as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
and /etc/sshd.conf is old (and I assume some configurations from
there don't apply any more), user and group are not created
automatically (only if PKG_CREATE_USERGROUP is at default YES),
UsePrivilegeSeparation is the default, and seems to imply that
openssh is insecure without it.
Bump PKGREVISION.
Change comment regarding MESSAGE.Interix.
Removed unused MESSAGE_SUBST settings. Move one to the options.mk
as it is for "pam" only.
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
and extra pam file was not included in +CONTENTS.
So moved the include of options.mk to after the PLIST_SRC and
MESSAGE_SRC are defined as empty.
(MESSAGE_SRC is redefined if Interix and if PAM PKG_OPTION was enabled
then this still needs to be fixed.)
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
*before* a BSD-with-advertising license was added to their diffs, and other
work done personally by me.
sshd now works. Most permissions checks work properly. Privsep is off by
default, and the sshd user is not created, on Interix until some problems
with privsep are fixed (perhaps by abstracting the auth functionality out
to openpam).
It includes the correct buildlink3.mk file from either Linux-PAM
(security/PAM) or OpenPAM (security/openpam) and eventually will
support solaris-pam. pam.buildlink3.mk will:
* set PAMBASE to the base directory of the PAM files;
* set PAM_TYPE to the PAM implementation used.
There are two variables that can be used to tweak the selection of
the PAM implementation:
PAM_DEFAULT is a user-settable variable whose value is the default
PAM implementation to use.
PAM_ACCEPTED is a package-settable list of PAM implementations
that may be used by the package.
Modify most packages that include PAM/buildlink3.mk to include
pam.buildlink3.mk instead.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
hpn-patch kerberos PAM (only Linux)
The hpn-patch option uses the patch available in:
http://www.psc.edu/networking/projects/hpn-ssh/ to enable high performance
connections.
Also use VARBASE intead of hardcoding /var.
Bump PKGREVISION.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should
use keys specified in ssh_config, rather than any keys in ssh-agent(1)
* Make sshd(8) re-execute itself on accepting a new connection. This security
measure ensures that all execute-time randomisations are reapplied for each
connection rather than once, for the master process' lifetime. This includes
mmap and malloc mappings, shared library addressing, shared library mapping
order, ProPolice and StackGhost cookies on systems that support such things
* Add strict permission and ownership checks to programs reading ~/.ssh/config
NB ssh(1) will now exit instead of trying to process a config with poor
ownership or permissions
* Implemented the ability to pass selected environment variables between the
client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in
ssh_config(5) for details
* Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum
number of authentication attempts permitted per connection
* Added support for cancellation of active remote port forwarding sessions.
This may be performed using the ~C escape character, see "Escape Characters"
in ssh(1) for details
* Many sftp(1) interface improvements, including greatly enhanced "ls" support
and the ability to cancel active transfers using SIGINT (^C)
* Implement session multiplexing: a single ssh(1) connection can now carry
multiple login/command/file transfer sessions. Refer to the "ControlMaster"
and "ControlPath" options in ssh_config(5) for more information
* The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)
* Portable OpenSSH: Re-introduce support for PAM password authentication, in
addition to the keyboard-interactive driver. PAM password authentication
is less flexible, and doesn't support pre-authentication password expiry but
runs in-process so Kerberos tokens, etc are retained
* Improved and more extensive regression tests
* Many bugfixes and small improvements
It says to use "pseudo-device rnd" kernel configuration.
TODO: if the above instructions are fine for other
operating systems with /dev/urandom then add.
faults, and haven't tracked down why yet.
No allow PAM authentication if Linux (and USE_PAM is defined).
This will close my 20846 PR from March 2003.
Also, install the contrib/sshd.pam.generic file as the example
sshd.pam instead of the FreeBSD version, but this okay since
it was commented out in the first place.
TODO: test the PAM support on other platforms and allow
if USE_PAM is defined.
well. Bump the PKGREVISION.
XXX The right fix is to create a autoconf check for the number of args
XXX that skeychallenge takes and do the right thing accordingly.
Finish buildlink3 changes.
Obscure LOCALBASE path so that base system compilers dont match the
prefix otherwise compiler.mk then wants to build the pkgsrc gcc
package. (ick)
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
don't know why this didn't originally work as it should, but I've
just tested it with gcc3 and Forte 8 on Solaris and I couldn't make
it fail.
fixes coredump problem on Solaris observed by some, and also
PR pkg/23120 from Alex Gerasimoff.
bump PKGREVISION to differentiate between broken and unbroken
package.
Most important chcanges: security relevant bug fixes in new PAM authentication code
Changes since OpenSSH 3.7.1p1:
==============================
* This release disables PAM by default. To enable it, set "UsePAM yes" in
sshd_config. Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend that PAM
be left disabled in sshd_config unless there is a need for its use.
Sites using only public key or simple password authentication usually
have little need to enable PAM support.
* This release now requires zlib 1.1.4 to build correctly. Previous
versions have security problems.
* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
are not supported for older OpenSSL versions.
* Fix compilation problems on systems with a missing or lacking inet_ntoa()
function.
* Workaround problems related to unimplemented or broken setresuid/setreuid
functions on several platforms.
* Fix compilation on older OpenBSD systems.
* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
that has not worked since the 3.7p1 release.
# OpenSSH 3.7x currently does *not* work on IRIX!
# To compile, we would need to remove the extraneous inclusion of the
# ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though
# sshd will not work: It seems the connection is closed by the daemon
# when it tries to spawn off a child to handle the incoming connection
#
# If you need the latest security patches for your openssh, I'm afraid you'll
# have to apply them by hand to the 3.6.1p2 version.
(Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed
automatically?)
Large number of changes since 3.6.1p2, the most pertinent being:
* do not expand buffer before attempting to reallocate it (buffer.c)
note that NetBSD-current already includes this fix.
other changes include:
* portability fixes
* regression test fixes
* add GSSAPI support and remove kerberos support from ssh1, retaining
kerberos passwd auth for ssh1 and 2
* man page fixes
* general bug fixes
see the ChangeLog for full details.
just setting BUILDLINK_DEPENDS.openssl. USE_OPENSSL_VERSION wasn't
actually needed here anyway since the minimum version allowed by
openssl/buildlink2.mk exceeded the version requested here.
USE_PKGINSTALL is "YES". bsd.pkg.install.mk will no longer automatically
pick up a INSTALL/DEINSTALL script in the package directory and assume that
you want it for the corresponding *_EXTRA_TMPL variable.
was commented out because it didn't work with recent openssh, is now fiexed
and commented back in). This support is conditional on ${KERBEROS} being
set, and currently enables support for both kerberos 4 and 5. This should
be refined.
This has been tested and confirmed on -current and 1.6. Testing on other
platforms (if any? solaris?) in which we support kerberos in pkgsrc should
be done.
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
- (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- (djm) Fix blibpath specification for AIX/gcc
- (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
(This last fix makes this compile on IRIX again.)
relevant changes are > 500 lines, see
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
Personal selection:
rekeying bugfixes and automatic rekeying
bandwidth limitation (scp -l)
Add a -t life option to ssh-agent that set the default lifetime.
The default can still be overriden by using -t in ssh-add.
sftp progress meter support.
allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
[scp.c]
1) include stalling time in total time
2) truncate filenames to 45 instead of 20 characters
3) print rate instead of progress bar, no more stars
4) scale output to tty width
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
Also mark this package as conflicting with ssh2 package.
Changes:
20021003
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/10/01 20:34:12
[ssh-agent.c]
allow root to access the agent, since there is no protection from root.
- markus@cvs.openbsd.org 2002/10/01 13:24:50
[version.h]
OpenSSH 3.5
- (djm) Bump RPM spec version numbers
- (djm) Bug #406 s/msg_send/ssh_msh_send/ for Mac OS X 1.2
20020930
- (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs,
tweak README
- (djm) OpenBSD CVS Sync
- mickey@cvs.openbsd.org 2002/09/27 10:42:09
[compat.c compat.h sshd.c]
add a generic match for a prober, such as sie big brother;
idea from stevesk@; markus@ ok
- stevesk@cvs.openbsd.org 2002/09/27 15:46:21
[ssh.1]
clarify compression level protocol 1 only; ok markus@ deraadt@
20020927
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/25 11:17:16
[sshd_config]
sync LoginGraceTime with default
- markus@cvs.openbsd.org 2002/09/25 15:19:02
[sshd.c]
typo; pilot@monkey.org
- markus@cvs.openbsd.org 2002/09/26 11:38:43
[auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h]
krb4 + privsep; ok dugsong@, deraadt@
20020925
- (bal) Fix issue where successfull login does not clear failure counts
in AIX. Patch by dtucker@zip.com.au ok by djm
- (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray.
This does not include the deattack.c fixes.
20020923
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/23 20:46:27
[canohost.c]
change get_peer_ipaddr() and get_local_ipaddr() to not return NULL for
non-sockets; fixes a problem passing NULL to snprintf(). ok markus@
- markus@cvs.openbsd.org 2002/09/23 22:11:05
[monitor.c]
only call auth_krb5 if kerberos is enabled; ok deraadt@
- markus@cvs.openbsd.org 2002/09/24 08:46:04
[monitor.c]
only call kerberos code for authctxt->valid
- todd@cvs.openbsd.org 2002/09/24 20:59:44
[sshd.8]
tweak the example $HOME/.ssh/rc script to not show on any cmdline the
sensitive data it handles. This fixes bug # 402 as reported by
kolya@mit.edu (Nickolai Zeldovich).
ok markus@ and stevesk@
20020923
- (tim) [configure.ac] s/return/exit/ patch by dtucker@zip.com.au
20020922
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/19 14:53:14
[compat.c]
- markus@cvs.openbsd.org 2002/09/19 15:51:23
[ssh-add.c]
typo; cd@kalkatraz.de
- stevesk@cvs.openbsd.org 2002/09/19 16:03:15
[serverloop.c]
log IP address also; ok markus@
- stevesk@cvs.openbsd.org 2002/09/20 18:41:29
[auth.c]
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@
20020919
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/12 19:11:52
[ssh-agent.c]
%u for uid print; ok markus@
- stevesk@cvs.openbsd.org 2002/09/12 19:50:36
[session.c ssh.1]
add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384. ok markus@
- stevesk@cvs.openbsd.org 2002/09/13 19:23:09
[channels.c sshconnect.c sshd.c]
remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 19:55:33
[session.c]
log when _PATH_NOLOGIN exists; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 20:12:11
[sshd_config.5]
more details on X11Forwarding security issues and threats; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 22:03:13
[sshd.8]
reference moduli(5) in FILES /etc/moduli.
- itojun@cvs.openbsd.org 2002/09/17 07:47:02
[channels.c]
don't quit while creating X11 listening socket.
http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok
- djm@cvs.openbsd.org 2002/09/19 01:58:18
[ssh.c sshconnect.c]
bugzilla.mindrot.org #223 - ProxyCommands don't exit.
Patch from dtucker@zip.com.au; ok markus@
20020912
- (djm) Made GNOME askpass programs return non-zero if cancel button is
pressed.
- (djm) Added getpeereid() replacement. Properly implemented for systems
with SO_PEERCRED support. Faked for systems which lack it.
- (djm) Sync sys/tree.h with OpenBSD -current. Rename tree.h and
fake-queue.h to sys-tree.h and sys-queue.h
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/08 20:24:08
[hostfile.h]
no comma at end of enumerator list
- itojun@cvs.openbsd.org 2002/09/09 06:48:06
[auth1.c auth.h auth-krb5.c monitor.c monitor.h]
[monitor_wrap.c monitor_wrap.h]
kerberos support for privsep. confirmed to work by lha@stacken.kth.se
patch from markus
- markus@cvs.openbsd.org 2002/09/09 14:54:15
[channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c]
signed vs unsigned from -pedantic; ok henning@
- markus@cvs.openbsd.org 2002/09/10 20:24:47
[ssh-agent.c]
check the euid of the connecting process with getpeereid(2);
ok provos deraadt stevesk
- stevesk@cvs.openbsd.org 2002/09/11 17:55:03
[ssh.1]
add agent and X11 forwarding warning text from ssh_config.5; ok markus@
- stevesk@cvs.openbsd.org 2002/09/11 18:27:26
[authfd.c authfd.h ssh.c]
don't connect to agent to test for presence if we've previously
connected; ok markus@
- djm@cvs.openbsd.org 2002/09/11 22:41:50
[sftp.1 sftp-client.c sftp-client.h sftp-common.c sftp-common.h]
[sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c]
support for short/long listings and globbing in "ls"; ok markus@
- djm@cvs.openbsd.org 2002/09/12 00:13:06
[sftp-int.c]
zap unused var introduced in last commit
20020911
- (djm) Sync openbsd-compat with OpenBSD -current
20020910
- (djm) Bug #365: Read /.ssh/environment properly under CygWin.
Patch from Mark Bradshaw <bradshaw@staff.crosswalk.com>
- (djm) Bug #138: Make protocol 1 blowfish work with old OpenSSL.
Patch from Robert Halubek <rob@adso.com.pl>
20020905
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/04 18:52:42
[servconf.c sshd.8 sshd_config.5]
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@
- (djm) Merge openssh-TODO.patch from Redhat (null) beta
- (djm) Add gnome-ssh-askpass2.c (gtk2) by merge with patch from
Nalin Dahyabhai <nalin@redhat.com>
- (djm) Add support for building gtk2 password requestor from Redhat beta
20020903
- (djm) Patch from itojun@ for Darwin OS: test getaddrinfo, reorder libcrypt
- (djm) Fix Redhat RPM build dependancy test
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/08/12 10:46:35
[ssh-agent.c]
make ssh-agent setgid, disallow ptrace.
- espie@cvs.openbsd.org 2002/08/21 11:20:59
[sshd.8]
`RSA' updated to refer to `public key', where it matters.
okay markus@
- stevesk@cvs.openbsd.org 2002/08/21 19:38:06
[servconf.c sshd.8 sshd_config sshd_config.5]
change LoginGraceTime default to 1 minute; ok mouring@ markus@
- stevesk@cvs.openbsd.org 2002/08/21 20:10:28
[ssh-agent.c]
raise listen backlog; ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 19:27:53
[ssh-agent.c]
use common close function; ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 19:38:42
[clientloop.c]
format with current EscapeChar; bugzilla #388 from wknox@mitre.org.
ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 20:57:19
[ssh-agent.c]
shutdown(SHUT_RDWR) not needed before close here; ok markus@
- markus@cvs.openbsd.org 2002/08/22 21:33:58
[auth1.c auth2.c]
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
- markus@cvs.openbsd.org 2002/08/22 21:45:41
[session.c]
send signal name (not signal number) in "exit-signal" message; noticed
by galb@vandyke.com
- stevesk@cvs.openbsd.org 2002/08/27 17:13:56
[ssh-rsa.c]
RSA_public_decrypt() returns -1 on error so len must be signed;
ok markus@
- stevesk@cvs.openbsd.org 2002/08/27 17:18:40
[ssh_config.5]
some warning text for ForwardAgent and ForwardX11; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 15:57:25
[monitor.c session.c sshlogin.c sshlogin.h]
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org>
NOTE: there are also p-specific parts to this patch. ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 16:02:54
[ssh.1 ssh.c]
deprecate -P as UsePrivilegedPort defaults to no now; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 16:09:02
[ssh_config.5]
more on UsePrivilegedPort and setuid root; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 19:49:42
[ssh.c]
shrink initial privilege bracket for setuid case; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 22:54:10
[ssh_config.5 sshd_config.5]
state XAuthLocation is a full pathname
20020820
- OpenBSD CVS Sync
- millert@cvs.openbsd.org 2002/08/02 14:43:15
[monitor.c monitor_mm.c]
Change mm_zalloc() sanity checks to be more in line with what
we do in calloc() and add a check to monitor_mm.c.
OK provos@ and markus@
- marc@cvs.openbsd.org 2002/08/02 16:00:07
[ssh.1 sshd.8]
note that .ssh/environment is only read when
allowed (PermitUserEnvironment in sshd_config).
OK markus@
- markus@cvs.openbsd.org 2002/08/02 21:23:41
[ssh-rsa.c]
diff is u_int (2x); ok deraadt/provos
- markus@cvs.openbsd.org 2002/08/02 22:20:30
[ssh-rsa.c]
replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parser
for authentication; ok deraadt/djm
- aaron@cvs.openbsd.org 2002/08/08 13:50:23
[sshconnect1.c]
Use & to test if bits are set, not &&; markus@ ok.
- stevesk@cvs.openbsd.org 2002/08/08 23:54:52
[auth.c]
typo in comment
- stevesk@cvs.openbsd.org 2002/08/09 17:21:42
[sshd_config.5]
use Op for mdoc conformance; from esr@golux.thyrsus.com
ok aaron@
- stevesk@cvs.openbsd.org 2002/08/09 17:41:12
[sshd_config.5]
proxy vs. fake display
- stevesk@cvs.openbsd.org 2002/08/12 17:30:35
[ssh.1 sshd.8 sshd_config.5]
more PermitUserEnvironment; ok markus@
- stevesk@cvs.openbsd.org 2002/08/17 23:07:14
[ssh.1]
ForwardAgent has defaulted to no for over 2 years; be more clear here.
- stevesk@cvs.openbsd.org 2002/08/17 23:55:01
[ssh_config.5]
ordered list here
- (bal) [defines.h] Some platforms don't have SIZE_T_MAX. So assign
it to ULONG_MAX.
20020813
- (tim) [configure.ac] Display OpenSSL header/library version.
Patch by dtucker@zip.com.au
20020731
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/07/24 16:11:18
[hostfile.c hostfile.h sshconnect.c]
print out all known keys for a host if we get a unknown host key,
see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4
the ssharp mitm tool attacks users in a similar way, so i'd like to
pointed out again:
A MITM attack is always possible if the ssh client prints:
The authenticity of host 'bla' can't be established.
(protocol version 2 with pubkey authentication allows you to detect
MITM attacks)
- mouring@cvs.openbsd.org 2002/07/25 01:16:59
[sftp.c]
FallBackToRsh does not exist anywhere else. Remove it from here.
OK deraadt.
- markus@cvs.openbsd.org 2002/07/29 18:57:30
[sshconnect.c]
print file:line
- markus@cvs.openbsd.org 2002/07/30 17:03:55
[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
add PermitUserEnvironment (off by default!); from dot@dotat.at;
ok provos, deraadt
20020730
- (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de
20020728
- (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar
- (stevesk) [CREDITS] solar
- (stevesk) [ssh-rand-helper.c] RAND_bytes() and SHA1_Final() unsigned
char arg.
20020725
- (djm) Remove some cruft from INSTALL
- (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/
20020723
- (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger.
- (bal) sync ID w/ ssh-agent.c
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2002/07/19 15:43:33
[log.c log.h session.c sshd.c]
remove fatal cleanups after fork; based on discussions with and code
from solar.
- stevesk@cvs.openbsd.org 2002/07/19 17:42:40
[ssh.c]
display a warning from ssh when XAuthLocation does not exist or xauth
returned no authentication data. ok markus@
- stevesk@cvs.openbsd.org 2002/07/21 18:32:20
[auth-options.c]
unneeded includes
- stevesk@cvs.openbsd.org 2002/07/21 18:34:43
[auth-options.h]
remove invalid comment
- markus@cvs.openbsd.org 2002/07/22 11:03:06
[session.c]
fallback to _PATH_STDPATH on setusercontext+LOGIN_SETPATH errors;
- stevesk@cvs.openbsd.org 2002/07/22 17:32:56
[monitor.c]
u_int here; ok provos@
- stevesk@cvs.openbsd.org 2002/07/23 16:03:10
[sshd.c]
utmp_len is unsigned; display error consistent with other options.
ok markus@
- stevesk@cvs.openbsd.org 2002/07/15 17:15:31
[uidswap.c]
little more debugging; ok markus@
20020722
- (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk
- (stevesk) [xmmap.c] missing prototype for fatal()
- (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync
with Cray (mostly #ifdef renaming). Patch by wendyp@cray.com.
- (bal) [configure.ac] Missing ;; from cray patch.
- (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines
into it's own header.
- (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be
freed by the caller; add free_pam_environment() and use it.
- (stevesk) [auth-pam.c] typo in comment
20020721
- (stevesk) [auth-pam.c] merge cosmetic changes from solar's
openssh-3.4p1-owl-password-changing.diff
- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
- (stevesk) [auth-pam.c] cast to avoid initialization type mismatch
warning on pam_conv struct conversation function.
- (stevesk) [auth-pam.h] license
- (stevesk) [auth-pam.h] unneeded include
- (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h
20020720
- (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
20020719
- (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed.
Patch by dtucker@zip.com.au
- (tim) [configure.ac] test for libxnet on HP. Patch by dtucker@zip.com.au
20020718
- (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org
- (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported
by ayamura@ayamura.org
- (tim) [configure.ac] Bug 267 rework int64_t test.
- (tim) [includes.h] Bug 267 add stdint.h
20020717
- (bal) aixbff package updated by dtucker@zip.com.au
- (tim) [configure.ac] change how we do paths in AC_PATH_PROGS tests
for autoconf 2.53. Based on a patch by jrj@purdue.edu
20020716
- (tim) [contrib/solaris/opensshd.in] Only kill sshd if .pid file found
20020715
- (bal) OpenBSD CVS Sync
- itojun@cvs.openbsd.org 2002/07/12 13:29:09
[sshconnect.c]
print connect failure during debugging mode.
- markus@cvs.openbsd.org 2002/07/12 15:50:17
[cipher.c]
EVP_CIPH_CUSTOM_IV for our own rijndael
- (bal) Remove unused tty defined in do_setusercontext() pointed out by
dtucker@zip.com.au plus a a more KNF since I am near it.
- (bal) Privsep user creation support in Solaris buildpkg.sh by
dtucker@zip.com.au
20020714
- (tim) [Makefile.in] replace "id sshd" with "sshd -t"
- (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c
openbsd-compat/Makefile.in] support compression on platforms that
have no/broken MAP_ANON. Moved code to openbsd-compat/xmmap.c
Based on patch from nalin@redhat.com of code extracted from Owl's package
- (tim) [ssh_prng_cmds.in] Bug 323 arp -n flag doesn't exist under Solaris.
report by chris@by-design.net
- (tim) [loginrec.c] Bug 347: Fix typo (WTMPX_FILE) report by rodney@bond.net
- (tim) [loginrec.c] Bug 348: add missing found = 1; to wtmpx_islogin()
report by rodney@bond.net
20020712
- (tim) [Makefile.in] quiet down install-files: and check-user:
- (tim) [configure.ac] remove unused filepriv line
20020710
- (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions
on /var/empty to 755 Patch by vinschen@redhat.com
- (bal) OpenBSD CVS Sync
- itojun@cvs.openbsd.org 2002/07/09 11:56:50
[sshconnect.c]
silently try next address on connect(2). markus ok
- itojun@cvs.openbsd.org 2002/07/09 11:56:27
[canohost.c]
suppress log on reverse lookup failiure, as there's no real value in
doing so.
markus ok
- itojun@cvs.openbsd.org 2002/07/09 12:04:02
[sshconnect.c]
ed static function (less warnings)
- stevesk@cvs.openbsd.org 2002/07/09 17:46:25
[sshd_config.5]
clarify no preference ordering in protocol list; ok markus@
- itojun@cvs.openbsd.org 2002/07/10 10:28:15
[sshconnect.c]
bark if all connection attempt fails.
- deraadt@cvs.openbsd.org 2002/07/10 17:53:54
[rijndael.c]
use right sizeof in memcpy; markus ok
20020709
- (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms
lacking that concept can share it. Patch by vinschen@redhat.com
20020708
- (tim) [openssh/contrib/solaris/buildpkg.sh] add PKG_INSTALL_ROOT to
work in a jumpstart environment. patch by kbrint@rufus.net
- (tim) [Makefile.in] workaround for broken pakadd on some systems.
- (tim) [configure.ac] fix libc89 utimes test. Mention default path for
--with-privsep-path=
20020707
- (tim) [Makefile.in] use umask instead of chmod on $(PRIVSEP_PATH)
- (tim) [acconfig.h configure.ac sshd.c]
s/BROKEN_FD_PASSING/DISABLE_FD_PASSING/
- (tim) [contrib/cygwin/ssh-host-config] sshd account creation fixes
patch from vinschen@redhat.com
- (bal) [realpath.c] Updated with OpenBSD tree.
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/07/04 04:15:33
[key.c monitor_wrap.c sftp-glob.c ssh-dss.c ssh-rsa.c]
patch memory leaks; grendel@zeitbombe.org
- deraadt@cvs.openbsd.org 2002/07/04 08:12:15
[channels.c packet.c]
blah blah minor nothing as i read and re-read and re-read...
- markus@cvs.openbsd.org 2002/07/04 10:41:47
[key.c monitor_wrap.c ssh-dss.c ssh-rsa.c]
don't allocate, copy, and discard if there is not interested in the data;
ok deraadt@
- deraadt@cvs.openbsd.org 2002/07/06 01:00:49
[log.c]
KNF
- deraadt@cvs.openbsd.org 2002/07/06 01:01:26
[ssh-keyscan.c]
KNF, realloc fix, and clean usage
- stevesk@cvs.openbsd.org 2002/07/06 17:47:58
[ssh-keyscan.c]
unused variable
- (bal) Minor KNF on ssh-keyscan.c
20020705
- (tim) [configure.ac] AIX 4.2.1 has authenticate() in libs.
Reported by Darren Tucker <dtucker@zip.com.au>
- (tim) [contrib/cygwin/ssh-host-config] double slash corrction
from vinschen@redhat.com
20020704
- (bal) Limit data to TTY for AIX only (Newer versions can't handle the
faster data rate) Bug #124
- (bal) glob.c defines TILDE and AIX also defines it. #undef it first.
bug #265
- (bal) One too many nulls in ports-aix.c
20020703
- (bal) Updated contrib/cygwin/ patch by vinschen@redhat.com
- (bal) minor correction to utimes() replacement. Patch by
onoe@sm.sony.co.jp
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/27 08:49:44
[dh.c ssh-keyscan.c sshconnect.c]
more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@
- deraadt@cvs.openbsd.org 2002/06/27 09:08:00
[monitor.c]
improve mm_zalloc check; markus ok
- deraadt@cvs.openbsd.org 2002/06/27 10:35:47
[auth2-none.c monitor.c sftp-client.c]
use xfree()
- stevesk@cvs.openbsd.org 2002/06/27 19:49:08
[ssh-keyscan.c]
use convtime(); ok markus@
- millert@cvs.openbsd.org 2002/06/28 01:49:31
[monitor_mm.c]
tree(3) wants an int return value for its compare functions and
the difference between two pointers is not an int. Just do the
safest thing and store the result in a long and then return 0,
-1, or 1 based on that result.
- deraadt@cvs.openbsd.org 2002/06/28 01:50:37
[monitor_wrap.c]
use ssize_t
- deraadt@cvs.openbsd.org 2002/06/28 10:08:25
[sshd.c]
range check -u option at invocation
- deraadt@cvs.openbsd.org 2002/06/28 23:05:06
[sshd.c]
gidset[2] -> gidset[1]; markus ok
- deraadt@cvs.openbsd.org 2002/06/30 21:54:16
[auth2.c session.c sshd.c]
lint asks that we use names that do not overlap
- deraadt@cvs.openbsd.org 2002/06/30 21:59:45
[auth-bsdauth.c auth-skey.c auth2-chall.c clientloop.c key.c
monitor_wrap.c monitor_wrap.h scard.h session.h sftp-glob.c ssh.c
sshconnect2.c sshd.c]
minor KNF
- deraadt@cvs.openbsd.org 2002/07/01 16:15:25
[msg.c]
%u
- markus@cvs.openbsd.org 2002/07/01 19:48:46
[sshconnect2.c]
for compression=yes, we fallback to no-compression if the server does
not support compression, vice versa for compression=no. ok mouring@
- markus@cvs.openbsd.org 2002/07/03 09:55:38
[ssh-keysign.c]
use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@
- markus@cvs.openbsd.org 2002/07/03 14:21:05
[ssh-keysign.8 ssh-keysign.c ssh.c ssh_config]
re-enable ssh-keysign's sbit, but make ssh-keysign read
/etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled
globally. based on discussions with deraadt, itojun and sommerfeld;
ok itojun@
- (bal) Failed password attempts don't increment counter on AIX. Bug #145
- (bal) Missed Makefile.in change. keysign needs readconf.o
- (bal) Clean up aix_usrinfo(). Ignore TTY= period I guess.
20020702
- (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc &
friends consistently. Spotted by Solar Designer <solar@openwall.com>
20020629
- (bal) fix to auth2-pam.c to swap fatal() arguments, A bit of style
clean up while I'm near it.
20020628
- (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented
options should contain default value. from solar.
- (bal) Cygwin uid0 fix by vinschen@redhat.com
- (bal) s/config.h/includes.h/ in openbsd-compat/ for *.c. Otherwise wise
have issues of our fixes not propogating right (ie bcopy instead of
memmove). OK tim
- (bal) FreeBSD needs <sys/types.h> to detect if mmap() is supported.
Bug #303
20020627
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/06/26 14:49:36
[monitor.c]
correct %u
- deraadt@cvs.openbsd.org 2002/06/26 14:50:04
[monitor_fdpass.c]
use ssize_t for recvmsg() and sendmsg() return
- markus@cvs.openbsd.org 2002/06/26 14:51:33
[ssh-add.c]
fix exit code for -X/-x
- deraadt@cvs.openbsd.org 2002/06/26 15:00:32
[monitor_wrap.c]
more %u
- markus@cvs.openbsd.org 2002/06/26 22:27:32
[ssh-keysign.c]
bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu
OPENSSH_USER
OPENSSH_UID
OPENSSH_GROUP
OPENSSH_GID
OPENSSH_CHROOT
Use these to automatically create user/group if they do not already
exist. Assists platforms which do not have an 'sshd' user by default,
while adding flexibility for NetBSD systems.
Checked by Stoned Elipot <seb@netbsd.org>.
libcrypt-before-libcrypto into a section that is protected by something
we can set in the configure script (check_for_libcrypt_before). This
should fix the latter part of pkg/18091 by grant beattie.
/var/run directory, tmpfs is mounted on /var/run by default.
/var/run does not exist by default on Solaris 7, but some daemons
appear to make use of it after it is created (eg. syslogd).
installs the binaries directly in /usr and places the manpages and example
files in the correct hier(7) locations. We don't register installation in
this case because the package database can't handle it. We deal with the
ssh config files and directories as follows:
NetBSD-1.5.* use /etc/ssh_config, /etc/sshd_config
NetBSD-1.6 use /etc/ssh/ssh_config, /etc/ssh/sshd_config
We also emit a warning in the MESSAGE file that /etc/ssh.conf and
/etc/sshd.conf should be renamed in order to keep using them. Lastly,
there is a new target "tarball" to generate a tarball of the installed
files that might be used to install quickly on many machines, though it
may be only of limited utility.
These changes are only active if UPDATE_INTREE_OPENSSH is defined.
