02/06 23:03:24
[ssh.c]
add -1 option (force protocol version 1). ok markus@
- jakob@cvs.openbsd.org 2001/02/06 23:06:21
[ssh.c]
reorder -{1,2,4,6} options. ok markus@
- (bal) Missing 'const' in readpass.h
- (bal) OpenBSD Sync (so at least the thing compiles for 2.3.2 =)
- djm@cvs.openbsd.org 2001/02/06 23:30:28
[sftp-client.c]
replace arc4random with counter for request ids; ok markus@
- (djm) Define _PATH_TTY for systems that don't. Report from Lutz
Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
20010208
- (djm) Don't delete external askpass program in make uninstall target.
Report and fix from Roumen Petrov <roumen.petrov@skalasoft.com>
- (djm) Fix linking of sftp, don't need arc4random any more.
- (djm) Try to use shell that supports "test -S" for EGD socket search.
Based on patch from Tim Rice <tim@multitalents.net>
20010207
- (bal) Save the whole path to AR in configure. Some Solaris 2.7 installs
seem lose track of it while in openbsd-compat/ (two confirmed reports)
- (djm) Much KNF on PAM code
- (djm) Revise auth-pam.c conversation function to be a little more
readable.
- (djm) Revise kbd-int PAM conversation function to fold all text messages
to before first prompt. Fixes hangs if last pam_message did not require
a reply.
- (djm) Fix password changing when using PAM kbd-int authentication
20010205
- (bal) Disable groupaccess by setting NGROUPS_MAX to 0 for platforms
that don't have NGROUPS_MAX.
- (bal) AIX patch for auth1.c by William L. Jones <jones@hpc.utexas.edu>
- (stevesk) OpenBSD sync:
- stevesk@cvs.openbsd.org 2001/02/04 08:32:27
[many files; did this manually to our top-level source dir]
unexpand and remove end-of-line whitespace; ok markus@
- stevesk@cvs.openbsd.org 2001/02/04 15:21:19
[sftp-server.c]
SSH2_FILEXFER_ATTR_UIDGID support; ok markus@
- deraadt@cvs.openbsd.org 2001/02/04 17:02:32
[sftp-int.c]
? == help
- deraadt@cvs.openbsd.org 2001/02/04 16:47:46
[sftp-int.c]
sort commands, so that abbreviations work as expected
- stevesk@cvs.openbsd.org 2001/02/04 15:17:52
[sftp-int.c]
debugging sftp: precedence and missing break. chmod, chown, chgrp
seem to be working now.
- markus@cvs.openbsd.org 2001/02/04 14:41:21
[sftp-int.c]
use base 8 for umask/chmod
- markus@cvs.openbsd.org 2001/02/04 11:11:54
[sftp-int.c]
fix LCD
- markus@cvs.openbsd.org 2001/02/04 08:10:44
[ssh.1]
typo; dpo@club-internet.fr
- stevesk@cvs.openbsd.org 2001/02/04 06:30:12
[auth2.c authfd.c packet.c]
remove duplicate #include's; ok markus@
- deraadt@cvs.openbsd.org 2001/02/04 16:56:23
[scp.c sshd.c]
alpha happiness
- stevesk@cvs.openbsd.org 2001/02/04 15:12:17
[sshd.c]
precedence; ok markus@
- deraadt@cvs.openbsd.org 2001/02/04 08:14:15
[ssh.c sshd.c]
make the alpha happy
- markus@cvs.openbsd.org 2001/01/31 13:37:24
[channels.c channels.h serverloop.c ssh.c]
do not disconnect if local port forwarding fails, e.g. if port is
already in use
- markus@cvs.openbsd.org 2001/02/01 14:58:09
[channels.c]
use ipaddr in channel messages, ietf-secsh wants this
- markus@cvs.openbsd.org 2001/01/31 12:26:20
[channels.c]
ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE
messages; bug report from edmundo@rano.org
- markus@cvs.openbsd.org 2001/01/31 13:48:09
[sshconnect2.c]
unused
- deraadt@cvs.openbsd.org 2001/02/04 08:23:08
[sftp-client.c sftp-server.c]
make gcc on the alpha even happier
20010204
- (bal) I think this is the last of the bsd-*.h that don't belong.
- (bal) Minor Makefile fix
- (bal) openbsd-compat/Makefile minor fix. Ensure dependancies are done
right.
- (bal) Changed order of LIB="" in -with-skey due to library resolving.
- (bal) next-posix.h changed to bsd-nextstep.h
- (djm) OpenBSD CVS sync:
- markus@cvs.openbsd.org 2001/02/03 03:08:38
[auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c]
[canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8]
[sshd_config]
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
- markus@cvs.openbsd.org 2001/02/03 03:19:51
[ssh.1 sshd.8 sshd_config]
Skey is now called ChallengeResponse
- markus@cvs.openbsd.org 2001/02/03 03:43:09
[sshd.8]
use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean
channel. note from Erik.Anggard@cygate.se (pr/1659)
- stevesk@cvs.openbsd.org 2001/02/03 10:03:06
[ssh.1]
typos; ok markus@
- djm@cvs.openbsd.org 2001/02/04 04:11:56
[scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h]
[sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c]
Basic interactive sftp client; ok theo@
- (djm) Update RPM specs for new sftp binary
- (djm) Update several bits for new optional reverse lookup stuff. I
think I got them all.
- (djm) Makefile.in fixes
- (stevesk) add mysignal() wrapper and use it for the protocol 2
SIGCHLD handler.
- (djm) Use setvbuf() instead of setlinebuf(). Suggest from stevesk@
20010203
- (bal) Cygwin clean up by Corinna Vinschen <vinschen@redhat.com>
- (bal) renamed queue.h to fake-queue.h (even if it's an OpenBSD
based file) to ensure #include space does not get confused.
- (bal) Minor Makefile.in tweak. dirname may not exist on some
platforms so builds fail. (NeXT being a well known one)
20010202
- (bal) Makefile fix where sourcedir != builddir by Corinna Vinschen
<vinschen@redhat.com>
- (bal) Makefile fix to use $(MAKE) instead of 'make' for platforms
that use 'gmake'. Patch by Tim Rice <tim@multitalents.net>
20010201
- (bal) Minor fix to Makefile to stop rebuilding executables if no
changes have occured to any of the supporting code. Patch by
Roumen Petrov <roumen.petrov@skalasoft.com>
20010131
- (djm) OpenBSD CVS Sync:
- djm@cvs.openbsd.org 2001/01/30 15:48:53
[sshconnect.c]
Make warning message a little more consistent. ok markus@
- (djm) Fix autoconf logic for --with-lastlog=no Report and diagnosis from
Philipp Buehler <lists@fips.de> and Kevin Steves <stevesk@sweden.hp.com>
respectively.
- (djm) Don't log SSH2 PAM KbdInt responses to debug, they may contain
passwords.
- (bal) Reorder. Move all bsd-*, fake-*, next-*, and cygwin* stuff to
openbsd-compat/. And resolve all ./configure and Makefile.in issues
assocated.
20010130
- (djm) OpenBSD CVS Sync:
- markus@cvs.openbsd.org 2001/01/29 09:55:37
[channels.c channels.h clientloop.c serverloop.c]
fix select overflow; ok deraadt@ and stevesk@
- markus@cvs.openbsd.org 2001/01/29 12:42:35
[canohost.c canohost.h channels.c clientloop.c]
add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS
- markus@cvs.openbsd.org 2001/01/29 12:47:32
[rsa.c rsa.h ssh-agent.c sshconnect1.c sshd.c]
handle rsa_private_decrypt failures; helps against the Bleichenbacher
pkcs#1 attack
- djm@cvs.openbsd.org 2001/01/29 05:36:11
[ssh.1 ssh.c]
Allow invocation of sybsystem by commandline (-s); ok markus@
- (stevesk) configure.in: remove duplicate PROG_LS
20010129
- (stevesk) sftp-server.c: use %lld vs. %qd
20010128
- (bal) Put USE_PIPES back into sco3.2v5
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/28 10:15:34
[dispatch.c]
re-keying is not supported; ok deraadt@
- markus@cvs.openbsd.org 2001/01/28 10:24:04
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
cleanup AUTHORS sections
- markus@cvs.openbsd.org 2001/01/28 10:37:26
[sshd.c sshd.8]
remove -Q, no longer needed
- stevesk@cvs.openbsd.org 2001/01/28 20:36:16
[readconf.c ssh.1]
``StrictHostKeyChecking ask'' documentation and small cleanup.
ok markus@
- stevesk@cvs.openbsd.org 2001/01/28 20:43:25
[sshd.8]
spelling. ok markus@
- stevesk@cvs.openbsd.org 2001/01/28 20:53:21
[xmalloc.c]
use size_t for strlen() return. ok markus@
- stevesk@cvs.openbsd.org 2001/01/28 22:27:05
[authfile.c]
spelling. use sizeof vs. strlen(). ok markus@
- niklas@cvs.openbsd.org 2001/01/29 1:59:14
[atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h
groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h
key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h
radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1
ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config
sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h]
$OpenBSD$
- (bal) Minor auth2.c resync. Whitespace and moving of an #include.
20010126
- (bal) SSH_PROGRAM vs _PATH_SSH_PROGRAM fix pointed out by Roumen
Petrov <roumen.petrov@skalasoft.com>
- (bal) OpenBSD Sync
- deraadt@cvs.openbsd.org 2001/01/25 8:06:33
[ssh-agent.c]
call _exit() in signal handler
20010125
- (djm) Sync bsd-* support files:
- deraadt@cvs.openbsd.org 2000/01/26 03:43:20
[rresvport.c bindresvport.c]
new bindresvport() semantics that itojun, shin, jean-luc and i have
agreed on, which will be happy for the future. bindresvport_sa() for
sockaddr *, too. docs later..
- deraadt@cvs.openbsd.org 2000/01/24 02:24:21
[bindresvport.c]
in bindresvport(), if sin is non-NULL, example sin->sin_family for
the actual family being processed
- (djm) Mention PRNGd in documentation, it is nicer than EGD
- (djm) Automatically search for "well-known" EGD/PRNGd sockets in autoconf
- (bal) AC_FUNC_STRFTIME added to autoconf
- (bal) OpenBSD Resync
- stevesk@cvs.openbsd.org 2001/01/24 21:03:50
[channels.c]
missing freeaddrinfo(); ok markus@
20010124
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/23 10:45:10
[ssh.h]
nuke comment
- (bal) no 64bit support patch from Tim Rice <tim@multitalents.net>
- (bal) #ifdef around S_IFSOCK if platform does not support it.
patch by Tim Rice <tim@multitalents.net>
- (bal) fake-regex.h cleanup based on Tim Rice's patch.
- (stevesk) sftp-server.c: fix chmod() mode mask
20010123
- (bal) regexp.h typo in configure.in. Should have been regex.h
- (bal) SSH_USER_DIR to _PATH_SSH_USER_DIR patch by stevesk@
- (bal) SSH_ASKPASS_DEFAULT to _PATH_SSH_ASKPASS_DEFAULT
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/22 8:15:00
[auth-krb4.c sshconnect1.c]
only AFS needs radix.[ch]
- markus@cvs.openbsd.org 2001/01/22 8:32:53
[auth2.c]
no need to include; from mouring@etoh.eviladmin.org
- stevesk@cvs.openbsd.org 2001/01/22 16:55:21
[key.c]
free() -> xfree(); ok markus@
- stevesk@cvs.openbsd.org 2001/01/22 17:22:28
[sshconnect2.c sshd.c]
fix memory leaks in SSH2 key exchange; ok markus@
- markus@cvs.openbsd.org 2001/01/22 23:06:39
[auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
sshconnect1.c sshconnect2.c sshd.c]
rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
20010122
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus
[servconf.c ssh.h sshd.c]
only auth-chall.c needs #ifdef SKEY
- markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus
[auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c
auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c
packet.c pathname.h readconf.c scp.c servconf.c serverloop.c
session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h
ssh1.h sshconnect1.c sshd.c ttymodes.c]
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
- markus@cvs.openbsd.org 2001/01/19 16:48:14
[sshd.8]
fix typo; from stevesk@
- markus@cvs.openbsd.org 2001/01/19 16:50:58
[ssh-dss.c]
clear and free digest, make consistent with other code (use dlen); from
stevesk@
- markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus
[auth-options.c auth-options.h auth-rsa.c auth2.c]
pass the filename to auth_parse_options()
- markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001
[readconf.c]
fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com
- stevesk@cvs.openbsd.org 2001/01/20 18:20:29
[sshconnect2.c]
dh_new_group() does not return NULL. ok markus@
- markus@cvs.openbsd.org 2001/01/20 21:33:42
[ssh-add.c]
do not loop forever if askpass does not exist; from
andrew@pimlott.ne.mediaone.net
- djm@cvs.openbsd.org 2001/01/20 23:00:56
[servconf.c]
Check for NULL return from strdelim; ok markus
- djm@cvs.openbsd.org 2001/01/20 23:02:07
[readconf.c]
KNF; ok markus
- jakob@cvs.openbsd.org 2001/01/21 9:00:33
[ssh-keygen.1]
remove -R flag; ok markus@
- markus@cvs.openbsd.org 2001/01/21 19:05:40
[atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c
auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c
auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c
bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c
cipher.c cli.c clientloop.c clientloop.h compat.c compress.c
deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c
key.c key.h log-client.c log-server.c log.c log.h login.c login.h
match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c
readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h
session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c
ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h
sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h
ttysmodes.c uidswap.c xmalloc.c]
split ssh.h and try to cleanup the #include mess. remove unnecessary
#includes. rename util.[ch] -> misc.[ch]
- (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree
- (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve
conflict when compiling for non-kerb install
- (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes
on 1/19.
20010120
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/19 12:45:26
[ssh-chall.c servconf.c servconf.h ssh.h sshd.c]
only auth-chall.c needs #ifdef SKEY
- (bal) Slight auth2-pam.c clean up.
- (bal) Includes a fake-regexp.h to be only used if regcomp() is found,
but no 'regexp.h' found (SCO OpenServer 3 lacks the header).
20010119
- (djm) Update versions in RPM specfiles
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/18 16:20:21
[log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h
sshd.8 sshd.c]
log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many
systems
- markus@cvs.openbsd.org 2001/01/18 16:59:59
[auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c
session.h sshconnect1.c]
1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.
- markus@cvs.openbsd.org 2001/01/18 17:12:43
[auth-chall.c auth2-chall.c]
rename *-skey.c *-chall.c since the files are not skey specific
- (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai <nalin@redhat.com>)
to fix NULL pointer deref and fake authloop breakage in PAM code.
- (bal) Updated contrib/cygwin/ by Corinna Vinschen <vinschen@redhat.com>
- (bal) Minor cygwin patch to auth1.c. Suggested by djm.
20010118
- (bal) Super Sized OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/11 22:14:20 GMT 2001 by markus
[sshd.c]
maxfd+1
- markus@cvs.openbsd.org 2001/01/13 17:59:18
[ssh-keygen.1]
small ssh-keygen manpage cleanup; stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:03:07
[scp.c ssh-keygen.c sshd.c]
getopt() returns -1 not EOF; stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:06:54
[ssh-keyscan.c]
use SSH_DEFAULT_PORT; from stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:12:47
[ssh-keyscan.c]
free() -> xfree(); fix memory leak; from stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:14:13
[ssh-add.c]
typo, from stevesk@sweden.hp.com
- markus@cvs.openbsd.org 2001/01/13 18:32:50
[packet.c session.c ssh.c sshconnect.c sshd.c]
split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
- markus@cvs.openbsd.org 2001/01/13 18:36:45
[packet.c packet.h]
reorder, typo
- markus@cvs.openbsd.org 2001/01/13 18:38:00
[auth-options.c]
fix comment
- markus@cvs.openbsd.org 2001/01/13 18:43:31
[session.c]
Wall
- markus@cvs.openbsd.org 2001/01/13 19:14:08
[clientloop.h clientloop.c ssh.c]
move callback to headerfile
- markus@cvs.openbsd.org 2001/01/15 21:40:10
[ssh.c]
use log() instead of stderr
- markus@cvs.openbsd.org 2001/01/15 21:43:51
[dh.c]
use error() not stderr!
- markus@cvs.openbsd.org 2001/01/15 21:45:29
[sftp-server.c]
rename must fail if newpath exists, debug off by default
- markus@cvs.openbsd.org 2001/01/15 21:46:38
[sftp-server.c]
readable long listing for sftp-server, ok deraadt@
- markus@cvs.openbsd.org 2001/01/16 19:20:06
[key.c ssh-rsa.c]
make "ssh-rsa" key format for ssh2 confirm to the ietf-drafts; from
galb@vandyke.com. note that you have to delete older ssh2-rsa keys,
since they are in the wrong format, too. they must be removed from
.ssh/authorized_keys2 and .ssh/known_hosts2, etc.
(cd; grep -v ssh-rsa .ssh/authorized_keys2 > TMP && mv TMP
.ssh/authorized_keys2) additionally, we now check that
BN_num_bits(rsa->n) >= 768.
- markus@cvs.openbsd.org 2001/01/16 20:54:27
[sftp-server.c]
remove some statics. simpler handles; idea from nisse@lysator.liu.se
- deraadt@cvs.openbsd.org 2001/01/16 23:58:08
[bufaux.c radix.c sshconnect.h sshconnect1.c]
indent
- (bal) Added bsd-strmode.[ch] since some non-OpenBSD platforms may
be missing such feature.
20010117
- (djm) Only write random seed file at exit
- (djm) Make PAM support optional, enable with --with-pam
- (djm) Try to use libcrypt on Linux, but link it after OpenSSL (which
provides a crypt() of its own)
- (djm) Avoid a warning in bsd-bindresvport.c
- (djm) Try to avoid adding -I/usr/include to CPPFLAGS during SSL tests. This
can cause weird segfaults errors on Solaris
- (djm) Avoid warning in PAM code by making read_passphrase arguments const
- (djm) Add --with-pam to RPM spec files
20010115
- (bal) sftp-server.c change to use chmod() if fchmod() does not exist.
- (bal) utimes() support via utime() interface on machine that lack utimes().
20010114
- (stevesk) initial work for OpenBSD "support supplementary group in
{Allow,Deny}Groups" patch:
- import getgrouplist.c from OpenBSD (bsd-getgrouplist.c)
- add bsd-getgrouplist.h
- new files groupaccess.[ch]
- build but don't use yet (need to merge auth.c changes)
- (stevesk) complete:
- markus@cvs.openbsd.org 2001/01/13 11:56:48
[auth.c sshd.8]
support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com
20010112
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/10 22:56:22
[bufaux.h bufaux.c sftp-server.c sftp.h getput.h]
cleanup sftp-server implementation:
add buffer_get_int64, buffer_put_int64, GET_64BIT, PUT_64BIT
parse SSH2_FILEXFER_ATTR_EXTENDED
send SSH2_FX_EOF if readdir returns no more entries
reply to SSH2_FXP_EXTENDED message
use #defines from the draft
move #definations to sftp.h
more info:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt
- markus@cvs.openbsd.org 2001/01/10 19:43:20
[sshd.c]
XXX - generate_empheral_server_key() is not safe against races,
because it calls log()
- markus@cvs.openbsd.org 2001/01/09 21:19:50
[packet.c]
allow TCP_NDELAY for ipv6; from netbsd via itojun@
20010110
- (djm) SNI/Reliant Unix needs USE_PIPES and $DISPLAY hack. Report from
Bladt Norbert <Norbert.Bladt@adi.ch>
20010109
- (bal) Resync CVS ID of cli.c
- (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE
code.
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/08 22:29:05
[auth2.c compat.c compat.h servconf.c servconf.h sshd.8
sshd_config version.h]
implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).
- markus@cvs.openbsd.org 2001/01/08 22:03:23
[channels.c ssh-keyscan.c]
O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/08 21:55:41
[sshconnect1.c]
more cleanups and fixes from stevesk@pobox.com:
1) try_agent_authentication() for loop will overwrite key just
allocated with key_new(); don't alloc
2) call ssh_close_authentication_connection() before exit
try_agent_authentication()
3) free mem on bad passphrase in try_rsa_authentication()
- markus@cvs.openbsd.org 2001/01/08 21:48:17
[kex.c]
missing free; thanks stevesk@pobox.com
- (bal) Detect if clock_t structure exists, if not define it.
- (bal) Detect if O_NONBLOCK exists, if not define it.
- (bal) removed news4-posix.h (now empty)
- (bal) changed bsd-bindresvport.c and bsd-rresvport.c to use 'socklen_t'
instead of 'int'
- (stevesk) sshd_config: sync
- (stevesk) defines.h: remove spurious ``;''
20010108
- (bal) Fixed another typo in cli.c
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/07 21:26:55
[cli.c]
typo
- markus@cvs.openbsd.org 2001/01/07 21:26:55
[cli.c]
missing free, stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/07 19:06:25
[auth1.c]
missing free, stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/07 11:28:04
[log-client.c log-server.c log.c readconf.c servconf.c ssh.1
ssh.h sshd.8 sshd.c]
rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE
- Updated TODO
20010107
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/06 11:23:27
[ssh-rsa.c]
remove unused
- itojun@cvs.openbsd.org 2001/01/05 08:23:29
[ssh-keyscan.1]
missing .El
- markus@cvs.openbsd.org 2001/01/04 22:41:03
[session.c sshconnect.c]
consistent use of _PATH_BSHELL; from stevesk@pobox.com
- djm@cvs.openbsd.org 2001/01/04 22:35:32
[ssh.1 sshd.8]
Mention AES as available SSH2 Cipher; ok markus
- markus@cvs.openbsd.org 2001/01/04 22:25:58
[sshd.c]
sync usage()/man with defaults; from stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/04 22:21:26
[sshconnect2.c]
handle SSH2_MSG_USERAUTH_BANNER; fixes bug when connecting to a server
that prints a banner (e.g. /etc/issue.net)
20010105
- (bal) contrib/caldera/ provided by Tim Rice <tim@multitalents.net>
- (bal) bsd-getcwd.c and bsd-setenv.c changed from bcopy() to memmove()
20010104
- (djm) Fix memory leak on systems with BROKEN_GETADDRINFO. Based on
work by Chris Vaughan <vaughan99@yahoo.com>
20010103
- (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD
tree (mainly positioning)
- (bal) OpenSSH CVS Update
- markus@cvs.openbsd.org 2001/01/02 20:41:02
[packet.c]
log remote ip on disconnect; PR 1600 from jcs@rt.fm
- markus@cvs.openbsd.org 2001/01/02 20:50:56
[sshconnect.c]
strict_host_key_checking for host_status != HOST_CHANGED &&
ip_status == HOST_CHANGED
- (bal) authfile.c: Synced CVS ID tag
- (bal) UnixWare 2.0 fixes by Tim Rice <tim@multitalents.net>
- (bal) Disable sftp-server if no 64bit int support exists. Based on
patch by Tim Rice <tim@multitalents.net>
- (bal) Makefile.in changes to uninstall: target to remove sftp-server
and sftp-server.8 manpage.
20010102
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2001/01/01 14:52:49
[scp.c]
use shared fatal(); from stevesk@pobox.com
20001231
- (bal) Reverted out of MAXHOSTNAMELEN. This should be set per OS.
for multiple reasons.
- (bal) Reverted out of a partial NeXT patch.
20001230
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2000/12/28 18:58:30
[ssh-keygen.c]
enable 'ssh-keygen -l -f ~/.ssh/{authorized_keys,known_hosts}{,2}
- markus@cvs.openbsd.org 2000/12/29 22:19:13
[channels.c]
missing xfree; from vaughan99@yahoo.com
- (bal) Resynced CVS ID with OpenBSD for channel.c and uidswap.c
- (bal) if no MAXHOSTNAMELEN is defined. Default to 64 character defination.
Suggested by Christian Kurz <shorty@debian.org>
- (bal) Add in '.c.o' section to Makefile.in to address make programs that
don't honor CPPFLAGS by default. Suggested by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
20001229
- (bal) Fixed spelling of 'authorized_keys' in ssh-copy-id.1 by Christian
Kurz <shorty@debian.org>
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2000/12/28 14:25:51
[auth.h auth2.c]
count authentication failures only
- markus@cvs.openbsd.org 2000/12/28 14:25:03
[sshconnect.c]
fingerprint for MITM attacks, too.
- markus@cvs.openbsd.org 2000/12/28 12:03:57
[sshd.8 sshd.c]
document -D
- markus@cvs.openbsd.org 2000/12/27 14:19:21
[serverloop.c]
less chatty
- markus@cvs.openbsd.org 2000/12/27 12:34
[auth1.c sshconnect2.c sshd.c]
typo
- markus@cvs.openbsd.org 2000/12/27 12:30:19
[readconf.c readconf.h ssh.1 sshconnect.c]
new option: HostKeyAlias: allow the user to record the host key
under a different name. This is useful for ssh tunneling over
forwarded connections or if you run multiple sshd's on different
ports on the same machine.
- markus@cvs.openbsd.org 2000/12/27 11:51:53
[ssh.1 ssh.c]
multiple -t force pty allocation, document ORIGINAL_COMMAND
- markus@cvs.openbsd.org 2000/12/27 11:41:31
[sshd.8]
update for ssh-2
- (stevesk) compress.[ch] sync with openbsd; missed in prototype
fix merge.
20001228
- (bal) Patch to add libutil.h to loginrec.c only if the platform has
libutil.h. Suggested by Pekka Savola <pekka@netcore.fi>
- (djm) Update to new x11-askpass in RPM spec
- (bal) SCO patch to not include <sys/queue.h> since it's unrelated
header. Patch by Tim Rice <tim@multitalents.net>
- Updated TODO w/ known HP/UX issue
- (bal) removed extra <netdb.h> noticed by Kevin Steves and removed the
bad reference to 'NeXT including it else were' on the #ifdef version.
20001227
- (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by
Takumi Yamane <yamtak@b-session.com>
- (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch
by Corinna Vinschen <vinschen@redhat.com>
- (djm) Fix catman-do target for non-bash
- (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by
Takumi Yamane <yamtak@b-session.com>
- (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch
by Corinna Vinschen <vinschen@redhat.com>
- (djm) Fix catman-do target for non-bash
- (bal) Fixed NeXT's lack of CPPFLAGS honoring.
- (bal) ssh-keyscan.c: NeXT (and older BSDs) don't support getrlimit() w/
'RLIMIT_NOFILE'
- (djm) Remove *.Ylonen files. They are no longer in the OpenBSD tree,
the info in COPYING.Ylonen has been moved to the start of each
SSH1-derived file and README.Ylonen is well out of date.
20001223
- (bal) Fixed Makefile.in to support recompile of all ssh and sshd objects
if a change to config.h has occurred. Suggested by Gert Doering
<gert@greenie.muc.de>
- (bal) OpenBSD CVS Update:
- markus@cvs.openbsd.org 2000/12/22 16:49:40
[ssh-keygen.c]
fix ssh-keygen -x -t type > file; from Roumen.Petrov@skalasoft.com
20001222
- Updated RCSID for pty.c
- (bal) OpenBSD CVS Updates:
- markus@cvs.openbsd.org 2000/12/21 15:10:16
[auth-rh-rsa.c hostfile.c hostfile.h sshconnect.c]
print keyfile:line for changed hostkeys, for deraadt@, ok deraadt@
- markus@cvs.openbsd.org 2000/12/20 19:26:56
[authfile.c]
allow ssh -i userkey for root
- markus@cvs.openbsd.org 2000/12/20 19:37:21
[authfd.c authfd.h kex.c sshconnect2.c sshd.c uidswap.c uidswap.h]
fix prototypes; from stevesk@pobox.com
- markus@cvs.openbsd.org 2000/12/20 19:32:08
[sshd.c]
init pointer to NULL; report from Jan.Ivan@cern.ch
- markus@cvs.openbsd.org 2000/12/19 23:17:54
[auth-krb4.c auth-options.c auth-options.h auth-rhosts.c auth-rsa.c
auth1.c auth2-skey.c auth2.c authfd.c authfd.h authfile.c bufaux.c
bufaux.h buffer.c canohost.c channels.c clientloop.c compress.c
crc32.c deattack.c getput.h hmac.c hmac.h hostfile.c kex.c kex.h
key.c key.h log.c login.c match.c match.h mpaux.c mpaux.h packet.c
packet.h radix.c readconf.c rsa.c scp.c servconf.c servconf.h
serverloop.c session.c sftp-server.c ssh-agent.c ssh-dss.c ssh-dss.h
ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh-rsa.h ssh.c ssh.h uuencode.c
uuencode.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c]
replace 'unsigned bla' with 'u_bla' everywhere. also replace 'char
unsigned' with u_char.
20001221
- (stevesk) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/19 15:43:45
[authfile.c channels.c sftp-server.c ssh-agent.c]
remove() -> unlink() for consistency
- markus@cvs.openbsd.org 2000/12/19 15:48:09
[ssh-keyscan.c]
replace <ssl/x.h> with <openssl/x.h>
- markus@cvs.openbsd.org 2000/12/17 02:33:40
[uidswap.c]
typo; from wsanchez@apple.com
20001220
- (djm) Workaround PAM inconsistencies between Solaris derived PAM code
and Linux-PAM. Based on report and fix from Andrew Morgan
<morgan@transmeta.com>
20001218
- (stevesk) rsa.c: entropy.h not needed.
- (bal) split CFLAGS into CFLAGS and CPPFLAGS in configure.in and Makefile.
Suggested by Wilfredo Sanchez <wsanchez@apple.com>
20001216
- (stevesk) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/16 02:53:57
[scp.c]
allow + in usernames; request from Florian.Weimer@RUS.Uni-Stuttgart.DE
- markus@cvs.openbsd.org 2000/12/16 02:39:57
[scp.c]
unused; from stevesk@pobox.com
20001215
- (stevesk) Old OpenBSD patch wasn't completely applied:
- markus@cvs.openbsd.org 2000/01/24 22:11:20
[scp.c]
allow '.' in usernames; from jedgar@fxp.org
- (stevesk) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/13 16:26:53
[ssh-keyscan.c]
fatal already adds \n; from stevesk@pobox.com
- markus@cvs.openbsd.org 2000/12/13 16:25:44
[ssh-agent.c]
remove redundant spaces; from stevesk@pobox.com
- ho@cvs.openbsd.org 2000/12/12 15:50:21
[pty.c]
When failing to set tty owner and mode on a read-only filesystem, don't
abort if the tty already has correct owner and reasonably sane modes.
Example; permit 'root' to login to a firewall with read-only root fs.
(markus@ ok)
- deraadt@cvs.openbsd.org 2000/12/13 06:36:05
[pty.c]
KNF
- markus@cvs.openbsd.org 2000/12/12 14:45:21
[sshd.c]
source port < 1024 is no longer required for rhosts-rsa since it
adds no additional security.
- markus@cvs.openbsd.org 2000/12/12 16:11:49
[ssh.1 ssh.c]
rhosts-rsa is no longer automagically disabled if ssh is not privileged.
UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
these changes should not change the visible default behaviour of the ssh client.
- deraadt@cvs.openbsd.org 2000/12/11 10:27:33
[scp.c]
when copying 0-sized files, do not re-print ETA time at completion
- provos@cvs.openbsd.org 2000/12/15 10:30:15
[kex.c kex.h sshconnect2.c sshd.c]
compute diffie-hellman in parallel between server and client. okay markus@
20001213
- (djm) Make sure we reset the SIGPIPE disposition after we fork. Report
from Andreas M. Kirchwitz <amk@krell.zikzak.de>
- (stevesk) OpenBSD CVS update:
- markus@cvs.openbsd.org 2000/12/12 15:30:02
[ssh-keyscan.c ssh.c sshd.c]
consistently use __progname; from stevesk@pobox.com
20001211
- (bal) Applied patch to include ssh-keyscan into Redhat's package, and
patch to install ssh-keyscan manpage. Patch by Pekka Savola
<pekka@netcore.fi>
- (bal) OpenbSD CVS update
- markus@cvs.openbsd.org 2000/12/10 17:01:53
[sshconnect1.c]
always request new challenge for skey/tis-auth, fixes interop with
other implementations; report from roth@feep.net
20001210
- (bal) OpenBSD CVS updates
- markus@cvs.openbsd.org 2000/12/09 13:41:51
[cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h]
undo rijndael changes
- markus@cvs.openbsd.org 2000/12/09 13:48:31
[rijndael.c]
fix byte order bug w/o introducing new implementation
- markus@cvs.openbsd.org 2000/12/09 14:08:27
[sftp-server.c]
"" -> "." for realpath; from vinschen@redhat.com
- markus@cvs.openbsd.org 2000/12/09 14:06:54
[ssh-agent.c]
extern int optind; from stevesk@sweden.hp.com
- provos@cvs.openbsd.org 2000/12/09 23:51:11
[compat.c]
remove unnecessary '\n'
20001209
- (bal) OpenBSD CVS updates:
- djm@cvs.openbsd.org 2000/12/07 4:24:59
[ssh.1]
Typo fix from Wilfredo Sanchez <wsanchez@apple.com>; ok theo
20001207
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/06 22:58:14
[compat.c compat.h packet.c]
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
- markus@cvs.openbsd.org 2000/12/06 23:10:39
[rijndael.c]
unexpand(1)
- markus@cvs.openbsd.org 2000/12/06 23:05:43
[cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h]
new rijndael implementation. fixes endian bugs
20001206
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/05 20:34:09
[channels.c channels.h clientloop.c serverloop.c]
async connects for -R/-L; ok deraadt@
- todd@cvs.openssh.org 2000/12/05 16:47:28
[sshd.c]
tweak comment to reflect real location of pid file; ok provos@
- (stevesk) Import <sys/queue.h> from OpenBSD for systems that don't
have it (used in ssh-keyscan).
- (stevesk) OpenBSD CVS update:
- markus@cvs.openbsd.org 2000/12/06 19:57:48
[ssh-keyscan.c]
err(3) -> internal error(), from stevesk@sweden.hp.com
20001205
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/04 19:24:02
[ssh-keyscan.c ssh-keyscan.1]
David Maziere's ssh-keyscan, ok niels@
- (bal) Updated Makefile.in to include ssh-keyscan that was just added
to the recent OpenBSD source tree.
- (stevesk) fix typos in contrib/hpux/README
20001204
- (bal) More C functions defined in NeXT that are unaccessable without
defining -POSIX.
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/03 11:29:04
[compat.c]
remove fallback to SSH_BUG_HMAC now that the drafts are updated
- markus@cvs.openbsd.org 2000/12/03 11:27:55
[compat.c]
correctly match "2.1.0.pl2 SSH" etc; from
pekkas@netcore.fi/bugzilla.redhat
- markus@cvs.openbsd.org 2000/12/03 11:15:03
[auth2.c compat.c compat.h sshconnect2.c]
support f-secure/ssh.com 2.0.12; ok niels@
20001203
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/11/30 22:54:31
[channels.c]
debug->warn if tried to do -R style fwd w/o client requesting this;
ok neils@
- markus@cvs.openbsd.org 2000/11/29 20:39:17
[cipher.c]
des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV
- markus@cvs.openbsd.org 2000/11/30 18:33:05
[ssh-agent.c]
agents must not dump core, ok niels@
- markus@cvs.openbsd.org 2000/11/30 07:04:02
[ssh.1]
T is for both protocols
- markus@cvs.openbsd.org 2000/12/01 00:00:51
[ssh.1]
typo; from green@FreeBSD.org
- markus@cvs.openbsd.org 2000/11/30 07:02:35
[ssh.c]
check -T before isatty()
- provos@cvs.openbsd.org 2000/11/29 13:51:27
[sshconnect.c]
show IP address and hostname when new key is encountered. okay markus@
- markus@cvs.openbsd.org 2000/11/30 22:53:35
[sshconnect.c]
disable agent/x11/port fwding if hostkey has changed; ok niels@
- marksu@cvs.openbsd.org 2000/11/29 21:11:59
[sshd.c]
sshd -D, startup w/o deamon(), for monitoring scripts or inittab;
from handler@sub-rosa.com and eric@urbanrange.com; ok niels@
- (djm) Added patch from Nalin Dahyabhai <nalin@redhat.com> to enable
PAM authentication using KbdInteractive.
- (djm) Added another TODO
20001202
- (bal) Backed out of part of Alain St-Denis' loginrec.c patch.
- (bal) Irix need some sort of mansubdir, patch by Michael Stone
<mstone@cs.loyola.edu>
20001129
- (djm) Back out all the serverloop.c hacks. sshd will now hang again
if there are background children with open fds.
- (djm) bsd-rresvport.c bzero -> memset
- (djm) Don't fail in defines.h on absence of 64 bit types (we will
still fail during compilation of sftp-server).
- (djm) Fail if ar is not found during configure
- (djm) OpenBSD CVS updates:
- provos@cvs.openbsd.org 2000/11/22 08:38:31
[sshd.8]
talk about /etc/primes, okay markus@
- markus@cvs.openbsd.org 2000/11/23 14:03:48
[ssh.c sshconnect1.c sshconnect2.c]
complain about invalid ciphers for ssh1/ssh2, fall back to reasonable
defaults
- markus@cvs.openbsd.org 2000/11/25 09:42:53
[sshconnect1.c]
reorder check for illegal ciphers, bugreport from espie@
- markus@cvs.openbsd.org 2000/11/25 10:19:34
[ssh-keygen.c ssh.h]
print keytype when generating a key.
reasonable defaults for RSA1/RSA/DSA keys.
- (djm) Patch from Pekka Savola <Pekka.Savola@netcore.fi> to include a few
more manpage paths in fixpaths calls
- (djm) Also add xauth path at Pekka's suggestion.
- (djm) Add Redhat RPM patch for AUTHPRIV SyslogFacility
20001125
- (djm) Give up privs when reading seed file
20001123
- (bal) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/15 22:31:36
[auth-options.c]
case insensitive key options; from stevesk@sweeden.hp.com
- markus@cvs.openbsd.org 2000/11/16 17:55:43
[dh.c]
do not use perror() in sshd, after child is forked()
- markus@cvs.openbsd.org 2000/11/14 23:42:40
[auth-rsa.c]
parse option only if key matches; fix some confusing seen by the client
- markus@cvs.openbsd.org 2000/11/14 23:44:19
[session.c]
check no_agent_forward_flag for ssh-2, too
- markus@cvs.openbsd.org 2000/11/15
[ssh-agent.1]
reorder SYNOPSIS; typo, use .It
- markus@cvs.openbsd.org 2000/11/14 23:48:55
[ssh-agent.c]
do not reorder keys if a key is removed
- markus@cvs.openbsd.org 2000/11/15 19:58:08
[ssh.c]
just ignore non existing user keys
- millert@cvs.openbsd.org 200/11/15 20:24:43
[ssh-keygen.c]
Add missing \n at end of error message.
20001122
- (bal) Minor patch to ensure platforms lacking IRIX job limit supports
are compilable.
- (bal) Updated TODO as of 11/18/2000 with known things to resolve.
20001117
- (bal) Changed from 'primes' to 'primes.out' for consistancy sake. It
has no affect the output. Patch by Corinna Vinschen <vinschen@redhat.com>
- (stevesk) Reworked progname support.
- (bal) Misplaced #include "includes.h" in bsd-setproctitle.c. Patch by
Shinichi Maruyama <marya@st.jip.co.jp>
20001116
- (bal) Added in MAXSYMLINK test in bsd-realpath.c. Required for some SCO
releases.
- (bal) Make builds work outside of source tree. Patch by Mark D. Roth
<roth@feep.net>
20001113
- (djm) Add pointer to http://www.imasy.or.jp/~gotoh/connect.c to
contrib/README
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
- (djm) Fix RPM spec file stupidity
- (djm) fixpaths to DSA and RSA keys too
20001112
- (bal) SCO Patch to add needed libraries for configure.in. Patch by
Phillips Porch <root@theporch.com>
- (bal) IRIX patch to adding Job Limits. Patch by Denis Parker
<dcp@sgi.com>
- (stevesk) pty.c: HP-UX 10 and 11 don't define TIOCSCTTY. Add error() to
failed ioctl(TIOCSCTTY) call.
20001111
- (djm) Added /etc/primes for kex DH group neg, fixup Makefile.in and
packaging files
- (djm) Fix new Makefile.in warnings
- (djm) Fix vsprintf("%h") in bsd-snprintf.c, short int va_args are
promoted to type int. Report and fix from Dan Astoorian
<djast@cs.toronto.edu>
- (djm) Hardwire sysconfdir in RPM spec files as some RPM versions get
it wrong. Report from Bennett Todd <bet@rahul.net>
20001110
- (bal) Fixed dropped answer from skey_keyinfo() in auth1.c
- (bal) Changed from --with-skey to --with-skey=PATH in configure.in
- (bal) Added in check to verify S/Key library is being detected in
configure.in
- (bal) next-posix.h - added another prototype wrapped in POSIX ifdef/endif.
Patch by Mark Miller <markm@swoon.net>
- (bal) Added 'util.h' header to loginrec.c only if HAVE_UTIL_H is defined
to remove warnings under MacOS X. Patch by Mark Miller <markm@swoon.net>
- (bal) Fixed LDFLAG mispelling in configure.in for --with-afs
20001107
- (bal) acconfig.in - removed the double "USE_PIPES" entry. Patch by
Mark Miller <markm@swoon.net>
- (bal) sshd.init files corrected to assign $? to RETVAL. Patch by
Jarno Huuskonen <jhuuskon@messi.uku.fi>
- (bal) fixpaths fixed to stop it from quitely failing. Patch by
Mark D. Roth <roth@feep.net>
20001106
- (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs
- (djm) Manually fix up missed diff hunks (mainly RCS idents)
- (djm) Remove UPGRADING document in favour of a link to the better
maintained FAQ on www.openssh.com
- (djm) Fix multiple dependancy on gnome-libs from Pekka Savola
<pekkas@netcore.fi>
- (djm) Don't need X11-askpass in RPM spec file if building without it
from Pekka Savola <pekkas@netcore.fi>
- (djm) Release 2.3.0p1
- (bal) typo in configure.in in regards to --with-ldflags from Marko
Asplund <aspa@kronodoc.fi>
- (bal) fixed next-posix.h. Forgot prototype of getppid().
