in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should
use keys specified in ssh_config, rather than any keys in ssh-agent(1)
* Make sshd(8) re-execute itself on accepting a new connection. This security
measure ensures that all execute-time randomisations are reapplied for each
connection rather than once, for the master process' lifetime. This includes
mmap and malloc mappings, shared library addressing, shared library mapping
order, ProPolice and StackGhost cookies on systems that support such things
* Add strict permission and ownership checks to programs reading ~/.ssh/config
NB ssh(1) will now exit instead of trying to process a config with poor
ownership or permissions
* Implemented the ability to pass selected environment variables between the
client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in
ssh_config(5) for details
* Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum
number of authentication attempts permitted per connection
* Added support for cancellation of active remote port forwarding sessions.
This may be performed using the ~C escape character, see "Escape Characters"
in ssh(1) for details
* Many sftp(1) interface improvements, including greatly enhanced "ls" support
and the ability to cancel active transfers using SIGINT (^C)
* Implement session multiplexing: a single ssh(1) connection can now carry
multiple login/command/file transfer sessions. Refer to the "ControlMaster"
and "ControlPath" options in ssh_config(5) for more information
* The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)
* Portable OpenSSH: Re-introduce support for PAM password authentication, in
addition to the keyboard-interactive driver. PAM password authentication
is less flexible, and doesn't support pre-authentication password expiry but
runs in-process so Kerberos tokens, etc are retained
* Improved and more extensive regression tests
* Many bugfixes and small improvements
It says to use "pseudo-device rnd" kernel configuration.
TODO: if the above instructions are fine for other
operating systems with /dev/urandom then add.
faults, and haven't tracked down why yet.
No allow PAM authentication if Linux (and USE_PAM is defined).
This will close my 20846 PR from March 2003.
Also, install the contrib/sshd.pam.generic file as the example
sshd.pam instead of the FreeBSD version, but this okay since
it was commented out in the first place.
TODO: test the PAM support on other platforms and allow
if USE_PAM is defined.
well. Bump the PKGREVISION.
XXX The right fix is to create a autoconf check for the number of args
XXX that skeychallenge takes and do the right thing accordingly.
Finish buildlink3 changes.
Obscure LOCALBASE path so that base system compilers dont match the
prefix otherwise compiler.mk then wants to build the pkgsrc gcc
package. (ick)
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
don't know why this didn't originally work as it should, but I've
just tested it with gcc3 and Forte 8 on Solaris and I couldn't make
it fail.
fixes coredump problem on Solaris observed by some, and also
PR pkg/23120 from Alex Gerasimoff.
bump PKGREVISION to differentiate between broken and unbroken
package.
Most important chcanges: security relevant bug fixes in new PAM authentication code
Changes since OpenSSH 3.7.1p1:
==============================
* This release disables PAM by default. To enable it, set "UsePAM yes" in
sshd_config. Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend that PAM
be left disabled in sshd_config unless there is a need for its use.
Sites using only public key or simple password authentication usually
have little need to enable PAM support.
* This release now requires zlib 1.1.4 to build correctly. Previous
versions have security problems.
* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
are not supported for older OpenSSL versions.
* Fix compilation problems on systems with a missing or lacking inet_ntoa()
function.
* Workaround problems related to unimplemented or broken setresuid/setreuid
functions on several platforms.
* Fix compilation on older OpenBSD systems.
* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
that has not worked since the 3.7p1 release.
# OpenSSH 3.7x currently does *not* work on IRIX!
# To compile, we would need to remove the extraneous inclusion of the
# ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though
# sshd will not work: It seems the connection is closed by the daemon
# when it tries to spawn off a child to handle the incoming connection
#
# If you need the latest security patches for your openssh, I'm afraid you'll
# have to apply them by hand to the 3.6.1p2 version.
(Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed
automatically?)
Large number of changes since 3.6.1p2, the most pertinent being:
* do not expand buffer before attempting to reallocate it (buffer.c)
note that NetBSD-current already includes this fix.
other changes include:
* portability fixes
* regression test fixes
* add GSSAPI support and remove kerberos support from ssh1, retaining
kerberos passwd auth for ssh1 and 2
* man page fixes
* general bug fixes
see the ChangeLog for full details.
just setting BUILDLINK_DEPENDS.openssl. USE_OPENSSL_VERSION wasn't
actually needed here anyway since the minimum version allowed by
openssl/buildlink2.mk exceeded the version requested here.
USE_PKGINSTALL is "YES". bsd.pkg.install.mk will no longer automatically
pick up a INSTALL/DEINSTALL script in the package directory and assume that
you want it for the corresponding *_EXTRA_TMPL variable.
was commented out because it didn't work with recent openssh, is now fiexed
and commented back in). This support is conditional on ${KERBEROS} being
set, and currently enables support for both kerberos 4 and 5. This should
be refined.
This has been tested and confirmed on -current and 1.6. Testing on other
platforms (if any? solaris?) in which we support kerberos in pkgsrc should
be done.
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
- (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- (djm) Fix blibpath specification for AIX/gcc
- (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
(This last fix makes this compile on IRIX again.)
relevant changes are > 500 lines, see
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
Personal selection:
rekeying bugfixes and automatic rekeying
bandwidth limitation (scp -l)
Add a -t life option to ssh-agent that set the default lifetime.
The default can still be overriden by using -t in ssh-add.
sftp progress meter support.
allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
[scp.c]
1) include stalling time in total time
2) truncate filenames to 45 instead of 20 characters
3) print rate instead of progress bar, no more stars
4) scale output to tty width
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
Also mark this package as conflicting with ssh2 package.
Changes:
20021003
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/10/01 20:34:12
[ssh-agent.c]
allow root to access the agent, since there is no protection from root.
- markus@cvs.openbsd.org 2002/10/01 13:24:50
[version.h]
OpenSSH 3.5
- (djm) Bump RPM spec version numbers
- (djm) Bug #406 s/msg_send/ssh_msh_send/ for Mac OS X 1.2
20020930
- (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs,
tweak README
- (djm) OpenBSD CVS Sync
- mickey@cvs.openbsd.org 2002/09/27 10:42:09
[compat.c compat.h sshd.c]
add a generic match for a prober, such as sie big brother;
idea from stevesk@; markus@ ok
- stevesk@cvs.openbsd.org 2002/09/27 15:46:21
[ssh.1]
clarify compression level protocol 1 only; ok markus@ deraadt@
20020927
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/25 11:17:16
[sshd_config]
sync LoginGraceTime with default
- markus@cvs.openbsd.org 2002/09/25 15:19:02
[sshd.c]
typo; pilot@monkey.org
- markus@cvs.openbsd.org 2002/09/26 11:38:43
[auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h]
krb4 + privsep; ok dugsong@, deraadt@
20020925
- (bal) Fix issue where successfull login does not clear failure counts
in AIX. Patch by dtucker@zip.com.au ok by djm
- (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray.
This does not include the deattack.c fixes.
20020923
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/23 20:46:27
[canohost.c]
change get_peer_ipaddr() and get_local_ipaddr() to not return NULL for
non-sockets; fixes a problem passing NULL to snprintf(). ok markus@
- markus@cvs.openbsd.org 2002/09/23 22:11:05
[monitor.c]
only call auth_krb5 if kerberos is enabled; ok deraadt@
- markus@cvs.openbsd.org 2002/09/24 08:46:04
[monitor.c]
only call kerberos code for authctxt->valid
- todd@cvs.openbsd.org 2002/09/24 20:59:44
[sshd.8]
tweak the example $HOME/.ssh/rc script to not show on any cmdline the
sensitive data it handles. This fixes bug # 402 as reported by
kolya@mit.edu (Nickolai Zeldovich).
ok markus@ and stevesk@
20020923
- (tim) [configure.ac] s/return/exit/ patch by dtucker@zip.com.au
20020922
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/19 14:53:14
[compat.c]
- markus@cvs.openbsd.org 2002/09/19 15:51:23
[ssh-add.c]
typo; cd@kalkatraz.de
- stevesk@cvs.openbsd.org 2002/09/19 16:03:15
[serverloop.c]
log IP address also; ok markus@
- stevesk@cvs.openbsd.org 2002/09/20 18:41:29
[auth.c]
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@
20020919
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/12 19:11:52
[ssh-agent.c]
%u for uid print; ok markus@
- stevesk@cvs.openbsd.org 2002/09/12 19:50:36
[session.c ssh.1]
add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384. ok markus@
- stevesk@cvs.openbsd.org 2002/09/13 19:23:09
[channels.c sshconnect.c sshd.c]
remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 19:55:33
[session.c]
log when _PATH_NOLOGIN exists; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 20:12:11
[sshd_config.5]
more details on X11Forwarding security issues and threats; ok markus@
- stevesk@cvs.openbsd.org 2002/09/16 22:03:13
[sshd.8]
reference moduli(5) in FILES /etc/moduli.
- itojun@cvs.openbsd.org 2002/09/17 07:47:02
[channels.c]
don't quit while creating X11 listening socket.
http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok
- djm@cvs.openbsd.org 2002/09/19 01:58:18
[ssh.c sshconnect.c]
bugzilla.mindrot.org #223 - ProxyCommands don't exit.
Patch from dtucker@zip.com.au; ok markus@
20020912
- (djm) Made GNOME askpass programs return non-zero if cancel button is
pressed.
- (djm) Added getpeereid() replacement. Properly implemented for systems
with SO_PEERCRED support. Faked for systems which lack it.
- (djm) Sync sys/tree.h with OpenBSD -current. Rename tree.h and
fake-queue.h to sys-tree.h and sys-queue.h
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/08 20:24:08
[hostfile.h]
no comma at end of enumerator list
- itojun@cvs.openbsd.org 2002/09/09 06:48:06
[auth1.c auth.h auth-krb5.c monitor.c monitor.h]
[monitor_wrap.c monitor_wrap.h]
kerberos support for privsep. confirmed to work by lha@stacken.kth.se
patch from markus
- markus@cvs.openbsd.org 2002/09/09 14:54:15
[channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c]
signed vs unsigned from -pedantic; ok henning@
- markus@cvs.openbsd.org 2002/09/10 20:24:47
[ssh-agent.c]
check the euid of the connecting process with getpeereid(2);
ok provos deraadt stevesk
- stevesk@cvs.openbsd.org 2002/09/11 17:55:03
[ssh.1]
add agent and X11 forwarding warning text from ssh_config.5; ok markus@
- stevesk@cvs.openbsd.org 2002/09/11 18:27:26
[authfd.c authfd.h ssh.c]
don't connect to agent to test for presence if we've previously
connected; ok markus@
- djm@cvs.openbsd.org 2002/09/11 22:41:50
[sftp.1 sftp-client.c sftp-client.h sftp-common.c sftp-common.h]
[sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c]
support for short/long listings and globbing in "ls"; ok markus@
- djm@cvs.openbsd.org 2002/09/12 00:13:06
[sftp-int.c]
zap unused var introduced in last commit
20020911
- (djm) Sync openbsd-compat with OpenBSD -current
20020910
- (djm) Bug #365: Read /.ssh/environment properly under CygWin.
Patch from Mark Bradshaw <bradshaw@staff.crosswalk.com>
- (djm) Bug #138: Make protocol 1 blowfish work with old OpenSSL.
Patch from Robert Halubek <rob@adso.com.pl>
20020905
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/04 18:52:42
[servconf.c sshd.8 sshd_config.5]
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@
- (djm) Merge openssh-TODO.patch from Redhat (null) beta
- (djm) Add gnome-ssh-askpass2.c (gtk2) by merge with patch from
Nalin Dahyabhai <nalin@redhat.com>
- (djm) Add support for building gtk2 password requestor from Redhat beta
20020903
- (djm) Patch from itojun@ for Darwin OS: test getaddrinfo, reorder libcrypt
- (djm) Fix Redhat RPM build dependancy test
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/08/12 10:46:35
[ssh-agent.c]
make ssh-agent setgid, disallow ptrace.
- espie@cvs.openbsd.org 2002/08/21 11:20:59
[sshd.8]
`RSA' updated to refer to `public key', where it matters.
okay markus@
- stevesk@cvs.openbsd.org 2002/08/21 19:38:06
[servconf.c sshd.8 sshd_config sshd_config.5]
change LoginGraceTime default to 1 minute; ok mouring@ markus@
- stevesk@cvs.openbsd.org 2002/08/21 20:10:28
[ssh-agent.c]
raise listen backlog; ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 19:27:53
[ssh-agent.c]
use common close function; ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 19:38:42
[clientloop.c]
format with current EscapeChar; bugzilla #388 from wknox@mitre.org.
ok markus@
- stevesk@cvs.openbsd.org 2002/08/22 20:57:19
[ssh-agent.c]
shutdown(SHUT_RDWR) not needed before close here; ok markus@
- markus@cvs.openbsd.org 2002/08/22 21:33:58
[auth1.c auth2.c]
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
- markus@cvs.openbsd.org 2002/08/22 21:45:41
[session.c]
send signal name (not signal number) in "exit-signal" message; noticed
by galb@vandyke.com
- stevesk@cvs.openbsd.org 2002/08/27 17:13:56
[ssh-rsa.c]
RSA_public_decrypt() returns -1 on error so len must be signed;
ok markus@
- stevesk@cvs.openbsd.org 2002/08/27 17:18:40
[ssh_config.5]
some warning text for ForwardAgent and ForwardX11; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 15:57:25
[monitor.c session.c sshlogin.c sshlogin.h]
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org>
NOTE: there are also p-specific parts to this patch. ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 16:02:54
[ssh.1 ssh.c]
deprecate -P as UsePrivilegedPort defaults to no now; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 16:09:02
[ssh_config.5]
more on UsePrivilegedPort and setuid root; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 19:49:42
[ssh.c]
shrink initial privilege bracket for setuid case; ok markus@
- stevesk@cvs.openbsd.org 2002/08/29 22:54:10
[ssh_config.5 sshd_config.5]
state XAuthLocation is a full pathname
20020820
- OpenBSD CVS Sync
- millert@cvs.openbsd.org 2002/08/02 14:43:15
[monitor.c monitor_mm.c]
Change mm_zalloc() sanity checks to be more in line with what
we do in calloc() and add a check to monitor_mm.c.
OK provos@ and markus@
- marc@cvs.openbsd.org 2002/08/02 16:00:07
[ssh.1 sshd.8]
note that .ssh/environment is only read when
allowed (PermitUserEnvironment in sshd_config).
OK markus@
- markus@cvs.openbsd.org 2002/08/02 21:23:41
[ssh-rsa.c]
diff is u_int (2x); ok deraadt/provos
- markus@cvs.openbsd.org 2002/08/02 22:20:30
[ssh-rsa.c]
replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parser
for authentication; ok deraadt/djm
- aaron@cvs.openbsd.org 2002/08/08 13:50:23
[sshconnect1.c]
Use & to test if bits are set, not &&; markus@ ok.
- stevesk@cvs.openbsd.org 2002/08/08 23:54:52
[auth.c]
typo in comment
- stevesk@cvs.openbsd.org 2002/08/09 17:21:42
[sshd_config.5]
use Op for mdoc conformance; from esr@golux.thyrsus.com
ok aaron@
- stevesk@cvs.openbsd.org 2002/08/09 17:41:12
[sshd_config.5]
proxy vs. fake display
- stevesk@cvs.openbsd.org 2002/08/12 17:30:35
[ssh.1 sshd.8 sshd_config.5]
more PermitUserEnvironment; ok markus@
- stevesk@cvs.openbsd.org 2002/08/17 23:07:14
[ssh.1]
ForwardAgent has defaulted to no for over 2 years; be more clear here.
- stevesk@cvs.openbsd.org 2002/08/17 23:55:01
[ssh_config.5]
ordered list here
- (bal) [defines.h] Some platforms don't have SIZE_T_MAX. So assign
it to ULONG_MAX.
20020813
- (tim) [configure.ac] Display OpenSSL header/library version.
Patch by dtucker@zip.com.au
20020731
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/07/24 16:11:18
[hostfile.c hostfile.h sshconnect.c]
print out all known keys for a host if we get a unknown host key,
see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4
the ssharp mitm tool attacks users in a similar way, so i'd like to
pointed out again:
A MITM attack is always possible if the ssh client prints:
The authenticity of host 'bla' can't be established.
(protocol version 2 with pubkey authentication allows you to detect
MITM attacks)
- mouring@cvs.openbsd.org 2002/07/25 01:16:59
[sftp.c]
FallBackToRsh does not exist anywhere else. Remove it from here.
OK deraadt.
- markus@cvs.openbsd.org 2002/07/29 18:57:30
[sshconnect.c]
print file:line
- markus@cvs.openbsd.org 2002/07/30 17:03:55
[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
add PermitUserEnvironment (off by default!); from dot@dotat.at;
ok provos, deraadt
20020730
- (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de
20020728
- (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar
- (stevesk) [CREDITS] solar
- (stevesk) [ssh-rand-helper.c] RAND_bytes() and SHA1_Final() unsigned
char arg.
20020725
- (djm) Remove some cruft from INSTALL
- (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/
20020723
- (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger.
- (bal) sync ID w/ ssh-agent.c
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2002/07/19 15:43:33
[log.c log.h session.c sshd.c]
remove fatal cleanups after fork; based on discussions with and code
from solar.
- stevesk@cvs.openbsd.org 2002/07/19 17:42:40
[ssh.c]
display a warning from ssh when XAuthLocation does not exist or xauth
returned no authentication data. ok markus@
- stevesk@cvs.openbsd.org 2002/07/21 18:32:20
[auth-options.c]
unneeded includes
- stevesk@cvs.openbsd.org 2002/07/21 18:34:43
[auth-options.h]
remove invalid comment
- markus@cvs.openbsd.org 2002/07/22 11:03:06
[session.c]
fallback to _PATH_STDPATH on setusercontext+LOGIN_SETPATH errors;
- stevesk@cvs.openbsd.org 2002/07/22 17:32:56
[monitor.c]
u_int here; ok provos@
- stevesk@cvs.openbsd.org 2002/07/23 16:03:10
[sshd.c]
utmp_len is unsigned; display error consistent with other options.
ok markus@
- stevesk@cvs.openbsd.org 2002/07/15 17:15:31
[uidswap.c]
little more debugging; ok markus@
20020722
- (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk
- (stevesk) [xmmap.c] missing prototype for fatal()
- (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync
with Cray (mostly #ifdef renaming). Patch by wendyp@cray.com.
- (bal) [configure.ac] Missing ;; from cray patch.
- (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines
into it's own header.
- (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be
freed by the caller; add free_pam_environment() and use it.
- (stevesk) [auth-pam.c] typo in comment
20020721
- (stevesk) [auth-pam.c] merge cosmetic changes from solar's
openssh-3.4p1-owl-password-changing.diff
- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
- (stevesk) [auth-pam.c] cast to avoid initialization type mismatch
warning on pam_conv struct conversation function.
- (stevesk) [auth-pam.h] license
- (stevesk) [auth-pam.h] unneeded include
- (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h
20020720
- (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
20020719
- (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed.
Patch by dtucker@zip.com.au
- (tim) [configure.ac] test for libxnet on HP. Patch by dtucker@zip.com.au
20020718
- (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org
- (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported
by ayamura@ayamura.org
- (tim) [configure.ac] Bug 267 rework int64_t test.
- (tim) [includes.h] Bug 267 add stdint.h
20020717
- (bal) aixbff package updated by dtucker@zip.com.au
- (tim) [configure.ac] change how we do paths in AC_PATH_PROGS tests
for autoconf 2.53. Based on a patch by jrj@purdue.edu
20020716
- (tim) [contrib/solaris/opensshd.in] Only kill sshd if .pid file found
20020715
- (bal) OpenBSD CVS Sync
- itojun@cvs.openbsd.org 2002/07/12 13:29:09
[sshconnect.c]
print connect failure during debugging mode.
- markus@cvs.openbsd.org 2002/07/12 15:50:17
[cipher.c]
EVP_CIPH_CUSTOM_IV for our own rijndael
- (bal) Remove unused tty defined in do_setusercontext() pointed out by
dtucker@zip.com.au plus a a more KNF since I am near it.
- (bal) Privsep user creation support in Solaris buildpkg.sh by
dtucker@zip.com.au
20020714
- (tim) [Makefile.in] replace "id sshd" with "sshd -t"
- (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c
openbsd-compat/Makefile.in] support compression on platforms that
have no/broken MAP_ANON. Moved code to openbsd-compat/xmmap.c
Based on patch from nalin@redhat.com of code extracted from Owl's package
- (tim) [ssh_prng_cmds.in] Bug 323 arp -n flag doesn't exist under Solaris.
report by chris@by-design.net
- (tim) [loginrec.c] Bug 347: Fix typo (WTMPX_FILE) report by rodney@bond.net
- (tim) [loginrec.c] Bug 348: add missing found = 1; to wtmpx_islogin()
report by rodney@bond.net
20020712
- (tim) [Makefile.in] quiet down install-files: and check-user:
- (tim) [configure.ac] remove unused filepriv line
20020710
- (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions
on /var/empty to 755 Patch by vinschen@redhat.com
- (bal) OpenBSD CVS Sync
- itojun@cvs.openbsd.org 2002/07/09 11:56:50
[sshconnect.c]
silently try next address on connect(2). markus ok
- itojun@cvs.openbsd.org 2002/07/09 11:56:27
[canohost.c]
suppress log on reverse lookup failiure, as there's no real value in
doing so.
markus ok
- itojun@cvs.openbsd.org 2002/07/09 12:04:02
[sshconnect.c]
ed static function (less warnings)
- stevesk@cvs.openbsd.org 2002/07/09 17:46:25
[sshd_config.5]
clarify no preference ordering in protocol list; ok markus@
- itojun@cvs.openbsd.org 2002/07/10 10:28:15
[sshconnect.c]
bark if all connection attempt fails.
- deraadt@cvs.openbsd.org 2002/07/10 17:53:54
[rijndael.c]
use right sizeof in memcpy; markus ok
20020709
- (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms
lacking that concept can share it. Patch by vinschen@redhat.com
20020708
- (tim) [openssh/contrib/solaris/buildpkg.sh] add PKG_INSTALL_ROOT to
work in a jumpstart environment. patch by kbrint@rufus.net
- (tim) [Makefile.in] workaround for broken pakadd on some systems.
- (tim) [configure.ac] fix libc89 utimes test. Mention default path for
--with-privsep-path=
20020707
- (tim) [Makefile.in] use umask instead of chmod on $(PRIVSEP_PATH)
- (tim) [acconfig.h configure.ac sshd.c]
s/BROKEN_FD_PASSING/DISABLE_FD_PASSING/
- (tim) [contrib/cygwin/ssh-host-config] sshd account creation fixes
patch from vinschen@redhat.com
- (bal) [realpath.c] Updated with OpenBSD tree.
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/07/04 04:15:33
[key.c monitor_wrap.c sftp-glob.c ssh-dss.c ssh-rsa.c]
patch memory leaks; grendel@zeitbombe.org
- deraadt@cvs.openbsd.org 2002/07/04 08:12:15
[channels.c packet.c]
blah blah minor nothing as i read and re-read and re-read...
- markus@cvs.openbsd.org 2002/07/04 10:41:47
[key.c monitor_wrap.c ssh-dss.c ssh-rsa.c]
don't allocate, copy, and discard if there is not interested in the data;
ok deraadt@
- deraadt@cvs.openbsd.org 2002/07/06 01:00:49
[log.c]
KNF
- deraadt@cvs.openbsd.org 2002/07/06 01:01:26
[ssh-keyscan.c]
KNF, realloc fix, and clean usage
- stevesk@cvs.openbsd.org 2002/07/06 17:47:58
[ssh-keyscan.c]
unused variable
- (bal) Minor KNF on ssh-keyscan.c
20020705
- (tim) [configure.ac] AIX 4.2.1 has authenticate() in libs.
Reported by Darren Tucker <dtucker@zip.com.au>
- (tim) [contrib/cygwin/ssh-host-config] double slash corrction
from vinschen@redhat.com
20020704
- (bal) Limit data to TTY for AIX only (Newer versions can't handle the
faster data rate) Bug #124
- (bal) glob.c defines TILDE and AIX also defines it. #undef it first.
bug #265
- (bal) One too many nulls in ports-aix.c
20020703
- (bal) Updated contrib/cygwin/ patch by vinschen@redhat.com
- (bal) minor correction to utimes() replacement. Patch by
onoe@sm.sony.co.jp
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/27 08:49:44
[dh.c ssh-keyscan.c sshconnect.c]
more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@
- deraadt@cvs.openbsd.org 2002/06/27 09:08:00
[monitor.c]
improve mm_zalloc check; markus ok
- deraadt@cvs.openbsd.org 2002/06/27 10:35:47
[auth2-none.c monitor.c sftp-client.c]
use xfree()
- stevesk@cvs.openbsd.org 2002/06/27 19:49:08
[ssh-keyscan.c]
use convtime(); ok markus@
- millert@cvs.openbsd.org 2002/06/28 01:49:31
[monitor_mm.c]
tree(3) wants an int return value for its compare functions and
the difference between two pointers is not an int. Just do the
safest thing and store the result in a long and then return 0,
-1, or 1 based on that result.
- deraadt@cvs.openbsd.org 2002/06/28 01:50:37
[monitor_wrap.c]
use ssize_t
- deraadt@cvs.openbsd.org 2002/06/28 10:08:25
[sshd.c]
range check -u option at invocation
- deraadt@cvs.openbsd.org 2002/06/28 23:05:06
[sshd.c]
gidset[2] -> gidset[1]; markus ok
- deraadt@cvs.openbsd.org 2002/06/30 21:54:16
[auth2.c session.c sshd.c]
lint asks that we use names that do not overlap
- deraadt@cvs.openbsd.org 2002/06/30 21:59:45
[auth-bsdauth.c auth-skey.c auth2-chall.c clientloop.c key.c
monitor_wrap.c monitor_wrap.h scard.h session.h sftp-glob.c ssh.c
sshconnect2.c sshd.c]
minor KNF
- deraadt@cvs.openbsd.org 2002/07/01 16:15:25
[msg.c]
%u
- markus@cvs.openbsd.org 2002/07/01 19:48:46
[sshconnect2.c]
for compression=yes, we fallback to no-compression if the server does
not support compression, vice versa for compression=no. ok mouring@
- markus@cvs.openbsd.org 2002/07/03 09:55:38
[ssh-keysign.c]
use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@
- markus@cvs.openbsd.org 2002/07/03 14:21:05
[ssh-keysign.8 ssh-keysign.c ssh.c ssh_config]
re-enable ssh-keysign's sbit, but make ssh-keysign read
/etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled
globally. based on discussions with deraadt, itojun and sommerfeld;
ok itojun@
- (bal) Failed password attempts don't increment counter on AIX. Bug #145
- (bal) Missed Makefile.in change. keysign needs readconf.o
- (bal) Clean up aix_usrinfo(). Ignore TTY= period I guess.
20020702
- (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc &
friends consistently. Spotted by Solar Designer <solar@openwall.com>
20020629
- (bal) fix to auth2-pam.c to swap fatal() arguments, A bit of style
clean up while I'm near it.
20020628
- (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented
options should contain default value. from solar.
- (bal) Cygwin uid0 fix by vinschen@redhat.com
- (bal) s/config.h/includes.h/ in openbsd-compat/ for *.c. Otherwise wise
have issues of our fixes not propogating right (ie bcopy instead of
memmove). OK tim
- (bal) FreeBSD needs <sys/types.h> to detect if mmap() is supported.
Bug #303
20020627
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/06/26 14:49:36
[monitor.c]
correct %u
- deraadt@cvs.openbsd.org 2002/06/26 14:50:04
[monitor_fdpass.c]
use ssize_t for recvmsg() and sendmsg() return
- markus@cvs.openbsd.org 2002/06/26 14:51:33
[ssh-add.c]
fix exit code for -X/-x
- deraadt@cvs.openbsd.org 2002/06/26 15:00:32
[monitor_wrap.c]
more %u
- markus@cvs.openbsd.org 2002/06/26 22:27:32
[ssh-keysign.c]
bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu
OPENSSH_USER
OPENSSH_UID
OPENSSH_GROUP
OPENSSH_GID
OPENSSH_CHROOT
Use these to automatically create user/group if they do not already
exist. Assists platforms which do not have an 'sshd' user by default,
while adding flexibility for NetBSD systems.
Checked by Stoned Elipot <seb@netbsd.org>.
libcrypt-before-libcrypto into a section that is protected by something
we can set in the configure script (check_for_libcrypt_before). This
should fix the latter part of pkg/18091 by grant beattie.
/var/run directory, tmpfs is mounted on /var/run by default.
/var/run does not exist by default on Solaris 7, but some daemons
appear to make use of it after it is created (eg. syslogd).
installs the binaries directly in /usr and places the manpages and example
files in the correct hier(7) locations. We don't register installation in
this case because the package database can't handle it. We deal with the
ssh config files and directories as follows:
NetBSD-1.5.* use /etc/ssh_config, /etc/sshd_config
NetBSD-1.6 use /etc/ssh/ssh_config, /etc/ssh/sshd_config
We also emit a warning in the MESSAGE file that /etc/ssh.conf and
/etc/sshd.conf should be renamed in order to keep using them. Lastly,
there is a new target "tarball" to generate a tarball of the installed
files that might be used to install quickly on many machines, though it
may be only of limited utility.
These changes are only active if UPDATE_INTREE_OPENSSH is defined.
Note: it was already as part of CONFIGURE_ENV value, this change only makes
it more "readable" IMHO.
Remove explicit addition of PKG_SYSCONFDIR to BUILD_DEFS in a couple of
Makefiles.
20020626
- (stevesk) [monitor.c] remove duplicate proto15 dispatch entry for PAM
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/23 21:34:07
[channels.c]
tcode is u_int
- markus@cvs.openbsd.org 2002/06/24 13:12:23
[ssh-agent.1]
the socket name contains ssh-agent's ppid; via mpech@ from form@
- markus@cvs.openbsd.org 2002/06/24 14:33:27
[channels.c channels.h clientloop.c serverloop.c]
move channel counter to u_int
- markus@cvs.openbsd.org 2002/06/24 14:55:38
[authfile.c kex.c ssh-agent.c]
cat to (void) when output from buffer_get_X is ignored
- itojun@cvs.openbsd.org 2002/06/24 15:49:22
[msg.c]
printf type pedant
- deraadt@cvs.openbsd.org 2002/06/24 17:57:20
[sftp-server.c sshpty.c]
explicit (u_int) for uid and gid
- markus@cvs.openbsd.org 2002/06/25 16:22:42
[authfd.c]
unnecessary cast
- markus@cvs.openbsd.org 2002/06/25 18:51:04
[sshd.c]
lightweight do_setusercontext after chroot()
- (bal) Updated AIX package build. Patch by dtucker@zip.com.au
- (tim) [Makefile.in] fix test on installing ssh-rand-helper.8
- (bal) added back in error check for mmap(). I screwed up, Pointed
out by stevesk@
- (tim) [README.privsep] UnixWare tip no longer needed.
- (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP,
but it all damned lies.
- (stevesk) [README.privsep] more for sshd pseudo-account.
- (tim) [contrib/caldera/openssh.spec] add support for privsep
- (djm) setlogin needs pgid==pid on BSD/OS; from itojun@
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/26 08:53:12
[bufaux.c]
limit size of BNs to 8KB; ok provos/deraadt
- markus@cvs.openbsd.org 2002/06/26 08:54:18
[buffer.c]
limit append to 1MB and buffers to 10MB
- markus@cvs.openbsd.org 2002/06/26 08:55:02
[channels.c]
limit # of channels to 10000
- markus@cvs.openbsd.org 2002/06/26 08:58:26
[session.c]
limit # of env vars to 1000; ok deraadt/djm
- deraadt@cvs.openbsd.org 2002/06/26 13:20:57
[monitor.c]
be careful in mm_zalloc
- deraadt@cvs.openbsd.org 2002/06/26 13:49:26
[session.c]
disclose less information from environment files; based on input
from djm, and dschultz@uclink.Berkeley.EDU
- markus@cvs.openbsd.org 2002/06/26 13:55:37
[auth2-chall.c]
make sure # of response matches # of queries, fixes int overflow;
from ISS
- markus@cvs.openbsd.org 2002/06/26 13:56:27
[version.h]
3.4
- (djm) Require krb5 devel for RPM build w/ KrbV
- (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai
<nalin@redhat.com>
- (djm) Update spec files for release
- (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
- (djm) Release 3.4p1
20020625
- (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
- (stevesk) [README.privsep] minor updates
- (djm) Create privsep directory and warn if privsep user is missing
during make install
- (bal) Started list of PrivSep issues in TODO
- (bal) if mmap() is substandard, don't allow compression on server side.
Post 'event' we will add more options.
- (tim) [contrib/caldera/openssh.spec] Sync with Caldera
- (bal) moved aix_usrinfo() and noted not setting real TTY. Patch by
dtucker@zip.com.au
- (tim) [acconfig.h configure.ac sshd.c] BROKEN_FD_PASSING fix from Markus
for Cygwin, Cray, & SCO
20020624
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/06/23 03:25:50
[tildexpand.c]
KNF
- deraadt@cvs.openbsd.org 2002/06/23 03:26:19
[cipher.c key.c]
KNF
- deraadt@cvs.openbsd.org 2002/06/23 03:30:58
[scard.c ssh-dss.c ssh-rsa.c sshconnect.c sshconnect2.c sshd.c sshlogin.c
sshpty.c]
various KNF and %d for unsigned
- deraadt@cvs.openbsd.org 2002/06/23 09:30:14
[sftp-client.c sftp-client.h sftp-common.c sftp-int.c sftp-server.c
sftp.c]
bunch of u_int vs int stuff
- deraadt@cvs.openbsd.org 2002/06/23 09:39:55
[ssh-keygen.c]
u_int stuff
- deraadt@cvs.openbsd.org 2002/06/23 09:46:51
[bufaux.c servconf.c]
minor KNF. things the fingers do while you read
- deraadt@cvs.openbsd.org 2002/06/23 10:29:52
[ssh-agent.c sshd.c]
some minor KNF and %u
- deraadt@cvs.openbsd.org 2002/06/23 20:39:45
[session.c]
compression_level is u_int
- deraadt@cvs.openbsd.org 2002/06/23 21:06:13
[sshpty.c]
KNF
- deraadt@cvs.openbsd.org 2002/06/23 21:06:41
[channels.c channels.h session.c session.h]
display, screen, row, col, xpixel, ypixel are u_int; markus ok
- deraadt@cvs.openbsd.org 2002/06/23 21:10:02
[packet.c]
packet_get_int() returns unsigned for reason & seqnr
- (bal) Also fixed IPADDR_IN_DISPLAY case where display, screen, row, col,
xpixel are u_int.
20020623
- (stevesk) [configure.ac] bug #255 LOGIN_NEEDS_UTMPX for AIX.
- (bal) removed GNUism for getops in ssh-agent since glibc lacks optreset.
- (bal) add extern char *getopt. Based on report by dtucker@zip.com.au
- OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/06/22 02:00:29
[ssh.h]
correct comment
- stevesk@cvs.openbsd.org 2002/06/22 02:40:23
[ssh.1]
section 5 not 4 for ssh_config
- naddy@cvs.openbsd.org 2002/06/22 11:51:39
[ssh.1]
typo
- stevesk@cvs.openbsd.org 2002/06/22 16:32:54
[sshd.8]
add /var/empty in FILES section
- stevesk@cvs.openbsd.org 2002/06/22 16:40:19
[sshd.c]
check /var/empty owner mode; ok provos@
- stevesk@cvs.openbsd.org 2002/06/22 16:41:57
[scp.1]
typo
- stevesk@cvs.openbsd.org 2002/06/22 16:45:29
[ssh-agent.1 sshd.8 sshd_config.5]
use process ID vs. pid/PID/process identifier
- stevesk@cvs.openbsd.org 2002/06/22 20:05:27
[sshd.c]
don't call setsid() if debugging or run from inetd; no "Operation not
permitted" errors now; ok millert@ markus@
- stevesk@cvs.openbsd.org 2002/06/22 23:09:51
[monitor.c]
save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@
Remove `-p' from mkdir arguments, it is already part of ${MKDIR}.
While here substitute a couple of ${PREFIX} by `%D' in
`@exec ${MKDIR} ...' lines and add a couple of missing `%D' in such lines too!
(the following change may include pre-3.2.3p1 change)
20020622
- (djm) Update README.privsep; spotted by fries@
- (djm) Release 3.3p1
20020621
- (djm) Sync:
- djm@cvs.openbsd.org 2002/06/21 05:50:51
[monitor.c]
Don't initialise compression buffers when compression=no in sshd_config;
ok Niels@
- ID sync for auth-passwd.c
- (djm) Warn and disable compression on platforms which can't handle both
useprivilegeseparation=yes and compression=yes
- (djm) contrib/redhat/openssh.spec hacking:
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
- Add new ssh-keysign program and remove setuid from ssh client
20020620
- (bal) Fixed AIX environment handling, use setpcred() instead of existing
code. (Bugzilla Bug 261)
- (bal) OpenBSD CVS Sync
- todd@cvs.openbsd.org 2002/06/14 21:35:00
[monitor_wrap.c]
spelling; from Brian Poole <raj@cerias.purdue.edu>
- markus@cvs.openbsd.org 2002/06/15 00:01:36
[authfd.c authfd.h ssh-add.c ssh-agent.c]
break agent key lifetime protocol and allow other contraints for key
usage.
- markus@cvs.openbsd.org 2002/06/15 00:07:38
[authfd.c authfd.h ssh-add.c ssh-agent.c]
fix stupid typo
- markus@cvs.openbsd.org 2002/06/15 01:27:48
[authfd.c authfd.h ssh-add.c ssh-agent.c]
remove the CONSTRAIN_IDENTITY messages and introduce a new
ADD_ID message with contraints instead. contraints can be
only added together with the private key.
- itojun@cvs.openbsd.org 2002/06/16 21:30:58
[ssh-keyscan.c]
use TAILQ_xx macro. from lukem@netbsd. markus ok
- deraadt@cvs.openbsd.org 2002/06/17 06:05:56
[scp.c]
make usage like man page
- deraadt@cvs.openbsd.org 2002/06/19 00:27:55
[auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c
authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1
ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c
ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c
xmalloc.h]
KNF done automatically while reading....
- markus@cvs.openbsd.org 2002/06/19 18:01:00
[cipher.c monitor.c monitor_wrap.c packet.c packet.h]
make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this is still depends on EVP
implementation details and is broken).
- stevesk@cvs.openbsd.org 2002/06/20 19:56:07
[ssh.1 sshd.8]
move configuration file options from ssh.1/sshd.8 to
ssh_config.5/sshd_config.5; ok deraadt@ millert@
- stevesk@cvs.openbsd.org 2002/06/20 20:00:05
[scp.1 sftp.1]
ssh_config(5)
- stevesk@cvs.openbsd.org 2002/06/20 20:03:34
[ssh_config sshd_config]
refer to config file man page
- markus@cvs.openbsd.org 2002/06/20 23:05:56
[servconf.c servconf.h session.c sshd.c]
allow Compression=yes/no in sshd_config
- markus@cvs.openbsd.org 2002/06/20 23:37:12
[sshd_config]
add Compression
- stevesk@cvs.openbsd.org 2002/05/25 20:40:08
[LICENCE]
missed Per Allansson (auth2-chall.c)
- (bal) Cygwin special handling of empty passwords wrong. Patch by
vinschen@redhat.com
- (bal) Missed integrating ssh_config.5 and sshd_config.5
- (bal) Still more Makefile.in updates for ssh{d}_config.5
20020613
- (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com
20020612
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/11 23:03:54
[ssh.c]
remove unused cruft.
- markus@cvs.openbsd.org 2002/06/12 01:09:52
[ssh.c]
ssh_connect returns 0 on success
- (bal) Build noop setgroups() for cygwin to clean up code (For other
platforms without the setgroups() requirement, you MUST define
SETGROUPS_NOOP in the configure.ac) Based on patch by vinschen@redhat.com
- (bal) Some platforms don't have ONLCR (Notable Mint)
20020611
- (bal) ssh-agent.c RCSD fix (|unexpand already done)
- (bal) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/06/09 22:15:15
[ssh.1]
update for no setuid root and ssh-keysign; ok deraadt@
- itojun@cvs.openbsd.org 2002/06/09 22:17:21
[sshconnect.c]
pass salen to sockaddr_ntop so that we are happy on linux/solaris
- stevesk@cvs.openbsd.org 2002/06/10 16:53:06
[auth-rsa.c ssh-rsa.c]
display minimum RSA modulus in error(); ok markus@
- stevesk@cvs.openbsd.org 2002/06/10 16:56:30
[ssh-keysign.8]
merge in stuff from my man page; ok markus@
- stevesk@cvs.openbsd.org 2002/06/10 17:36:23
[ssh-add.1 ssh-add.c]
use convtime() to parse and validate key lifetime. can now
use '-t 2h' etc. ok markus@ provos@
- stevesk@cvs.openbsd.org 2002/06/10 17:45:20
[readconf.c ssh.1]
change RhostsRSAAuthentication and RhostsAuthentication default to no
since ssh is no longer setuid root by default; ok markus@
- stevesk@cvs.openbsd.org 2002/06/10 21:21:10
[ssh_config]
update defaults for RhostsRSAAuthentication and RhostsAuthentication
here too (all options commented out with default value).
- markus@cvs.openbsd.org 2002/06/10 22:28:41
[channels.c channels.h session.c]
move creation of agent socket to session.c; no need for uidswapping
in channel.c.
- markus@cvs.openbsd.org 2002/06/11 04:14:26
[ssh.c sshconnect.c sshconnect.h]
no longer use uidswap.[ch] from the ssh client
run less code with euid==0 if ssh is installed setuid root
just switch the euid, don't switch the complete set of groups
(this is only needed by sshd). ok provos@
- mpech@cvs.openbsd.org 2002/06/11 05:46:20
[auth-krb4.c monitor.h serverloop.c session.c ssh-agent.c sshd.c]
pid_t cleanup. Markus need this now to keep hacking.
markus@, millert@ ok
- itojun@cvs.openbsd.org 2002/06/11 08:11:45
[canohost.c]
use "ntop" only after initialized
- (bal) Cygwin fix up from swap uid clean up in ssh.c patch by
vinschen@redhat.com
20020609
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/08 05:07:56
[ssh.c]
nuke ptrace comment
- markus@cvs.openbsd.org 2002/06/08 05:07:09
[ssh-keysign.c]
only accept 20 byte session ids
- markus@cvs.openbsd.org 2002/06/08 05:17:01
[readconf.c readconf.h ssh.1 ssh.c]
deprecate FallBackToRsh and UseRsh; patch from djm@
- markus@cvs.openbsd.org 2002/06/08 05:40:01
[readconf.c]
just warn about Deprecated options for now
- markus@cvs.openbsd.org 2002/06/08 05:41:18
[ssh_config]
remove FallBackToRsh/UseRsh
- markus@cvs.openbsd.org 2002/06/08 12:36:53
[scp.c]
remove FallBackToRsh
- markus@cvs.openbsd.org 2002/06/08 12:46:14
[readconf.c]
silently ignore deprecated options, since FallBackToRsh might be passed
by remote scp commands.
- itojun@cvs.openbsd.org 2002/06/08 21:15:27
[sshconnect.c]
always use getnameinfo. (diag message only)
- markus@cvs.openbsd.org 2002/06/09 04:33:27
[sshconnect.c]
abort() - > fatal()
- (bal) RCSID tag updates on channels.c, clientloop.c, nchan.c,
sftp-client.c, ssh-agenet.c, ssh-keygen.c and connect.h (we did unexpand
independant of them)
20020607
- (bal) Removed --{enable/disable}-suid-ssh
- (bal) Missed __progname in ssh-keysign.c patch by dtucker@zip.com.au
- (bal) use 'LOGIN_PROGRAM' not '/usr/bin/login' in session.c patch by
Bertrand.Velle@apogee-com.fr
20020606
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/05/15 21:56:38
[servconf.c sshd.8 sshd_config]
re-enable privsep and disable setuid for post-3.2.2
- markus@cvs.openbsd.org 2002/05/16 22:02:50
[cipher.c kex.h mac.c]
fix warnings (openssl 0.9.7 requires const)
- stevesk@cvs.openbsd.org 2002/05/16 22:09:59
[session.c ssh.c]
don't limit xauth pathlen on client side and longer print length on
server when debug; ok markus@
- deraadt@cvs.openbsd.org 2002/05/19 20:54:52
[log.h]
extra commas in enum not 100% portable
- deraadt@cvs.openbsd.org 2002/05/22 23:18:25
[ssh.c sshd.c]
spelling; abishoff@arc.nasa.gov
- markus@cvs.openbsd.org 2002/05/23 19:24:30
[authfile.c authfile.h pathnames.h ssh.c sshconnect.c sshconnect.h
sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in]
add /usr/libexec/ssh-keysign: a setuid helper program for hostbased
authentication in protocol v2 (needs to access the hostkeys).
- markus@cvs.openbsd.org 2002/05/23 19:39:34
[ssh.c]
add comment about ssh-keysign
- markus@cvs.openbsd.org 2002/05/24 08:45:14
[sshconnect2.c]
stat ssh-keysign first, print error if stat fails;
some debug->error; fix comment
- markus@cvs.openbsd.org 2002/05/25 08:50:39
[sshconnect2.c]
execlp->execl; from stevesk
- markus@cvs.openbsd.org 2002/05/25 18:51:07
[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
auth2-passwd.c auth2-pubkey.c Makefile.in]
split auth2.c into one file per method; ok provos@/deraadt@
- stevesk@cvs.openbsd.org 2002/05/26 20:35:10
[ssh.1]
sort ChallengeResponseAuthentication; ok markus@
- stevesk@cvs.openbsd.org 2002/05/28 16:45:27
[monitor_mm.c]
print strerror(errno) on mmap/munmap error; ok markus@
- stevesk@cvs.openbsd.org 2002/05/28 17:28:02
[uidswap.c]
format spec change/casts and some KNF; ok markus@
- stevesk@cvs.openbsd.org 2002/05/28 21:24:00
[uidswap.c]
use correct function name in fatal()
- stevesk@cvs.openbsd.org 2002/05/29 03:06:30
[ssh.1 sshd.8]
spelling
- markus@cvs.openbsd.org 2002/05/29 11:21:57
[sshd.c]
don't start if privsep is enabled and SSH_PRIVSEP_USER or
_PATH_PRIVSEP_CHROOT_DIR are missing; ok deraadt@
- markus@cvs.openbsd.org 2002/05/30 08:07:31
[cipher.c]
use rijndael/aes from libcrypto (openssl >= 0.9.7) instead of
our own implementation. allow use of AES hardware via libcrypto,
ok deraadt@
- markus@cvs.openbsd.org 2002/05/31 10:30:33
[sshconnect2.c]
extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@
- markus@cvs.openbsd.org 2002/05/31 11:35:15
[auth.h auth2.c]
move Authmethod definitons to per-method file.
- markus@cvs.openbsd.org 2002/05/31 13:16:48
[key.c]
add comment:
key_verify returns 1 for a correct signature, 0 for an incorrect signature
and -1 on error.
- markus@cvs.openbsd.org 2002/05/31 13:20:50
[ssh-rsa.c]
pad received signature with leading zeros, because RSA_verify expects
a signature of RSA_size. the drafts says the signature is transmitted
unpadded (e.g. putty does not pad), reported by anakin@pobox.com
- deraadt@cvs.openbsd.org 2002/06/03 12:04:07
[ssh.h]
compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission
- markus@cvs.openbsd.org 2002/06/04 19:42:35
[monitor.c]
only allow enabled authentication methods; ok provos@
- markus@cvs.openbsd.org 2002/06/04 19:53:40
[monitor.c]
save the session id (hash) for ssh2 (it will be passed with the
initial sign request) and verify that this value is used during
authentication; ok provos@
- markus@cvs.openbsd.org 2002/06/04 23:02:06
[packet.c]
remove __FUNCTION__
- markus@cvs.openbsd.org 2002/06/04 23:05:49
[cipher.c monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c]
__FUNCTION__ -> __func__
- markus@cvs.openbsd.org 2002/06/05 16:08:07
[ssh-agent.1 ssh-agent.c]
'-a bind_address' binds the agent to user-specified unix-domain
socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
- markus@cvs.openbsd.org 2002/06/05 16:08:07
[ssh-agent.1 ssh-agent.c]
'-a bind_address' binds the agent to user-specified unix-domain
socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
- markus@cvs.openbsd.org 2002/06/05 16:48:54
[ssh-agent.c]
copy current request into an extra buffer and just flush this
request on errors, ok provos@
- markus@cvs.openbsd.org 2002/06/05 19:57:12
[authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
ssh-add -x for lock and -X for unlocking the agent.
todo: encrypt private keys with locked...
- markus@cvs.openbsd.org 2002/06/05 20:56:39
[ssh-add.c]
add -x/-X to usage
- markus@cvs.openbsd.org 2002/06/05 21:55:44
[authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
ssh-add -t life, Set lifetime (in seconds) when adding identities;
ok provos@
- stevesk@cvs.openbsd.org 2002/06/06 01:09:41
[monitor.h]
no trailing comma in enum; china@thewrittenword.com
- markus@cvs.openbsd.org 2002/06/06 17:12:44
[sftp-server.c]
discard remaining bytes of current request; ok provos@
- markus@cvs.openbsd.org 2002/06/06 17:30:11
[sftp-server.c]
use get_int() macro (hide iqueue)
- (bal) Missed msg.[ch] in merge. Required for ssh-keysign.
- (bal) Forgot to add msg.c Makefile.in.
- (bal) monitor_mm.c typos.
- (bal) Refixed auth2.c. It was never fully commited while spliting out
authentication to different files.
- (bal) ssh-keysign should build and install correctly now. Phase two
would be to clean out any dead wood and disable ssh setuid on install.
- (bal) Reverse logic, use __func__ first since it's C99
20020604
- (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
setsockopt from debug to error for now).
20020527
- (tim) [configure.ac.orig monitor_fdpass.c] Enahnce msghdr tests to address
build problem on Irix reported by Dave Love <d.love@dl.ac.uk>. Back out
last monitor_fdpass.c changes that are no longer needed with new tests.
Patch tested on Irix by Jan-Frode Myklebust <janfrode@parallab.uib.no>
20020522
- (djm) Fix spelling mistakes, spotted by Solar Designer i
<solar@openwall.com>
- Sync scard/ (not sure when it drifted)
- (djm) OpenBSD CVS Sync:
[auth.c]
Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.
- Crank version
- Crank RPM spec versions
20020521
- (stevesk) [sshd.c] bug 245; disable setsid() for now
- (stevesk) [sshd.c] #ifndef HAVE_CYGWIN for setgroups()
20020517
- (tim) [configure.ac] remove extra MD5_MSG="no" line.
20020515
- (bal) CVS ID fix up on auth-passwd.c
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/05/07 19:54:36
[ssh.h]
use ssh uid
- deraadt@cvs.openbsd.org 2002/05/08 21:06:34
[ssh.h]
move to sshd.sshd instead
- stevesk@cvs.openbsd.org 2002/05/11 20:24:48
[ssh.h]
typo in comment
- itojun@cvs.openbsd.org 2002/05/13 02:37:39
[auth-skey.c auth2.c]
less warnings. skey_{respond,query} are public (in auth.h)
- markus@cvs.openbsd.org 2002/05/13 20:44:58
[auth-options.c auth.c auth.h]
move the packet_send_debug handling from auth-options.c to auth.c;
ok provos@
- millert@cvs.openbsd.org 2002/05/13 15:53:19
[sshd.c]
Call setsid() in the child after sshd accepts the connection and forks.
This is needed for privsep which calls setlogin() when it changes uids.
Without this, there is a race where the login name of an existing
connection, as returned by getlogin(), may be changed to the privsep
user (sshd). markus@ OK
- markus@cvs.openbsd.org 2002/05/13 21:26:49
[auth-rhosts.c]
handle debug messages during rhosts-rsa and hostbased authentication;
ok provos@
- mouring@cvs.openbsd.org 2002/05/15 15:47:49
[kex.c monitor.c monitor_wrap.c sshd.c]
'monitor' variable clashes with at least one lame platform (NeXT). i
Renamed to 'pmonitor'. provos@
- deraadt@cvs.openbsd.org 2002/05/04 02:39:35
[servconf.c sshd.8 sshd_config]
enable privsep by default; provos ok
- millert@cvs.openbsd.org 2002/05/06 23:34:33
[ssh.1 sshd.8]
Kill/adjust r(login|exec)d? references now that those are no longer in
the tree.
- markus@cvs.openbsd.org 2002/05/15 21:02:53
[servconf.c sshd.8 sshd_config]
disable privsep and enable setuid for the 3.2.2 release
- (bal) Fixed up PAM case. I think.
- (bal) Clarified openbsd-compat/*-cray.* Licence provided by Wendy
- (bal) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/05/15 21:05:29
[version.h]
enter OpenSSH_3.2.2
- (bal) Caldara, Suse, and Redhat openssh.specs updated.
which the basesrc USE_KERBEROS variable. Discussed on packages@
This fixes PR#17182 from Takahiro Kambe. The problem was pointed out by
FUKAUMI Naoki on a Japanese NetBSD mailing list.
- a defect in the BSD_AUTH access control handling for
OpenBSD and BSD/OS systems:
Under certain conditions, on systems using YP with netgroups
in the password database, it is possible that sshd does ACL
checks for the requested user name but uses the password
database entry of a different user for authentication. This
means that denied users might authenticate successfully while
permitted users could be locked out (OpenBSD PR 2659).
- login/tty problems on Solaris (bug #245)
- build problems on Cygwin systems
Security Changes:
=================
- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
see UsePrivilegeSeparation in sshd(8) and
http://www.citi.umich.edu/u/provos/ssh/privsep.html
for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger
Other Changes:
==============
- improved smartcard support (including support for OpenSC, see www.opensc.org)
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from ssh.com software).
- client side suport for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time
* Build properly on systems that don't have /dev/urandom by testing for
the presence of /dev/urandom, instead of just testing for Solaris.
* Add disabled code to handle PAM (not quite working yet with security/PAM).
* Make the sshd rc.d script more /etc/rc.subr-friendly.
* Minimize amount of diffs from pristine OpenSSH sources.
* Disabled scard-install (patch/patch-ah -- Do we need/want it?)
Changes since 2.9.9.2:
- Don't allow authorized_keys specified environment variables when
UseLogin in active
- Fix IPv4 default in ssh-keyscan
- Fix early (and double) free of remote user when using Kerberos
- fix krb5 authorization check
- enable authorized_keys2 again
- ignore SIGPIPE early, makes ssh work if agent dies, netbsd-pr via itojun@
- make ~& (backgrounding) work again for proto v1; add support ~& for v2, too
- pad using the padding field from the ssh2 packet instead of sending
extra ignore messages
- missing free and sync dss/rsa code
- crank c->path to 256 so they can hold a full hostname
- cleanup libwrap support
- Fix fd leak in loginrec.c
- avoid possible FD_ISSET overflow for channels established
during channnel_after_select()
- chdir $HOME after krb_afslog()
- stat subsystem command before calling do_exec
- close all channels if the connection to the remote host has been closed,
should fix sshd's hanging with WCHAN==wait
- add NoHostAuthenticationForLocalhost; note that the hostkey is
now check for localhost, too
- loginrec.c: fix type conversion problems exposed when using 64-bit off_t
- Update spec files for new x11-askpass
The automatic truncation in gensolpkg doesn't work for packages which
have the same package name for the first 5-6 chars.
e.g. amanda-server and amanda-client would be named amanda and amanda.
Now, we add a SVR4_PKGNAME and use amacl for amanda-client and amase for
amanda-server.
All svr4 packages also have a vendor tag, so we have to reserve some chars
for this tag, which is normaly 3 or 4 chars. Thats why we can only use 6
or 5 chars for SVR4_PKGNAME. I used 5 for all the packages, to give the
vendor tag enough room.
All p5-* packages and a few other packages have now a SVR4_PKGNAME.
foo-* to foo-[0-9]*. This is to cause the dependencies to match only the
packages whose base package name is "foo", and not those named "foo-bar".
A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net. Also
change dependency examples in Packages.txt to reflect this.
- don't install setuid unless SSH_SUID=YES
- use libwrap (--with-tcp-wrappers) on NetBSD
I also want to fix S/Key support and Kerberos IV,
so I've left some comments in Makefile for that.
when X11 forwarding = yes.
20010617
- (djm) Pull in small fix from -CURRENT for session.c:
typo, use pid not s->pid, mstone@cs.loyola.edu
20010615
- (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL
around grantpt().
20010614
- (bal) Applied X11 Cookie Patch. X11 Cookie behavior has changed to
no longer use /tmp/ssh-XXXXX/
20010528
- (tim) [conifgure.in] add setvbuf test needed for sftp-int.c
Patch by Corinna Vinschen <vinschen@redhat.com>
20010512
- (bal) Patch to partial sync up contrib/solaris/ packaging software.
Patch by pete <ninjaz@webexpress.com>
20010509
- (bal) UseLogin patch for Solaris/UNICOS. Patch by Wayne Davison
<wayne@blorf.net>
- (bal) ./configure support to disable SIA on OSF1. Patch by
Chris Adams <cmadams@hiwaay.net>
- (bal) Updates from the Sony NEWS-OS platform by NAKAJI Hiroyuki
<nakaji@tutrp.tut.ac.jp>
20010508
- (bal) Fixed configure test for USE_SIA.
20010506
- (djm) Update config.guess and config.sub with latest versions (from
ftp://ftp.gnu.org/gnu/config/) to allow configure on ia64-hpux.
Suggested by Jason Mader <jason@ncac.gwu.edu>
20010504
- (bal) Updated Cygwin README by Corinna Vinschen <vinschen@redhat.com>
- (bal) Avoid socket file security issues in ssh-agent for Cygwin.
Patch by Egor Duda <deo@logos-m.ru>
20010430
- (djm) Add .cvsignore files, suggested by Wayne Davison <wayne@blorf.net>
- (tim) [contrib/caldera/openssh.spec] add Requires line for Caldera 3.1
Important Changes:
==================
WARNING: SSH protocol v2 is now the default protocol version
use the 'Protocol' option from ssh(1) and sshd(8) if
you want to change this.
SSH protocol v2 implementation adds support for:
HostbasedAuthentication, similar to RhostsRSA in SSH protocol
v1
Rekeying (negotiate new encryption keys for the current SSH
session, try ~R in interactive SSH sessions)
updated DH group exchange:
draft-ietf-secsh-dh-group-exchange-01.txt
client option HostKeyAlgorithms
server options ClientAliveInterval and ClientAliveCountMax
tty mode passing
general:
gid swapping in sshd (fixes access to /home/group/user based
directory structures)
Dan Kaminsky <dankamin@cisco.com> contributed an experimental
SOCKS4 proxy to the ssh client (yes, client not the server).
Use 'ssh -D 1080 server' if you want to try this out.
server option PrintLastLog
improvements for scp > 2GB
improved ListenAddress option.
You can now use ListenAddress host:port
improved interoperability (bug detection for older implementations)
improved documentation
first component is now a package name+version/pattern, no more
executable/patchname/whatnot.
While there, introduce BUILD_USES_MSGFMT as shorthand to pull in
devel/gettext unless /usr/bin/msgfmt exists (i.e. on post-1.5 -current).
Patch by Alistair Crooks <agc@netbsd.org>
20010322
- (djm) Better AIX no tty fix, spotted by Gert Doering <gert@greenie.muc.de>
- (djm) Released 2.5.2p2
20010321
- (djm) Fix ttyname breakage for AIX and Tru64. Patch from Steve
VanDevender <stevev@darkwing.uoregon.edu>
- (djm) Make sure pam_retval is initialised on call to pam_end. Patch
from Solar Designer <solar@openwall.com>
- (djm) Don't loop forever when changing password via PAM. Patch
from Solar Designer <solar@openwall.com>
- (djm) Generate config files before build
- (djm) Correctly handle SIA and AIX when no tty present. Spotted and
suggested fix from Mike Battersby <mib@unimelb.edu.au>
20010320
- (bal) glob.c update to added GLOB_LIMITS (OpenBSD CVS).
- (bal) glob.c update to set gl_pathv to NULL (OpenBSD CVS).
- (bal) Oops. Missed globc.h change (OpenBSD CVS).
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/19 17:07:23
[auth.c readconf.c]
undo /etc/shell and proto 2,1 change for openssh-2.5.2
- markus@cvs.openbsd.org 2001/03/19 17:12:10
[version.h]
version 2.5.2
- (djm) Update RPM spec version
- (djm) Release 2.5.2p1
- tim@mindrot.org 2001/03/19 18:33:47 [defines.h]
change S_ISLNK macro to work for UnixWare 2.03
- tim@mindrot.org 2001/03/19 20:45:11 [openbsd-compat/glob.c]
add get_arg_max(). Use sysconf() if ARG_MAX is not defined
20010319
- (djm) Seed PRNG at startup, rather than waiting for arc4random calls to
do it implicitly.
- (djm) Add getusershell() functions from OpenBSD CVS
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/18 12:07:52
[auth-options.c]
ignore permitopen="host:port" if AllowTcpForwarding==no
- (djm) Make scp work on systems without 64-bit ints
- tim@mindrot.org 2001/03/18 18:28:39 [defines.h]
move HAVE_LONG_LONG_INT where it works
- (bal) Use 'NGROUPS' for NeXT Since 'MAX_NGROUPS' is wrapped up in -lposix
stuff. Change suggested by Mark Miller <markm@swoon.net>
- (bal) Small fix to scp. %lu vs %ld
- (bal) NeXTStep lacks S_ISLNK. Plus split up S_IS*
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2001/03/19 03:52:51
[sftp-client.c]
Report ssh connection closing correctly; ok deraadt@
- deraadt@cvs.openbsd.org 2001/03/18 23:30:55
[compat.c compat.h sshd.c]
specifically version match on ssh scanners. do not log scan
information to the console
- djm@cvs.openbsd.org 2001/03/19 12:10:17
[sshd.8]
Document permitopen authorized_keys option; ok markus@
- djm@cvs.openbsd.org 2001/03/19 05:49:52
[ssh.1]
document PreferredAuthentications option; ok markus@
- (bal) Minor NeXT fixed. Forgot to #undef NGROUPS_MAX
20010318
- (bal) Fixed scp type casing issue which causes "scp: protocol error:
size not delimited" fatal errors when tranfering.
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/17 17:27:59
[auth.c]
check /etc/shells, too
- tim@mindrot.org 2001/03/17 18:45:25 [compat.c]
openbsd-compat/fake-regex.h
20010317
- Support usrinfo() on AIX. Based on patch from Gert Doering
<gert@greenie.muc.de>
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/15 15:05:59
[scp.c]
use %lld in printf, ok millert@/deraadt@; report from ssh@client.fi
- markus@cvs.openbsd.org 2001/03/15 22:07:08
[session.c]
pass Session to do_child + KNF
- djm@cvs.openbsd.org 2001/03/16 08:16:18
[sftp-client.c sftp-client.h sftp-glob.c sftp-int.c]
Revise globbing for get/put to be more shell-like. In particular,
"get/put file* directory/" now works. ok markus@
- markus@cvs.openbsd.org 2001/03/16 09:55:53
[sftp-int.c]
fix memset and whitespace
- markus@cvs.openbsd.org 2001/03/16 13:44:24
[sftp-int.c]
discourage strcat/strcpy
- markus@cvs.openbsd.org 2001/03/16 19:06:30
[auth-options.c channels.c channels.h serverloop.c session.c]
implement "permitopen" key option, restricts -L style forwarding to
to specified host:port pairs. based on work by harlan@genua.de
- Check for gl_matchc support in glob_t and fall back to the
openbsd-compat/glob.[ch] support if it does not exist.
20010315
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/14 08:57:14
[sftp-client.c]
Wall
- markus@cvs.openbsd.org 2001/03/14 15:15:58
[sftp-int.c]
add version command
- deraadt@cvs.openbsd.org 2001/03/14 22:50:25
[sftp-server.c]
note no getopt()
- (stevesk) ssh-keyscan.c: specify "openbsd-compat/fake-queue.h"
- (bal) Cygwin README change by Corinna Vinschen <vinschen@redhat.com>
20010314
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/13 17:34:42
[auth-options.c]
missing xfree, deny key on parse error; ok stevesk@
- djm@cvs.openbsd.org 2001/03/13 22:42:54
[sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c]
sftp client filename globbing for get, put, ch{mod,grp,own}. ok markus@
- (bal) Fix strerror() in bsd-misc.c
- (djm) Add replacement glob() from OpenBSD libc if the system glob is
missing or lacks the GLOB_ALTDIRFUNC extension
- (djm) Remove -I$(srcdir)/openbsd-compat from CFLAGS, refer to headers
relatively. Avoids conflict between glob.h and /usr/include/glob.h
20010313
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/12 22:02:02
[key.c key.h ssh-add.c ssh-keygen.c sshconnect.c sshconnect2.c]
remove old key_fingerprint interface, s/_ex//
20010312
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/11 13:25:36
[auth2.c key.c]
debug
- jakob@cvs.openbsd.org 2001/03/11 15:03:16
[key.c key.h]
add improved fingerprint functions. based on work by Carsten
Raskgaard <cara@int.tele.dk> and modified by me. ok markus@.
- jakob@cvs.openbsd.org 2001/03/11 15:04:16
[ssh-keygen.1 ssh-keygen.c]
print both md5, sha1 and bubblebabble fingerprints when using
ssh-keygen -l -v. ok markus@.
- jakob@cvs.openbsd.org 2001/03/11 15:13:09
[key.c]
cleanup & shorten some var names key_fingerprint_bubblebabble.
- deraadt@cvs.openbsd.org 2001/03/11 16:39:03
[ssh-keygen.c]
KNF, and SHA1 binary output is just creeping featurism
- tim@mindrot.org 2001/03/11 17:29:32 [configure.in]
test if snprintf() supports %ll
add /dev to search path for PRNGD/EGD socket
fix my mistake in USER_PATH test program
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/11 18:29:51
[key.c]
style+cleanup
- markus@cvs.openbsd.org 2001/03/11 22:33:24
[ssh-keygen.1 ssh-keygen.c]
remove -v again. use -B instead for bubblebabble. make -B consistent
with -l and make -B work with /path/to/known_hosts. ok deraadt@
- (djm) Bump portable version number for generating test RPMs
- (djm) Add "static_openssl" RPM build option, remove rsh build dependency
- (bal) Reorder includes in Makefile.
20010311
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/10 12:48:27
[sshconnect2.c]
ignore nonexisting private keys; report rjmooney@mediaone.net
- deraadt@cvs.openbsd.org 2001/03/10 12:53:51
[readconf.c ssh_config]
default to SSH2, now that m68k runs fast
- stevesk@cvs.openbsd.org 2001/03/10 15:02:05
[ttymodes.c ttymodes.h]
remove unused sgtty macros; ok markus@
- deraadt@cvs.openbsd.org 2001/03/10 15:31:00
[compat.c compat.h sshconnect.c]
all known netscreen ssh versions, and older versions of OSU ssh cannot
handle password padding (newer OSU is fixed)
- tim@mindrot.org 2001/03/10 16:33:42 [configure.in Makefile.in sshd_config]
make sure $bindir is in USER_PATH so scp will work
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2001/03/10 17:51:04
[kex.c match.c match.h readconf.c readconf.h sshconnect2.c]
add PreferredAuthentications
20010310
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/03/09 03:14:39
[ssh-keygen.c]
create *.pub files with umask 0644, so that you can mv them to
authorized_keys
- deraadt@cvs.openbsd.org 2001/03/09 12:30:29
[sshd.c]
typo; slade@shore.net
- Removed log.o from sftp client. Not needed.
20010309
- OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2001/03/08 18:47:12
[auth1.c]
unused; ok markus@
- stevesk@cvs.openbsd.org 2001/03/08 20:44:48
[sftp.1]
spelling, cleanup; ok deraadt@
- markus@cvs.openbsd.org 2001/03/08 21:42:33
[compat.c compat.h readconf.h ssh.c sshconnect1.c sshconnect2.c]
implement client side of SSH2_MSG_USERAUTH_PK_OK (test public key ->
no need to do enter passphrase or do expensive sign operations if the
server does not accept key).
20010308
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2001/03/07 10:11:23
[sftp-client.c sftp-client.h sftp-int.c sftp-server.c sftp.1 sftp.c sftp.h]
Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling
functions and small protocol change.
- markus@cvs.openbsd.org 2001/03/08 00:15:48
[readconf.c ssh.1]
turn off useprivilegedports by default. only rhost-auth needs
this. older sshd's may need this, too.
- (stevesk) Reliant Unix (SNI) needs HAVE_BOGUS_SYS_QUEUE_H;
Dirk Markwardt <D.Markwardt@tu-bs.de>
20010307
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/03/06 06:11:18
[ssh-keyscan.c]
appease gcc
- deraadt@cvs.openbsd.org 2001/03/06 06:11:44
[sftp-int.c sftp.1 sftp.c]
sftp -b batchfile; mouring@etoh.eviladmin.org
- deraadt@cvs.openbsd.org 2001/03/06 15:10:42
[sftp.1]
order things
- deraadt@cvs.openbsd.org 2001/03/07 01:19:06
[ssh.1 sshd.8]
the name "secure shell" is boring, noone ever uses it
- deraadt@cvs.openbsd.org 2001/03/07 04:05:58
[ssh.1]
removed dated comment
- Cygwin contrib improvements from Corinna Vinschen <vinschen@redhat.com>
20010306
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/03/05 14:28:47
[sshd.8]
alpha order; jcs@rt.fm
- stevesk@cvs.openbsd.org 2001/03/05 15:44:51
[servconf.c]
sync error message; ok markus@
- deraadt@cvs.openbsd.org 2001/03/05 15:56:16
[myproposal.h ssh.1]
switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster;
provos & markus ok
- deraadt@cvs.openbsd.org 2001/03/05 16:07:15
[sshd.8]
detail default hmac setup too
- markus@cvs.openbsd.org 2001/03/05 17:17:21
[kex.c kex.h sshconnect2.c sshd.c]
generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.
References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
- stevesk@cvs.openbsd.org 2001/03/05 17:40:48
[ssh.1]
more ssh_known_hosts2 documentation; ok markus@
- stevesk@cvs.openbsd.org 2001/03/05 17:58:22
[dh.c]
spelling
- deraadt@cvs.openbsd.org 2001/03/06 00:33:04
[authfd.c cli.c ssh-agent.c]
EINTR/EAGAIN handling is required in more cases
- millert@cvs.openbsd.org 2001/03/06 01:06:03
[ssh-keyscan.c]
Don't assume we wil get the version string all in one read().
deraadt@ OK'd
- millert@cvs.openbsd.org 2001/03/06 01:08:27
[clientloop.c]
If read() fails with EINTR deal with it the same way we treat EAGAIN
20010305
- (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch]
- (bal) CVS ID touch up on sftp-int.c
- (bal) CVS ID touch up on uuencode.c
- (bal) CVS ID touch up on auth2.c, serverloop.c, session.c & sshd.c
- (bal) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2001/02/17 23:48:48
[sshd.8]
it's the OpenSSH one
- deraadt@cvs.openbsd.org 2001/02/21 07:37:04
[ssh-keyscan.c]
inline -> __inline__, and some indent
- deraadt@cvs.openbsd.org 2001/02/21 09:05:54
[authfile.c]
improve fd handling
- deraadt@cvs.openbsd.org 2001/02/21 09:12:56
[sftp-server.c]
careful with & and &&; markus ok
- stevesk@cvs.openbsd.org 2001/02/21 21:14:04
[ssh.c]
-i supports DSA identities now; ok markus@
- deraadt@cvs.openbsd.org 2001/02/22 04:29:37
[servconf.c]
grammar; slade@shore.net
- deraadt@cvs.openbsd.org 2001/02/22 06:43:55
[ssh-keygen.1 ssh-keygen.c]
document -d, and -t defaults to rsa1
- deraadt@cvs.openbsd.org 2001/02/22 08:03:51
[ssh-keygen.1 ssh-keygen.c]
bye bye -d
- deraadt@cvs.openbsd.org 2001/02/22 18:09:06
[sshd_config]
activate RSA 2 key
- markus@cvs.openbsd.org 2001/02/22 21:57:27
[ssh.1 sshd.8]
typos/grammar from matt@anzen.com
- markus@cvs.openbsd.org 2001/02/22 21:59:44
[auth.c auth.h auth1.c auth2.c misc.c misc.h ssh.c]
use pwcopy in ssh.c, too
- markus@cvs.openbsd.org 2001/02/23 15:34:53
[serverloop.c]
debug2->3
- markus@cvs.openbsd.org 2001/02/23 18:15:13
[sshd.c]
the random session key depends now on the session_key_int
sent by the 'attacker'
dig1 = md5(cookie|session_key_int);
dig2 = md5(dig1|cookie|session_key_int);
fake_session_key = dig1|dig2;
this change is caused by a mail from anakin@pobox.com
patch based on discussions with my german advisor niels@openbsd.org
- deraadt@cvs.openbsd.org 2001/02/24 10:37:55
[readconf.c]
look for id_rsa by default, before id_dsa
- deraadt@cvs.openbsd.org 2001/02/24 10:37:26
[sshd_config]
ssh2 rsa key before dsa key
- markus@cvs.openbsd.org 2001/02/27 10:35:27
[packet.c]
fix random padding
- markus@cvs.openbsd.org 2001/02/27 11:00:11
[compat.c]
support SSH-2.0-2.1 ; from Christophe_Moret@hp.com
- deraadt@cvs.openbsd.org 2001/02/28 05:34:28
[misc.c]
pull in protos
- deraadt@cvs.openbsd.org 2001/02/28 05:36:28
[sftp.c]
do not kill the subprocess on termination (we will see if this helps
things or hurts things)
- markus@cvs.openbsd.org 2001/02/28 08:45:39
[clientloop.c]
fix byte counts for ssh protocol v1
- markus@cvs.openbsd.org 2001/02/28 08:54:55
[channels.c nchan.c nchan.h]
make sure remote stderr does not get truncated.
remove closed fd's from the select mask.
- markus@cvs.openbsd.org 2001/02/28 09:57:07
[packet.c packet.h sshconnect2.c]
in ssh protocol v2 use ignore messages for padding (instead of
trailing \0).
- markus@cvs.openbsd.org 2001/02/28 12:55:07
[channels.c]
unify debug messages
- deraadt@cvs.openbsd.org 2001/02/28 17:52:54
[misc.c]
for completeness, copy pw_gecos too
- markus@cvs.openbsd.org 2001/02/28 21:21:41
[sshd.c]
generate a fake session id, too
- markus@cvs.openbsd.org 2001/02/28 21:27:48
[channels.c packet.c packet.h serverloop.c]
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.
- markus@cvs.openbsd.org 2001/02/28 21:31:32
[channels.c]
typo
- deraadt@cvs.openbsd.org 2001/03/01 02:11:25
[authfd.c]
split line so that p will have an easier time next time around
- deraadt@cvs.openbsd.org 2001/03/01 02:29:04
[ssh.c]
shorten usage by a line
- deraadt@cvs.openbsd.org 2001/03/01 02:45:10
[auth-rsa.c auth2.c deattack.c packet.c]
KNF
- deraadt@cvs.openbsd.org 2001/03/01 03:38:33
[cli.c cli.h rijndael.h ssh-keyscan.1]
copyright notices on all source files
- markus@cvs.openbsd.org 2001/03/01 22:46:37
[ssh.c]
don't truncate remote ssh-2 commands; from mkubita@securities.cz
use min, not max for logging, fixes overflow.
- deraadt@cvs.openbsd.org 2001/03/02 06:21:01
[sshd.8]
explain SIGHUP better
- deraadt@cvs.openbsd.org 2001/03/02 09:42:49
[sshd.8]
doc the dsa/rsa key pair files
- deraadt@cvs.openbsd.org 2001/03/02 18:54:31
[atomicio.c atomicio.h auth-chall.c auth.c auth2-chall.c crc32.h
scp.c serverloop.c session.c sftp-server.8 sftp.1 ssh-add.1 ssh-add.c
ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh.1 sshd.8]
make copyright lines the same format
- deraadt@cvs.openbsd.org 2001/03/03 06:53:12
[ssh-keyscan.c]
standard theo sweep
- millert@cvs.openbsd.org 2001/03/03 21:19:41
[ssh-keyscan.c]
Dynamically allocate read_wait and its copies. Since maxfd is
based on resource limits it is often (usually?) larger than FD_SETSIZE.
- millert@cvs.openbsd.org 2001/03/03 21:40:30
[sftp-server.c]
Dynamically allocate fd_set; deraadt@ OK
- millert@cvs.openbsd.org 2001/03/03 21:41:07
[packet.c]
Dynamically allocate fd_set; deraadt@ OK
- deraadt@cvs.openbsd.org 2001/03/03 22:07:50
[sftp-server.c]
KNF
- markus@cvs.openbsd.org 2001/03/03 23:52:22
[sftp.c]
clean up arg processing. based on work by Christophe_Moret@hp.com
- markus@cvs.openbsd.org 2001/03/03 23:59:34
[log.c ssh.c]
log*.c -> log.c
- markus@cvs.openbsd.org 2001/03/04 00:03:59
[channels.c]
debug1->2
- stevesk@cvs.openbsd.org 2001/03/04 10:57:53
[ssh.c]
add -m to usage; ok markus@
- stevesk@cvs.openbsd.org 2001/03/04 11:04:41
[sshd.8]
small cleanup and clarify for PermitRootLogin; ok markus@
- stevesk@cvs.openbsd.org 2001/03/04 11:16:06
[servconf.c sshd.8]
kill obsolete RandomSeed; ok markus@ deraadt@
- stevesk@cvs.openbsd.org 2001/03/04 12:54:04
[sshd.8]
spelling
- millert@cvs.openbsd.org 2001/03/04 17:42:28
[authfd.c channels.c dh.c log.c readconf.c servconf.c sftp-int.c
ssh.c sshconnect.c sshd.c]
log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.
- deraadt@cvs.openbsd.org 2001/03/04 18:21:28
[sshd.8]
list SSH2 ciphers
- (bal) Put HAVE_PW_CLASS_IN_PASSWD back into pwcopy()
- (bal) Fix up logging since it changed. removed log-*.c
- (djm) Fix up LOG_AUTHPRIV for systems that have it
- (stevesk) OpenBSD sync:
- deraadt@cvs.openbsd.org 2001/03/05 08:37:27
[ssh-keyscan.c]
skip inlining, why bother
- (stevesk) sftp.c: handle __progname
20010304
- (bal) Remove make-ssh-known-hosts.1 since it's no longer valid.
- (bal) Updated contrib/README to remove 'make-ssh-known-hosts' and
give Mark Roth credit for mdoc2man.pl
20010303
- (djm) Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
- (djm) Document PAM ChallengeResponseAuthentication in sshd.8
- (djm) Disable and comment ChallengeResponseAuthentication in sshd_config
- (djm) Allow PRNGd entropy collection from localhost TCP socket. Replace
"--with-egd-pool" configure option with "--with-prngd-socket" and
"--with-prngd-port" options. Debugged and improved by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
20010301
- (djm) Properly add -lcrypt if needed.
- (djm) Force standard PAM conversation function in a few more places.
Patch from Redhat 2.5.1p1-2 RPM, probably Nalin Dahyabhai
<nalin@redhat.com>
- (djm) Cygwin needs pw->pw_gecos copied too. Patch from Corinna Vinschen
<vinschen@redhat.com>
- (djm) Released 2.5.1p2
20010228
- (djm) Detect endianness in configure and use it in rijndael.c. Fixes
"Bad packet length" bugs.
- (djm) Fully revert PAM session patch (again). All PAM session init is
now done before the final fork().
- (djm) EGD detection patch from Tim Rice <tim@multitalents.net>
- (djm) Remove /tmp from EGD socket search list
20010227
- (bal) Applied shutdown() patch for sftp.c by Corinna Vinschen
<vinschen@redhat.com>
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/02/23 15:37:45
[session.c]
handle SSH_PROTOFLAG_SCREEN_NUMBER for buggy clients
- (bal) sshd.init support for all Redhat release. Patch by Jim Knoble
<jmknoble@jmknoble.cx>
- (djm) Fix up POSIX saved uid support. Report from Mark Miller
<markm@swoon.net>
- (djm) Search for -lcrypt on FreeBSD too
- (djm) fatal() on OpenSSL version mismatch
- (djm) Move PAM init to after fork for non-Solaris derived PAMs
- (djm) Warning fix on entropy.c saved uid stuff. Patch from Mark Miller
<markm@swoon.net>
- (djm) Fix PAM fix
- (djm) Remove 'noreplace' flag from sshd_config in RPM spec files. This
change is being made as 2.5.x configfiles are not back-compatible with
2.3.x.
- (djm) Avoid warnings for missing broken IP_TOS. Patch from Mark Miller
<markm@swoon.net>
- (djm) Open Server 5 doesn't need BROKEN_SAVED_UIDS. Patch from Tim Rice
<tim@multitalents.net>
- (djm) Avoid multiple definition of _PATH_LS. Patch from Tim Rice
<tim@multitalents.net>
20010226
- (bal) Fixed bsd-snprinf.c so it now honors 'BROKEN_SNPRINTF' again.
- (djm) Some systems (SCO3, NeXT) have weird saved uid semantics.
Based on patch from Tim Rice <tim@multitalents.net>
20010225
- (djm) Use %{_libexecdir} rather than hardcoded path in RPM specfile
Patch from Adrian Ho <lexfiend@usa.net>
- (bal) Replace 'unsigned long long' to 'u_int64_t' since not every
platform defines u_int64_t as being that.
20010224
- (bal) Missed part of the UNIX sockets patch. Patch by Corinna
Vinschen <vinschen@redhat.com>
- (bal) Reorder where 'strftime' is detected to resolve linking
issues on SCO. Patch by Tim Rice <tim@multitalents.net>
20010224
- (bal) pam_stack fix to correctly detect between RH7 and older RHs.
Patch by Pekka Savola <pekkas@netcore.fi>
- (bal) Renamed sigaction.[ch] to sigact.[ch]. Causes problems with
some platforms.
- (bal) Generalize lack of UNIX sockets since this also effects Cray
not just Cygwin. Based on patch by Wendy Palm <wendyp@cray.com>
20010223
- (bal) Fix --define rh7 in openssh.spec file. Patch by Steve Tell
<tell@telltronics.org>
- (bal) Patch to force OpenSSH rpm to require the same version of OpenSSL
that it was compiled against. Patch by Pekka Savola <pekkas@netcore.fi>
- (bal) Double -I for OpenSSL on SCO. Patch by Tim Rice
<tim@multitalents.net>
20010222
- (bal) Corrected SCO luid patch by svaughan <svaughan@asterion.com>
- (bal) Added mdoc2man.pl from Mark Roth <roth@feep.net>
- (bal) Removed reference to liblogin from contrib/README. It was
integrated into OpenSSH a long while ago.
- (stevesk) remove erroneous #ifdef sgi code.
Michael Stone <mstone@cs.loyola.edu>
20010221
- (bal) Removed -L/usr/ucblib -R/usr/ucblib for Solaris platform.
- (bal) Fixed OpenSSL rework to use $saved_*. Patch by Tim Rice
<tim@multitalents.net>
- (bal) Reverted out of 2001/02/15 patch by djm below because it
breaks Solaris.
- (djm) Move PAM session setup back to before setuid to user.
fixes problems on Solaris-drived PAMs.
- (stevesk) session.c: back out to where we were before:
- (djm) Move PAM session initialisation until after fork in sshd. Patch
from Nalin Dahyabhai <nalin@redhat.com>
20010220
- (bal) Fix mixed up params to memmove() from Jan 5th in setenv.c and
getcwd.c.
- (bal) OpenBSD CVS Sync:
- deraadt@cvs.openbsd.org 2001/02/19 23:09:05
[sshd.c]
clarify message to make it not mention "ident"
20010219
- (bal) Markus' blessing to rename login.[ch] -> sshlogin.[ch] and
pty.[ch] -> sshpty.[ch]
- (djm) Rework search for OpenSSL location. Skip directories which don't
exist, don't add -L$ssldir/lib if it doesn't exist. Should help SCO
with its limit of 6 -L options.
- OpenBSD CVS Sync:
- reinhard@cvs.openbsd.org 2001/02/17 08:24:40
[sftp.1]
typo
- deraadt@cvs.openbsd.org 2001/02/17 16:28:58
[ssh.c]
cleanup -V output; noted by millert
- deraadt@cvs.openbsd.org 2001/02/17 16:48:48
[sshd.8]
it's the OpenSSH one
- markus@cvs.openbsd.org 2001/02/18 11:33:54
[dispatch.c]
typo, SSH2_MSG_KEXINIT, from aspa@kronodoc.fi
- markus@cvs.openbsd.org 2001/02/19 02:53:32
[compat.c compat.h serverloop.c]
ssh-1.2.{18-22} has broken handling of ignore messages; report from
itojun@
- markus@cvs.openbsd.org 2001/02/19 03:35:23
[version.h]
OpenSSH_2.5.1 adds bug compat with 1.2.{18-22}
- deraadt@cvs.openbsd.org 2001/02/19 03:36:25
[scp.c]
np is changed by recursion; vinschen@redhat.com
- Update versions in RPM spec files
- Release 2.5.1p1
20010218
- (bal) Patch for fix FCHMOD reference in ftp-client.c by Tim Rice
<tim@multitalents.net>
- (Bal) Patch for lack of RA_RESTART in misc.c for mysignal by
stevesk
- (djm) Fix my breaking of cygwin builds, Patch from Corinna Vinschen
<vinschen@redhat.com> and myself.
- (djm) Close listen_sock on bind() failures. Patch from Arkadiusz
Miskiewicz <misiek@pld.ORG.PL>
- (djm) Robustify EGD/PRNGd code in face of socket closures. Patch from
Todd C. Miller <Todd.Miller@courtesan.com>
- (djm) Use ttyname() to determine name of tty returned by openpty()
rather then risking overflow. Patch from Marek Michalkiewicz
<marekm@amelek.gda.pl>
- (djm) Swapped tests for no_libsocket and no_libnsl in configure.in.
Patch from Marek Michalkiewicz <marekm@amelek.gda.pl>
- (djm) Doc fixes from Pekka Savola <pekkas@netcore.fi>
- (djm) Use SA_INTERRUPT along SA_RESTART if present (equivalent for
SunOS)
- (djm) SCO needs librpc for libwrap. Patch from Tim Rice
<tim@multitalents.net>
- (stevesk) misc.c: cpp rework of SA_(INTERRUPT|RESTART) handling.
- (stevesk) scp.c: use mysignal() for updateprogressmeter() handler.
- (djm) SA_INTERRUPT is the converse of SA_RESTART, apply it only for
SIGALRM.
- (djm) Move entropy.c over to mysignal()
- (djm) SunOS 4.x also needs to define HAVE_BOGUS_SYS_QUEUE_H as it has
a <sys/queue.h> that lacks the TAILQ_* macros. Patch from Todd C.
Miller <Todd.Miller@courtesan.com>
- (djm) Update RPM spec files for 2.5.0p1
- (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie
enable with --with-bsd-auth.
- (stevesk) entropy.c: typo; should be SIGPIPE
20010217
- (bal) OpenBSD Sync:
- markus@cvs.openbsd.org 2001/02/16 13:38:18
[channel.c]
remove debug
- markus@cvs.openbsd.org 2001/02/16 14:03:43
[session.c]
proper payload-length check for x11 w/o screen-number
20010216
- (bal) added '--with-prce' to allow overriding of system regex when
required (tested by David Dulek <ddulek@fastenal.com>)
- (bal) Added DG/UX case and set that they have a broken IPTOS.
- (djm) Mini-configure reorder patch from Tim Rice <tim@multitalents.net>
Fixes linking on SCO.
- (djm) Make gnome-ssh-askpass handle multi-line prompts. Patch from
Nalin Dahyabhai <nalin@redhat.com>
- (djm) BSD license for gnome-ssh-askpass (was X11)
- (djm) KNF on gnome-ssh-askpass
- (djm) USE_PIPES for a few more sysv platforms
- (djm) Cleanup configure.in a little
- (djm) Ask users to check config.log when we can't find necessary libs
- (djm) Set "login ID" on systems with setluid. Only enabled for SCO
OpenServer for now. Based on patch from svaughan <svaughan@asterion.com>
- (djm) OpenBSD CVS:
- markus@cvs.openbsd.org 2001/02/15 16:19:59
[channels.c channels.h serverloop.c sshconnect.c sshconnect.h]
[sshconnect1.c sshconnect2.c]
genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.
- (djm) Add roundup() macro to defines.h
- (stevesk) set SA_RESTART flag in mysignal() for SIGCHLD;
needed on Unixware 2.x.
20010215
- (djm) Move PAM session setup back to before setuid to user. Fixes
problems on Solaris-derived PAMs.
- (djm) Clean up PAM namespace. Suggested by Darren Moffat
<Darren.Moffat@eng.sun.com>
- (bal) Sync w/ OpenSSH for new release
- markus@cvs.openbsd.org 2001/02/12 12:45:06
[sshconnect1.c]
fix xmalloc(0), ok dugsong@
- markus@cvs.openbsd.org 2001/02/11 12:59:25
[Makefile.in sshd.8 sshconnect2.c readconf.h readconf.c packet.c
sshd.c ssh.c ssh.1 servconf.h servconf.c myproposal.h kex.h kex.c]
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
- markus@cvs.openbsd.org 2001/02/12 16:16:23
[auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h
ssh-keygen.c sshd.8]
PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)
- deraadt@cvs.openbsd.org 2001/02/12 22:56:09
[clientloop.c packet.c ssh-keyscan.c]
deal with EAGAIN/EINTR selects which were skipped
- markus@cvs.openssh.org 2001/02/13 22:49:40
[auth1.c auth2.c]
setproctitle(user) only if getpwnam succeeds
- markus@cvs.openbsd.org 2001/02/12 23:26:20
[sshd.c]
missing memset; from solar@openwall.com
- stevesk@cvs.openbsd.org 2001/02/12 20:53:33
[sftp-int.c]
lumask now works with 1 numeric arg; ok markus@, djm@
- djm@cvs.openbsd.org 2001/02/14 9:46:03
[sftp-client.c sftp-int.c sftp.1]
Fix and document 'preserve modes & times' option ('-p' flag in sftp);
ok markus@
- (bal) replaced PATH_MAX in sftp-int.c w/ MAXPATHLEN.
- (djm) Move to Jim's 1.2.0 X11 askpass program
- (stevesk) OpenBSD sync:
- deraadt@cvs.openbsd.org 2001/02/15 01:38:04
[serverloop.c]
indent
20010214
- (djm) Don't try to close PAM session or delete credentials if the
session has not been open or credentials not set. Based on patch from
Andrew Bartlett <abartlet@pcug.org.au>
- (djm) Move PAM session initialisation until after fork in sshd. Patch
from Nalin Dahyabhai <nalin@redhat.com>
- (bal) Missing function prototype in bsd-snprintf.c patch by
Mark Miller <markm@swoon.net>
- (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
<cmadams@hiwaay.net> with a little modification and KNF.
- (stevesk) fix for SIA patch, misplaced session_setup_sia()
20010213
- (djm) Only test -S potential EGD sockets if they exist and are readable.
- (bal) Cleaned out bsd-snprintf.c. VARARGS have been banished and
I did a base KNF over the whe whole file to make it more acceptable.
(backed out of original patch and removed it from ChangeLog)
- (bal) Use chown() if fchown() does not exist in ftp-server.c patch by
Tim Rice <tim@multitalents.net>
- (stevesk) auth1.c: fix PAM passwordless check.
20010212
- (djm) Update Redhat specfile to allow --define "skip_x11_askpass 1",
--define "skip_gnome_askpass 1", --define "rh7 1" and make the
implicit rpm-3.0.5 dependancy explicit. Patch and suggestions from
Pekka Savola <pekkas@netcore.fi>
- (djm) Clean up PCRE text in INSTALL
- (djm) Fix OSF SIA auth NULL pointer deref. Report from Mike Battersby
<mib@unimelb.edu.au>
- (bal) NCR SVR4 compatiblity provide by Don Bragg <thewizarddon@yahoo.com>
- (stevesk) session.c: remove debugging code.
20010211
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/02/07 22:35:46
[auth1.c auth2.c sshd.c]
move k_setpag() to a central place; ok dugsong@
- markus@cvs.openbsd.org 2001/02/10 12:52:02
[auth2.c]
offer passwd before s/key
- markus@cvs.openbsd.org 2001/02/8 22:37:10
[canohost.c]
remove last call to sprintf; ok deraadt@
- markus@cvs.openbsd.org 2001/02/10 1:33:32
[canohost.c]
add debug message, since sshd blocks here if DNS is not available
- markus@cvs.openbsd.org 2001/02/10 12:44:02
[cli.c]
don't call vis() for \r
- danh@cvs.openbsd.org 2001/02/10 0:12:43
[scp.c]
revert a small change to allow -r option to work again; ok deraadt@
- danh@cvs.openbsd.org 2001/02/10 15:14:11
[scp.c]
fix memory leak; ok markus@
- djm@cvs.openbsd.org 2001/02/10 0:45:52
[scp.1]
Mention that you can quote pathnames with spaces in them
- markus@cvs.openbsd.org 2001/02/10 1:46:28
[ssh.c]
remove mapping of argv[0] -> hostname
- markus@cvs.openbsd.org 2001/02/06 22:26:17
[sshconnect2.c]
do not ask for passphrase in batch mode; report from ejb@ql.org
- itojun@cvs.opebsd.org 2001/02/08 10:47:05
[sshconnect.c sshconnect1.c sshconnect2.c]
%.30s is too short for IPv6 numeric address. use %.128s for now.
markus ok
- markus@cvs.openbsd.org 2001/02/09 12:28:35
[sshconnect2.c]
do not free twice, thanks to /etc/malloc.conf
- markus@cvs.openbsd.org 2001/02/09 17:10:53
[sshconnect2.c]
partial success: debug->log; "Permission denied" if no more auth methods
- markus@cvs.openbsd.org 2001/02/10 12:09:21
[sshconnect2.c]
remove some lines
- markus@cvs.openbsd.org 2001/02/09 13:38:07
[auth-options.c]
reset options if no option is given; from han.holl@prismant.nl
- markus@cvs.openbsd.org 2001/02/08 21:58:28
[channels.c]
nuke sprintf, ok deraadt@
- markus@cvs.openbsd.org 2001/02/08 21:58:28
[channels.c]
nuke sprintf, ok deraadt@
- markus@cvs.openbsd.org 2001/02/06 22:43:02
[clientloop.h]
remove confusing callback code
- deraadt@cvs.openbsd.org 2001/02/08 14:39:36
[readconf.c]
snprintf
- itojun@cvs.openbsd.org 2001/02/08 19:30:52
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long
- itojun@cvs.openbsd.org 2001/02/07 18:04:50
[ssh-keyscan.c]
fix size_t -> int cast (use u_long). markus ok
- markus@cvs.openbsd.org 2001/02/07 22:43:16
[ssh-keyscan.c]
s/getline/Linebuf_getline/; from roumen.petrov@skalasoft.com
- itojun@cvs.openbsd.org 2001/02/09 9:04:59
[ssh-keyscan.c]
do not assume malloc() returns zero-filled region. found by
malloc.conf=AJ.
- markus@cvs.openbsd.org 2001/02/08 22:35:30
[sshconnect.c]
don't connect if batch_mode is true and stricthostkeychecking set to
'ask'
- djm@cvs.openbsd.org 2001/02/04 21:26:07
[sshd_config]
type: ok markus@
- deraadt@cvs.openbsd.org 2001/02/06 22:07:50
[sshd_config]
enable sftp-server by default
- deraadt 2001/02/07 8:57:26
[xmalloc.c]
deal with new ANSI malloc stuff
- markus@cvs.openbsd.org 2001/02/07 16:46:08
[xmalloc.c]
typo in fatal()
- itojun@cvs.openbsd.org 2001/02/07 18:04:50
[xmalloc.c]
fix size_t -> int cast (use u_long). markus ok
- 1.47 Thu Feb 8 23:11:42 GMT 2001 by dugsong
[serverloop.c sshconnect1.c]
mitigate SSH1 traffic analysis - from Solar Designer
<solar@openwall.com>, ok provos@
- (bal) fixed sftp-client.c. Return 'status' instead of '0'
(from the OpenBSD tree)
- (bal) Synced ssh.1, ssh-add.1 and sshd.8 w/ OpenBSD
- (bal) sftp-sever.c '%8lld' to '%8llu' (OpenBSD Sync)
- (bal) uuencode.c resync w/ OpenBSD tree, plus whitespace.
- (bal) A bit more whitespace cleanup
- (djm) Set PAM_RHOST earlier, patch from Andrew Bartlett
<abartlet@pcug.org.au>
- (stevesk) misc.c: ssh.h not needed.
- (stevesk) compat.c: more friendly cpp error
- (stevesk) OpenBSD sync:
- stevesk@cvs.openbsd.org 2001/02/11 06:15:57
[LICENSE]
typos and small cleanup; ok deraadt@
20010210
- (djm) Sync sftp and scp stuff from OpenBSD:
- djm@cvs.openbsd.org 2001/02/07 03:55:13
[sftp-client.c]
Don't free handles before we are done with them. Based on work from
Corinna Vinschen <vinschen@redhat.com>. ok markus@
- djm@cvs.openbsd.org 2001/02/06 22:32:53
[sftp.1]
Punctuation fix from Pekka Savola <pekkas@netcore.fi>
- deraadt@cvs.openbsd.org 2001/02/07 04:07:29
[sftp.1]
pretty up significantly
- itojun@cvs.openbsd.org 2001/02/07 06:49:42
[sftp.1]
.Bl-.El mismatch. markus ok
- djm@cvs.openbsd.org 2001/02/07 06:12:30
[sftp-int.c]
Check that target is a directory before doing ls; ok markus@
- itojun@cvs.openbsd.org 2001/02/07 11:01:18
[scp.c sftp-client.c sftp-server.c]
unsigned long long -> %llu, not %qu. markus ok
- stevesk@cvs.openbsd.org 2001/02/07 11:10:39
[sftp.1 sftp-int.c]
more man page cleanup and sync of help text with man page; ok markus@
- markus@cvs.openbsd.org 2001/02/07 14:58:34
[sftp-client.c]
older servers reply with SSH2_FXP_NAME + count==0 instead of EOF
- djm@cvs.openbsd.org 2001/02/07 15:27:19
[sftp.c]
Don't forward agent and X11 in sftp. Suggestion from Roumen Petrov
<roumen.petrov@skalasoft.com>
- stevesk@cvs.openbsd.org 2001/02/07 15:36:04
[sftp-int.c]
portable; ok markus@
- stevesk@cvs.openbsd.org 2001/02/07 15:55:47
[sftp-int.c]
lowercase cmds[].c also; ok markus@
- markus@cvs.openbsd.org 2001/02/07 17:04:52
[pathnames.h sftp.c]
allow sftp over ssh protocol 1; ok djm@
- deraadt@cvs.openbsd.org 2001/02/08 07:38:55
[scp.c]
memory leak fix, and snprintf throughout
- deraadt@cvs.openbsd.org 2001/02/08 08:02:02
[sftp-int.c]
plug a memory leak
- stevesk@cvs.openbsd.org 2001/02/08 10:11:23
[session.c sftp-client.c]
%i -> %d
- stevesk@cvs.openbsd.org 2001/02/08 10:57:59
[sftp-int.c]
typo
- stevesk@cvs.openbsd.org 2001/02/08 15:28:07
[sftp-int.c pathnames.h]
_PATH_LS; ok markus@
- djm@cvs.openbsd.org 2001/02/09 04:46:25
[sftp-int.c]
Check for NULL attribs for chown, chmod & chgrp operations, only send
relevant attribs back to server; ok markus@
- djm@cvs.openbsd.org 2001/02/06 15:05:25
[sftp.c]
Use getopt to process commandline arguments
- djm@cvs.openbsd.org 2001/02/06 15:06:21
[sftp.c ]
Wait for ssh subprocess at exit
- djm@cvs.openbsd.org 2001/02/06 15:18:16
[sftp-int.c]
stat target for remote chdir before doing chdir
- djm@cvs.openbsd.org 2001/02/06 15:32:54
[sftp.1]
Punctuation fix from Pekka Savola <pekkas@netcore.fi>
- provos@cvs.openbsd.org 2001/02/05 22:22:02
[sftp-int.c]
cleanup get_pathname, fix pwd after failed cd. okay djm@
- (djm) Update makefile.in for _PATH_SFTP_SERVER
- (bal) sftp-client.c replace NULL w/ 0 in do_ls() (pending in OpenBSD tree)
20010209
- (bal) patch to vis.c to deal with HAVE_VIS right by Robert Mooney
<rjmooney@mediaone.net>
- (bal) .c.o rule in openbsd-compat/Makefile.in did not make it to the
main tree while porting forward. Pointed out by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (bal) double entry in configure.in. Pointed out by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (stevesk) OpenBSD sync:
- markus@cvs.openbsd.org 2001/02/08 11:20:01
[auth2.c]
strict checking
- markus@cvs.openbsd.org 2001/02/08 11:15:22
[version.h]
update to 2.3.2
- markus@cvs.openbsd.org 2001/02/08 11:12:30
[auth2.c]
fix typo
- (djm) Update spec files
- (bal) OpenBSD sync:
- deraadt@cvs.openbsd.org 2001/02/08 14:38:54
[scp.c]
memory leak fix, and snprintf throughout
- markus@cvs.openbsd.org 2001/02/06 22:43:02
[clientloop.c]
remove confusing callback code
- (djm) Add CVS Id's to files that we have missed
- (bal) OpenBSD Sync (more):
- itojun@cvs.openbsd.org 2001/02/08 19:30:52
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long
- markus@cvs.openbsd.org 2001/02/06 22:07:42
[ssh.c]
fatal() if subsystem fails
- markus@cvs.openbsd.org 2001/02/06 22:43:02
[ssh.c]
remove confusing callback code
- jakob@cvs.openbsd.org 2001/02/06 23:03:24
[ssh.c]
add -1 option (force protocol version 1). ok markus@
- jakob@cvs.openbsd.org 2001/02/06 23:06:21
[ssh.c]
reorder -{1,2,4,6} options. ok markus@
- (bal) Missing 'const' in readpass.h
- (bal) OpenBSD Sync (so at least the thing compiles for 2.3.2 =)
- djm@cvs.openbsd.org 2001/02/06 23:30:28
[sftp-client.c]
replace arc4random with counter for request ids; ok markus@
- (djm) Define _PATH_TTY for systems that don't. Report from Lutz
Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
20010208
- (djm) Don't delete external askpass program in make uninstall target.
Report and fix from Roumen Petrov <roumen.petrov@skalasoft.com>
- (djm) Fix linking of sftp, don't need arc4random any more.
- (djm) Try to use shell that supports "test -S" for EGD socket search.
Based on patch from Tim Rice <tim@multitalents.net>
20010207
- (bal) Save the whole path to AR in configure. Some Solaris 2.7 installs
seem lose track of it while in openbsd-compat/ (two confirmed reports)
- (djm) Much KNF on PAM code
- (djm) Revise auth-pam.c conversation function to be a little more
readable.
- (djm) Revise kbd-int PAM conversation function to fold all text messages
to before first prompt. Fixes hangs if last pam_message did not require
a reply.
- (djm) Fix password changing when using PAM kbd-int authentication
20010205
- (bal) Disable groupaccess by setting NGROUPS_MAX to 0 for platforms
that don't have NGROUPS_MAX.
- (bal) AIX patch for auth1.c by William L. Jones <jones@hpc.utexas.edu>
- (stevesk) OpenBSD sync:
- stevesk@cvs.openbsd.org 2001/02/04 08:32:27
[many files; did this manually to our top-level source dir]
unexpand and remove end-of-line whitespace; ok markus@
- stevesk@cvs.openbsd.org 2001/02/04 15:21:19
[sftp-server.c]
SSH2_FILEXFER_ATTR_UIDGID support; ok markus@
- deraadt@cvs.openbsd.org 2001/02/04 17:02:32
[sftp-int.c]
? == help
- deraadt@cvs.openbsd.org 2001/02/04 16:47:46
[sftp-int.c]
sort commands, so that abbreviations work as expected
- stevesk@cvs.openbsd.org 2001/02/04 15:17:52
[sftp-int.c]
debugging sftp: precedence and missing break. chmod, chown, chgrp
seem to be working now.
- markus@cvs.openbsd.org 2001/02/04 14:41:21
[sftp-int.c]
use base 8 for umask/chmod
- markus@cvs.openbsd.org 2001/02/04 11:11:54
[sftp-int.c]
fix LCD
- markus@cvs.openbsd.org 2001/02/04 08:10:44
[ssh.1]
typo; dpo@club-internet.fr
- stevesk@cvs.openbsd.org 2001/02/04 06:30:12
[auth2.c authfd.c packet.c]
remove duplicate #include's; ok markus@
- deraadt@cvs.openbsd.org 2001/02/04 16:56:23
[scp.c sshd.c]
alpha happiness
- stevesk@cvs.openbsd.org 2001/02/04 15:12:17
[sshd.c]
precedence; ok markus@
- deraadt@cvs.openbsd.org 2001/02/04 08:14:15
[ssh.c sshd.c]
make the alpha happy
- markus@cvs.openbsd.org 2001/01/31 13:37:24
[channels.c channels.h serverloop.c ssh.c]
do not disconnect if local port forwarding fails, e.g. if port is
already in use
- markus@cvs.openbsd.org 2001/02/01 14:58:09
[channels.c]
use ipaddr in channel messages, ietf-secsh wants this
- markus@cvs.openbsd.org 2001/01/31 12:26:20
[channels.c]
ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE
messages; bug report from edmundo@rano.org
- markus@cvs.openbsd.org 2001/01/31 13:48:09
[sshconnect2.c]
unused
- deraadt@cvs.openbsd.org 2001/02/04 08:23:08
[sftp-client.c sftp-server.c]
make gcc on the alpha even happier
20010204
- (bal) I think this is the last of the bsd-*.h that don't belong.
- (bal) Minor Makefile fix
- (bal) openbsd-compat/Makefile minor fix. Ensure dependancies are done
right.
- (bal) Changed order of LIB="" in -with-skey due to library resolving.
- (bal) next-posix.h changed to bsd-nextstep.h
- (djm) OpenBSD CVS sync:
- markus@cvs.openbsd.org 2001/02/03 03:08:38
[auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c]
[canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8]
[sshd_config]
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
- markus@cvs.openbsd.org 2001/02/03 03:19:51
[ssh.1 sshd.8 sshd_config]
Skey is now called ChallengeResponse
- markus@cvs.openbsd.org 2001/02/03 03:43:09
[sshd.8]
use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean
channel. note from Erik.Anggard@cygate.se (pr/1659)
- stevesk@cvs.openbsd.org 2001/02/03 10:03:06
[ssh.1]
typos; ok markus@
- djm@cvs.openbsd.org 2001/02/04 04:11:56
[scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h]
[sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c]
Basic interactive sftp client; ok theo@
- (djm) Update RPM specs for new sftp binary
- (djm) Update several bits for new optional reverse lookup stuff. I
think I got them all.
- (djm) Makefile.in fixes
- (stevesk) add mysignal() wrapper and use it for the protocol 2
SIGCHLD handler.
- (djm) Use setvbuf() instead of setlinebuf(). Suggest from stevesk@
20010203
- (bal) Cygwin clean up by Corinna Vinschen <vinschen@redhat.com>
- (bal) renamed queue.h to fake-queue.h (even if it's an OpenBSD
based file) to ensure #include space does not get confused.
- (bal) Minor Makefile.in tweak. dirname may not exist on some
platforms so builds fail. (NeXT being a well known one)
20010202
- (bal) Makefile fix where sourcedir != builddir by Corinna Vinschen
<vinschen@redhat.com>
- (bal) Makefile fix to use $(MAKE) instead of 'make' for platforms
that use 'gmake'. Patch by Tim Rice <tim@multitalents.net>
20010201
- (bal) Minor fix to Makefile to stop rebuilding executables if no
changes have occured to any of the supporting code. Patch by
Roumen Petrov <roumen.petrov@skalasoft.com>
20010131
- (djm) OpenBSD CVS Sync:
- djm@cvs.openbsd.org 2001/01/30 15:48:53
[sshconnect.c]
Make warning message a little more consistent. ok markus@
- (djm) Fix autoconf logic for --with-lastlog=no Report and diagnosis from
Philipp Buehler <lists@fips.de> and Kevin Steves <stevesk@sweden.hp.com>
respectively.
- (djm) Don't log SSH2 PAM KbdInt responses to debug, they may contain
passwords.
- (bal) Reorder. Move all bsd-*, fake-*, next-*, and cygwin* stuff to
openbsd-compat/. And resolve all ./configure and Makefile.in issues
assocated.
20010130
- (djm) OpenBSD CVS Sync:
- markus@cvs.openbsd.org 2001/01/29 09:55:37
[channels.c channels.h clientloop.c serverloop.c]
fix select overflow; ok deraadt@ and stevesk@
- markus@cvs.openbsd.org 2001/01/29 12:42:35
[canohost.c canohost.h channels.c clientloop.c]
add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS
- markus@cvs.openbsd.org 2001/01/29 12:47:32
[rsa.c rsa.h ssh-agent.c sshconnect1.c sshd.c]
handle rsa_private_decrypt failures; helps against the Bleichenbacher
pkcs#1 attack
- djm@cvs.openbsd.org 2001/01/29 05:36:11
[ssh.1 ssh.c]
Allow invocation of sybsystem by commandline (-s); ok markus@
- (stevesk) configure.in: remove duplicate PROG_LS
20010129
- (stevesk) sftp-server.c: use %lld vs. %qd
20010128
- (bal) Put USE_PIPES back into sco3.2v5
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/28 10:15:34
[dispatch.c]
re-keying is not supported; ok deraadt@
- markus@cvs.openbsd.org 2001/01/28 10:24:04
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
cleanup AUTHORS sections
- markus@cvs.openbsd.org 2001/01/28 10:37:26
[sshd.c sshd.8]
remove -Q, no longer needed
- stevesk@cvs.openbsd.org 2001/01/28 20:36:16
[readconf.c ssh.1]
``StrictHostKeyChecking ask'' documentation and small cleanup.
ok markus@
- stevesk@cvs.openbsd.org 2001/01/28 20:43:25
[sshd.8]
spelling. ok markus@
- stevesk@cvs.openbsd.org 2001/01/28 20:53:21
[xmalloc.c]
use size_t for strlen() return. ok markus@
- stevesk@cvs.openbsd.org 2001/01/28 22:27:05
[authfile.c]
spelling. use sizeof vs. strlen(). ok markus@
- niklas@cvs.openbsd.org 2001/01/29 1:59:14
[atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h
groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h
key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h
radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1
ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config
sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h]
$OpenBSD$
- (bal) Minor auth2.c resync. Whitespace and moving of an #include.
20010126
- (bal) SSH_PROGRAM vs _PATH_SSH_PROGRAM fix pointed out by Roumen
Petrov <roumen.petrov@skalasoft.com>
- (bal) OpenBSD Sync
- deraadt@cvs.openbsd.org 2001/01/25 8:06:33
[ssh-agent.c]
call _exit() in signal handler
20010125
- (djm) Sync bsd-* support files:
- deraadt@cvs.openbsd.org 2000/01/26 03:43:20
[rresvport.c bindresvport.c]
new bindresvport() semantics that itojun, shin, jean-luc and i have
agreed on, which will be happy for the future. bindresvport_sa() for
sockaddr *, too. docs later..
- deraadt@cvs.openbsd.org 2000/01/24 02:24:21
[bindresvport.c]
in bindresvport(), if sin is non-NULL, example sin->sin_family for
the actual family being processed
- (djm) Mention PRNGd in documentation, it is nicer than EGD
- (djm) Automatically search for "well-known" EGD/PRNGd sockets in autoconf
- (bal) AC_FUNC_STRFTIME added to autoconf
- (bal) OpenBSD Resync
- stevesk@cvs.openbsd.org 2001/01/24 21:03:50
[channels.c]
missing freeaddrinfo(); ok markus@
20010124
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/23 10:45:10
[ssh.h]
nuke comment
- (bal) no 64bit support patch from Tim Rice <tim@multitalents.net>
- (bal) #ifdef around S_IFSOCK if platform does not support it.
patch by Tim Rice <tim@multitalents.net>
- (bal) fake-regex.h cleanup based on Tim Rice's patch.
- (stevesk) sftp-server.c: fix chmod() mode mask
20010123
- (bal) regexp.h typo in configure.in. Should have been regex.h
- (bal) SSH_USER_DIR to _PATH_SSH_USER_DIR patch by stevesk@
- (bal) SSH_ASKPASS_DEFAULT to _PATH_SSH_ASKPASS_DEFAULT
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/22 8:15:00
[auth-krb4.c sshconnect1.c]
only AFS needs radix.[ch]
- markus@cvs.openbsd.org 2001/01/22 8:32:53
[auth2.c]
no need to include; from mouring@etoh.eviladmin.org
- stevesk@cvs.openbsd.org 2001/01/22 16:55:21
[key.c]
free() -> xfree(); ok markus@
- stevesk@cvs.openbsd.org 2001/01/22 17:22:28
[sshconnect2.c sshd.c]
fix memory leaks in SSH2 key exchange; ok markus@
- markus@cvs.openbsd.org 2001/01/22 23:06:39
[auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
sshconnect1.c sshconnect2.c sshd.c]
rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
20010122
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus
[servconf.c ssh.h sshd.c]
only auth-chall.c needs #ifdef SKEY
- markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus
[auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c
auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c
packet.c pathname.h readconf.c scp.c servconf.c serverloop.c
session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h
ssh1.h sshconnect1.c sshd.c ttymodes.c]
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
- markus@cvs.openbsd.org 2001/01/19 16:48:14
[sshd.8]
fix typo; from stevesk@
- markus@cvs.openbsd.org 2001/01/19 16:50:58
[ssh-dss.c]
clear and free digest, make consistent with other code (use dlen); from
stevesk@
- markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus
[auth-options.c auth-options.h auth-rsa.c auth2.c]
pass the filename to auth_parse_options()
- markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001
[readconf.c]
fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com
- stevesk@cvs.openbsd.org 2001/01/20 18:20:29
[sshconnect2.c]
dh_new_group() does not return NULL. ok markus@
- markus@cvs.openbsd.org 2001/01/20 21:33:42
[ssh-add.c]
do not loop forever if askpass does not exist; from
andrew@pimlott.ne.mediaone.net
- djm@cvs.openbsd.org 2001/01/20 23:00:56
[servconf.c]
Check for NULL return from strdelim; ok markus
- djm@cvs.openbsd.org 2001/01/20 23:02:07
[readconf.c]
KNF; ok markus
- jakob@cvs.openbsd.org 2001/01/21 9:00:33
[ssh-keygen.1]
remove -R flag; ok markus@
- markus@cvs.openbsd.org 2001/01/21 19:05:40
[atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c
auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c
auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c
bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c
cipher.c cli.c clientloop.c clientloop.h compat.c compress.c
deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c
key.c key.h log-client.c log-server.c log.c log.h login.c login.h
match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c
readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h
session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c
ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h
sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h
ttysmodes.c uidswap.c xmalloc.c]
split ssh.h and try to cleanup the #include mess. remove unnecessary
#includes. rename util.[ch] -> misc.[ch]
- (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree
- (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve
conflict when compiling for non-kerb install
- (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes
on 1/19.
20010120
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/19 12:45:26
[ssh-chall.c servconf.c servconf.h ssh.h sshd.c]
only auth-chall.c needs #ifdef SKEY
- (bal) Slight auth2-pam.c clean up.
- (bal) Includes a fake-regexp.h to be only used if regcomp() is found,
but no 'regexp.h' found (SCO OpenServer 3 lacks the header).
20010119
- (djm) Update versions in RPM specfiles
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/18 16:20:21
[log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h
sshd.8 sshd.c]
log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many
systems
- markus@cvs.openbsd.org 2001/01/18 16:59:59
[auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c
session.h sshconnect1.c]
1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.
- markus@cvs.openbsd.org 2001/01/18 17:12:43
[auth-chall.c auth2-chall.c]
rename *-skey.c *-chall.c since the files are not skey specific
- (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai <nalin@redhat.com>)
to fix NULL pointer deref and fake authloop breakage in PAM code.
- (bal) Updated contrib/cygwin/ by Corinna Vinschen <vinschen@redhat.com>
- (bal) Minor cygwin patch to auth1.c. Suggested by djm.
20010118
- (bal) Super Sized OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/11 22:14:20 GMT 2001 by markus
[sshd.c]
maxfd+1
- markus@cvs.openbsd.org 2001/01/13 17:59:18
[ssh-keygen.1]
small ssh-keygen manpage cleanup; stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:03:07
[scp.c ssh-keygen.c sshd.c]
getopt() returns -1 not EOF; stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:06:54
[ssh-keyscan.c]
use SSH_DEFAULT_PORT; from stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:12:47
[ssh-keyscan.c]
free() -> xfree(); fix memory leak; from stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/13 18:14:13
[ssh-add.c]
typo, from stevesk@sweden.hp.com
- markus@cvs.openbsd.org 2001/01/13 18:32:50
[packet.c session.c ssh.c sshconnect.c sshd.c]
split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
- markus@cvs.openbsd.org 2001/01/13 18:36:45
[packet.c packet.h]
reorder, typo
- markus@cvs.openbsd.org 2001/01/13 18:38:00
[auth-options.c]
fix comment
- markus@cvs.openbsd.org 2001/01/13 18:43:31
[session.c]
Wall
- markus@cvs.openbsd.org 2001/01/13 19:14:08
[clientloop.h clientloop.c ssh.c]
move callback to headerfile
- markus@cvs.openbsd.org 2001/01/15 21:40:10
[ssh.c]
use log() instead of stderr
- markus@cvs.openbsd.org 2001/01/15 21:43:51
[dh.c]
use error() not stderr!
- markus@cvs.openbsd.org 2001/01/15 21:45:29
[sftp-server.c]
rename must fail if newpath exists, debug off by default
- markus@cvs.openbsd.org 2001/01/15 21:46:38
[sftp-server.c]
readable long listing for sftp-server, ok deraadt@
- markus@cvs.openbsd.org 2001/01/16 19:20:06
[key.c ssh-rsa.c]
make "ssh-rsa" key format for ssh2 confirm to the ietf-drafts; from
galb@vandyke.com. note that you have to delete older ssh2-rsa keys,
since they are in the wrong format, too. they must be removed from
.ssh/authorized_keys2 and .ssh/known_hosts2, etc.
(cd; grep -v ssh-rsa .ssh/authorized_keys2 > TMP && mv TMP
.ssh/authorized_keys2) additionally, we now check that
BN_num_bits(rsa->n) >= 768.
- markus@cvs.openbsd.org 2001/01/16 20:54:27
[sftp-server.c]
remove some statics. simpler handles; idea from nisse@lysator.liu.se
- deraadt@cvs.openbsd.org 2001/01/16 23:58:08
[bufaux.c radix.c sshconnect.h sshconnect1.c]
indent
- (bal) Added bsd-strmode.[ch] since some non-OpenBSD platforms may
be missing such feature.
20010117
- (djm) Only write random seed file at exit
- (djm) Make PAM support optional, enable with --with-pam
- (djm) Try to use libcrypt on Linux, but link it after OpenSSL (which
provides a crypt() of its own)
- (djm) Avoid a warning in bsd-bindresvport.c
- (djm) Try to avoid adding -I/usr/include to CPPFLAGS during SSL tests. This
can cause weird segfaults errors on Solaris
- (djm) Avoid warning in PAM code by making read_passphrase arguments const
- (djm) Add --with-pam to RPM spec files
20010115
- (bal) sftp-server.c change to use chmod() if fchmod() does not exist.
- (bal) utimes() support via utime() interface on machine that lack utimes().
20010114
- (stevesk) initial work for OpenBSD "support supplementary group in
{Allow,Deny}Groups" patch:
- import getgrouplist.c from OpenBSD (bsd-getgrouplist.c)
- add bsd-getgrouplist.h
- new files groupaccess.[ch]
- build but don't use yet (need to merge auth.c changes)
- (stevesk) complete:
- markus@cvs.openbsd.org 2001/01/13 11:56:48
[auth.c sshd.8]
support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com
20010112
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/10 22:56:22
[bufaux.h bufaux.c sftp-server.c sftp.h getput.h]
cleanup sftp-server implementation:
add buffer_get_int64, buffer_put_int64, GET_64BIT, PUT_64BIT
parse SSH2_FILEXFER_ATTR_EXTENDED
send SSH2_FX_EOF if readdir returns no more entries
reply to SSH2_FXP_EXTENDED message
use #defines from the draft
move #definations to sftp.h
more info:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt
- markus@cvs.openbsd.org 2001/01/10 19:43:20
[sshd.c]
XXX - generate_empheral_server_key() is not safe against races,
because it calls log()
- markus@cvs.openbsd.org 2001/01/09 21:19:50
[packet.c]
allow TCP_NDELAY for ipv6; from netbsd via itojun@
20010110
- (djm) SNI/Reliant Unix needs USE_PIPES and $DISPLAY hack. Report from
Bladt Norbert <Norbert.Bladt@adi.ch>
20010109
- (bal) Resync CVS ID of cli.c
- (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE
code.
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/08 22:29:05
[auth2.c compat.c compat.h servconf.c servconf.h sshd.8
sshd_config version.h]
implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).
- markus@cvs.openbsd.org 2001/01/08 22:03:23
[channels.c ssh-keyscan.c]
O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/08 21:55:41
[sshconnect1.c]
more cleanups and fixes from stevesk@pobox.com:
1) try_agent_authentication() for loop will overwrite key just
allocated with key_new(); don't alloc
2) call ssh_close_authentication_connection() before exit
try_agent_authentication()
3) free mem on bad passphrase in try_rsa_authentication()
- markus@cvs.openbsd.org 2001/01/08 21:48:17
[kex.c]
missing free; thanks stevesk@pobox.com
- (bal) Detect if clock_t structure exists, if not define it.
- (bal) Detect if O_NONBLOCK exists, if not define it.
- (bal) removed news4-posix.h (now empty)
- (bal) changed bsd-bindresvport.c and bsd-rresvport.c to use 'socklen_t'
instead of 'int'
- (stevesk) sshd_config: sync
- (stevesk) defines.h: remove spurious ``;''
20010108
- (bal) Fixed another typo in cli.c
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/07 21:26:55
[cli.c]
typo
- markus@cvs.openbsd.org 2001/01/07 21:26:55
[cli.c]
missing free, stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/07 19:06:25
[auth1.c]
missing free, stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/07 11:28:04
[log-client.c log-server.c log.c readconf.c servconf.c ssh.1
ssh.h sshd.8 sshd.c]
rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE
- Updated TODO
20010107
- (bal) OpenBSD Sync
- markus@cvs.openbsd.org 2001/01/06 11:23:27
[ssh-rsa.c]
remove unused
- itojun@cvs.openbsd.org 2001/01/05 08:23:29
[ssh-keyscan.1]
missing .El
- markus@cvs.openbsd.org 2001/01/04 22:41:03
[session.c sshconnect.c]
consistent use of _PATH_BSHELL; from stevesk@pobox.com
- djm@cvs.openbsd.org 2001/01/04 22:35:32
[ssh.1 sshd.8]
Mention AES as available SSH2 Cipher; ok markus
- markus@cvs.openbsd.org 2001/01/04 22:25:58
[sshd.c]
sync usage()/man with defaults; from stevesk@pobox.com
- markus@cvs.openbsd.org 2001/01/04 22:21:26
[sshconnect2.c]
handle SSH2_MSG_USERAUTH_BANNER; fixes bug when connecting to a server
that prints a banner (e.g. /etc/issue.net)
20010105
- (bal) contrib/caldera/ provided by Tim Rice <tim@multitalents.net>
- (bal) bsd-getcwd.c and bsd-setenv.c changed from bcopy() to memmove()
20010104
- (djm) Fix memory leak on systems with BROKEN_GETADDRINFO. Based on
work by Chris Vaughan <vaughan99@yahoo.com>
20010103
- (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD
tree (mainly positioning)
- (bal) OpenSSH CVS Update
- markus@cvs.openbsd.org 2001/01/02 20:41:02
[packet.c]
log remote ip on disconnect; PR 1600 from jcs@rt.fm
- markus@cvs.openbsd.org 2001/01/02 20:50:56
[sshconnect.c]
strict_host_key_checking for host_status != HOST_CHANGED &&
ip_status == HOST_CHANGED
- (bal) authfile.c: Synced CVS ID tag
- (bal) UnixWare 2.0 fixes by Tim Rice <tim@multitalents.net>
- (bal) Disable sftp-server if no 64bit int support exists. Based on
patch by Tim Rice <tim@multitalents.net>
- (bal) Makefile.in changes to uninstall: target to remove sftp-server
and sftp-server.8 manpage.
20010102
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2001/01/01 14:52:49
[scp.c]
use shared fatal(); from stevesk@pobox.com
20001231
- (bal) Reverted out of MAXHOSTNAMELEN. This should be set per OS.
for multiple reasons.
- (bal) Reverted out of a partial NeXT patch.
20001230
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2000/12/28 18:58:30
[ssh-keygen.c]
enable 'ssh-keygen -l -f ~/.ssh/{authorized_keys,known_hosts}{,2}
- markus@cvs.openbsd.org 2000/12/29 22:19:13
[channels.c]
missing xfree; from vaughan99@yahoo.com
- (bal) Resynced CVS ID with OpenBSD for channel.c and uidswap.c
- (bal) if no MAXHOSTNAMELEN is defined. Default to 64 character defination.
Suggested by Christian Kurz <shorty@debian.org>
- (bal) Add in '.c.o' section to Makefile.in to address make programs that
don't honor CPPFLAGS by default. Suggested by Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
20001229
- (bal) Fixed spelling of 'authorized_keys' in ssh-copy-id.1 by Christian
Kurz <shorty@debian.org>
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2000/12/28 14:25:51
[auth.h auth2.c]
count authentication failures only
- markus@cvs.openbsd.org 2000/12/28 14:25:03
[sshconnect.c]
fingerprint for MITM attacks, too.
- markus@cvs.openbsd.org 2000/12/28 12:03:57
[sshd.8 sshd.c]
document -D
- markus@cvs.openbsd.org 2000/12/27 14:19:21
[serverloop.c]
less chatty
- markus@cvs.openbsd.org 2000/12/27 12:34
[auth1.c sshconnect2.c sshd.c]
typo
- markus@cvs.openbsd.org 2000/12/27 12:30:19
[readconf.c readconf.h ssh.1 sshconnect.c]
new option: HostKeyAlias: allow the user to record the host key
under a different name. This is useful for ssh tunneling over
forwarded connections or if you run multiple sshd's on different
ports on the same machine.
- markus@cvs.openbsd.org 2000/12/27 11:51:53
[ssh.1 ssh.c]
multiple -t force pty allocation, document ORIGINAL_COMMAND
- markus@cvs.openbsd.org 2000/12/27 11:41:31
[sshd.8]
update for ssh-2
- (stevesk) compress.[ch] sync with openbsd; missed in prototype
fix merge.
20001228
- (bal) Patch to add libutil.h to loginrec.c only if the platform has
libutil.h. Suggested by Pekka Savola <pekka@netcore.fi>
- (djm) Update to new x11-askpass in RPM spec
- (bal) SCO patch to not include <sys/queue.h> since it's unrelated
header. Patch by Tim Rice <tim@multitalents.net>
- Updated TODO w/ known HP/UX issue
- (bal) removed extra <netdb.h> noticed by Kevin Steves and removed the
bad reference to 'NeXT including it else were' on the #ifdef version.
20001227
- (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by
Takumi Yamane <yamtak@b-session.com>
- (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch
by Corinna Vinschen <vinschen@redhat.com>
- (djm) Fix catman-do target for non-bash
- (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by
Takumi Yamane <yamtak@b-session.com>
- (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch
by Corinna Vinschen <vinschen@redhat.com>
- (djm) Fix catman-do target for non-bash
- (bal) Fixed NeXT's lack of CPPFLAGS honoring.
- (bal) ssh-keyscan.c: NeXT (and older BSDs) don't support getrlimit() w/
'RLIMIT_NOFILE'
- (djm) Remove *.Ylonen files. They are no longer in the OpenBSD tree,
the info in COPYING.Ylonen has been moved to the start of each
SSH1-derived file and README.Ylonen is well out of date.
20001223
- (bal) Fixed Makefile.in to support recompile of all ssh and sshd objects
if a change to config.h has occurred. Suggested by Gert Doering
<gert@greenie.muc.de>
- (bal) OpenBSD CVS Update:
- markus@cvs.openbsd.org 2000/12/22 16:49:40
[ssh-keygen.c]
fix ssh-keygen -x -t type > file; from Roumen.Petrov@skalasoft.com
20001222
- Updated RCSID for pty.c
- (bal) OpenBSD CVS Updates:
- markus@cvs.openbsd.org 2000/12/21 15:10:16
[auth-rh-rsa.c hostfile.c hostfile.h sshconnect.c]
print keyfile:line for changed hostkeys, for deraadt@, ok deraadt@
- markus@cvs.openbsd.org 2000/12/20 19:26:56
[authfile.c]
allow ssh -i userkey for root
- markus@cvs.openbsd.org 2000/12/20 19:37:21
[authfd.c authfd.h kex.c sshconnect2.c sshd.c uidswap.c uidswap.h]
fix prototypes; from stevesk@pobox.com
- markus@cvs.openbsd.org 2000/12/20 19:32:08
[sshd.c]
init pointer to NULL; report from Jan.Ivan@cern.ch
- markus@cvs.openbsd.org 2000/12/19 23:17:54
[auth-krb4.c auth-options.c auth-options.h auth-rhosts.c auth-rsa.c
auth1.c auth2-skey.c auth2.c authfd.c authfd.h authfile.c bufaux.c
bufaux.h buffer.c canohost.c channels.c clientloop.c compress.c
crc32.c deattack.c getput.h hmac.c hmac.h hostfile.c kex.c kex.h
key.c key.h log.c login.c match.c match.h mpaux.c mpaux.h packet.c
packet.h radix.c readconf.c rsa.c scp.c servconf.c servconf.h
serverloop.c session.c sftp-server.c ssh-agent.c ssh-dss.c ssh-dss.h
ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh-rsa.h ssh.c ssh.h uuencode.c
uuencode.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c]
replace 'unsigned bla' with 'u_bla' everywhere. also replace 'char
unsigned' with u_char.
20001221
- (stevesk) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/19 15:43:45
[authfile.c channels.c sftp-server.c ssh-agent.c]
remove() -> unlink() for consistency
- markus@cvs.openbsd.org 2000/12/19 15:48:09
[ssh-keyscan.c]
replace <ssl/x.h> with <openssl/x.h>
- markus@cvs.openbsd.org 2000/12/17 02:33:40
[uidswap.c]
typo; from wsanchez@apple.com
20001220
- (djm) Workaround PAM inconsistencies between Solaris derived PAM code
and Linux-PAM. Based on report and fix from Andrew Morgan
<morgan@transmeta.com>
20001218
- (stevesk) rsa.c: entropy.h not needed.
- (bal) split CFLAGS into CFLAGS and CPPFLAGS in configure.in and Makefile.
Suggested by Wilfredo Sanchez <wsanchez@apple.com>
20001216
- (stevesk) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/16 02:53:57
[scp.c]
allow + in usernames; request from Florian.Weimer@RUS.Uni-Stuttgart.DE
- markus@cvs.openbsd.org 2000/12/16 02:39:57
[scp.c]
unused; from stevesk@pobox.com
20001215
- (stevesk) Old OpenBSD patch wasn't completely applied:
- markus@cvs.openbsd.org 2000/01/24 22:11:20
[scp.c]
allow '.' in usernames; from jedgar@fxp.org
- (stevesk) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/13 16:26:53
[ssh-keyscan.c]
fatal already adds \n; from stevesk@pobox.com
- markus@cvs.openbsd.org 2000/12/13 16:25:44
[ssh-agent.c]
remove redundant spaces; from stevesk@pobox.com
- ho@cvs.openbsd.org 2000/12/12 15:50:21
[pty.c]
When failing to set tty owner and mode on a read-only filesystem, don't
abort if the tty already has correct owner and reasonably sane modes.
Example; permit 'root' to login to a firewall with read-only root fs.
(markus@ ok)
- deraadt@cvs.openbsd.org 2000/12/13 06:36:05
[pty.c]
KNF
- markus@cvs.openbsd.org 2000/12/12 14:45:21
[sshd.c]
source port < 1024 is no longer required for rhosts-rsa since it
adds no additional security.
- markus@cvs.openbsd.org 2000/12/12 16:11:49
[ssh.1 ssh.c]
rhosts-rsa is no longer automagically disabled if ssh is not privileged.
UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers.
these changes should not change the visible default behaviour of the ssh client.
- deraadt@cvs.openbsd.org 2000/12/11 10:27:33
[scp.c]
when copying 0-sized files, do not re-print ETA time at completion
- provos@cvs.openbsd.org 2000/12/15 10:30:15
[kex.c kex.h sshconnect2.c sshd.c]
compute diffie-hellman in parallel between server and client. okay markus@
20001213
- (djm) Make sure we reset the SIGPIPE disposition after we fork. Report
from Andreas M. Kirchwitz <amk@krell.zikzak.de>
- (stevesk) OpenBSD CVS update:
- markus@cvs.openbsd.org 2000/12/12 15:30:02
[ssh-keyscan.c ssh.c sshd.c]
consistently use __progname; from stevesk@pobox.com
20001211
- (bal) Applied patch to include ssh-keyscan into Redhat's package, and
patch to install ssh-keyscan manpage. Patch by Pekka Savola
<pekka@netcore.fi>
- (bal) OpenbSD CVS update
- markus@cvs.openbsd.org 2000/12/10 17:01:53
[sshconnect1.c]
always request new challenge for skey/tis-auth, fixes interop with
other implementations; report from roth@feep.net
20001210
- (bal) OpenBSD CVS updates
- markus@cvs.openbsd.org 2000/12/09 13:41:51
[cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h]
undo rijndael changes
- markus@cvs.openbsd.org 2000/12/09 13:48:31
[rijndael.c]
fix byte order bug w/o introducing new implementation
- markus@cvs.openbsd.org 2000/12/09 14:08:27
[sftp-server.c]
"" -> "." for realpath; from vinschen@redhat.com
- markus@cvs.openbsd.org 2000/12/09 14:06:54
[ssh-agent.c]
extern int optind; from stevesk@sweden.hp.com
- provos@cvs.openbsd.org 2000/12/09 23:51:11
[compat.c]
remove unnecessary '\n'
20001209
- (bal) OpenBSD CVS updates:
- djm@cvs.openbsd.org 2000/12/07 4:24:59
[ssh.1]
Typo fix from Wilfredo Sanchez <wsanchez@apple.com>; ok theo
20001207
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/06 22:58:14
[compat.c compat.h packet.c]
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
- markus@cvs.openbsd.org 2000/12/06 23:10:39
[rijndael.c]
unexpand(1)
- markus@cvs.openbsd.org 2000/12/06 23:05:43
[cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h]
new rijndael implementation. fixes endian bugs
20001206
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/05 20:34:09
[channels.c channels.h clientloop.c serverloop.c]
async connects for -R/-L; ok deraadt@
- todd@cvs.openssh.org 2000/12/05 16:47:28
[sshd.c]
tweak comment to reflect real location of pid file; ok provos@
- (stevesk) Import <sys/queue.h> from OpenBSD for systems that don't
have it (used in ssh-keyscan).
- (stevesk) OpenBSD CVS update:
- markus@cvs.openbsd.org 2000/12/06 19:57:48
[ssh-keyscan.c]
err(3) -> internal error(), from stevesk@sweden.hp.com
20001205
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/04 19:24:02
[ssh-keyscan.c ssh-keyscan.1]
David Maziere's ssh-keyscan, ok niels@
- (bal) Updated Makefile.in to include ssh-keyscan that was just added
to the recent OpenBSD source tree.
- (stevesk) fix typos in contrib/hpux/README
20001204
- (bal) More C functions defined in NeXT that are unaccessable without
defining -POSIX.
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/12/03 11:29:04
[compat.c]
remove fallback to SSH_BUG_HMAC now that the drafts are updated
- markus@cvs.openbsd.org 2000/12/03 11:27:55
[compat.c]
correctly match "2.1.0.pl2 SSH" etc; from
pekkas@netcore.fi/bugzilla.redhat
- markus@cvs.openbsd.org 2000/12/03 11:15:03
[auth2.c compat.c compat.h sshconnect2.c]
support f-secure/ssh.com 2.0.12; ok niels@
20001203
- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/11/30 22:54:31
[channels.c]
debug->warn if tried to do -R style fwd w/o client requesting this;
ok neils@
- markus@cvs.openbsd.org 2000/11/29 20:39:17
[cipher.c]
des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV
- markus@cvs.openbsd.org 2000/11/30 18:33:05
[ssh-agent.c]
agents must not dump core, ok niels@
- markus@cvs.openbsd.org 2000/11/30 07:04:02
[ssh.1]
T is for both protocols
- markus@cvs.openbsd.org 2000/12/01 00:00:51
[ssh.1]
typo; from green@FreeBSD.org
- markus@cvs.openbsd.org 2000/11/30 07:02:35
[ssh.c]
check -T before isatty()
- provos@cvs.openbsd.org 2000/11/29 13:51:27
[sshconnect.c]
show IP address and hostname when new key is encountered. okay markus@
- markus@cvs.openbsd.org 2000/11/30 22:53:35
[sshconnect.c]
disable agent/x11/port fwding if hostkey has changed; ok niels@
- marksu@cvs.openbsd.org 2000/11/29 21:11:59
[sshd.c]
sshd -D, startup w/o deamon(), for monitoring scripts or inittab;
from handler@sub-rosa.com and eric@urbanrange.com; ok niels@
- (djm) Added patch from Nalin Dahyabhai <nalin@redhat.com> to enable
PAM authentication using KbdInteractive.
- (djm) Added another TODO
20001202
- (bal) Backed out of part of Alain St-Denis' loginrec.c patch.
- (bal) Irix need some sort of mansubdir, patch by Michael Stone
<mstone@cs.loyola.edu>
20001129
- (djm) Back out all the serverloop.c hacks. sshd will now hang again
if there are background children with open fds.
- (djm) bsd-rresvport.c bzero -> memset
- (djm) Don't fail in defines.h on absence of 64 bit types (we will
still fail during compilation of sftp-server).
- (djm) Fail if ar is not found during configure
- (djm) OpenBSD CVS updates:
- provos@cvs.openbsd.org 2000/11/22 08:38:31
[sshd.8]
talk about /etc/primes, okay markus@
- markus@cvs.openbsd.org 2000/11/23 14:03:48
[ssh.c sshconnect1.c sshconnect2.c]
complain about invalid ciphers for ssh1/ssh2, fall back to reasonable
defaults
- markus@cvs.openbsd.org 2000/11/25 09:42:53
[sshconnect1.c]
reorder check for illegal ciphers, bugreport from espie@
- markus@cvs.openbsd.org 2000/11/25 10:19:34
[ssh-keygen.c ssh.h]
print keytype when generating a key.
reasonable defaults for RSA1/RSA/DSA keys.
- (djm) Patch from Pekka Savola <Pekka.Savola@netcore.fi> to include a few
more manpage paths in fixpaths calls
- (djm) Also add xauth path at Pekka's suggestion.
- (djm) Add Redhat RPM patch for AUTHPRIV SyslogFacility
20001125
- (djm) Give up privs when reading seed file
20001123
- (bal) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/15 22:31:36
[auth-options.c]
case insensitive key options; from stevesk@sweeden.hp.com
- markus@cvs.openbsd.org 2000/11/16 17:55:43
[dh.c]
do not use perror() in sshd, after child is forked()
- markus@cvs.openbsd.org 2000/11/14 23:42:40
[auth-rsa.c]
parse option only if key matches; fix some confusing seen by the client
- markus@cvs.openbsd.org 2000/11/14 23:44:19
[session.c]
check no_agent_forward_flag for ssh-2, too
- markus@cvs.openbsd.org 2000/11/15
[ssh-agent.1]
reorder SYNOPSIS; typo, use .It
- markus@cvs.openbsd.org 2000/11/14 23:48:55
[ssh-agent.c]
do not reorder keys if a key is removed
- markus@cvs.openbsd.org 2000/11/15 19:58:08
[ssh.c]
just ignore non existing user keys
- millert@cvs.openbsd.org 200/11/15 20:24:43
[ssh-keygen.c]
Add missing \n at end of error message.
20001122
- (bal) Minor patch to ensure platforms lacking IRIX job limit supports
are compilable.
- (bal) Updated TODO as of 11/18/2000 with known things to resolve.
20001117
- (bal) Changed from 'primes' to 'primes.out' for consistancy sake. It
has no affect the output. Patch by Corinna Vinschen <vinschen@redhat.com>
- (stevesk) Reworked progname support.
- (bal) Misplaced #include "includes.h" in bsd-setproctitle.c. Patch by
Shinichi Maruyama <marya@st.jip.co.jp>
20001116
- (bal) Added in MAXSYMLINK test in bsd-realpath.c. Required for some SCO
releases.
- (bal) Make builds work outside of source tree. Patch by Mark D. Roth
<roth@feep.net>
20001113
- (djm) Add pointer to http://www.imasy.or.jp/~gotoh/connect.c to
contrib/README
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
- (djm) Fix RPM spec file stupidity
- (djm) fixpaths to DSA and RSA keys too
20001112
- (bal) SCO Patch to add needed libraries for configure.in. Patch by
Phillips Porch <root@theporch.com>
- (bal) IRIX patch to adding Job Limits. Patch by Denis Parker
<dcp@sgi.com>
- (stevesk) pty.c: HP-UX 10 and 11 don't define TIOCSCTTY. Add error() to
failed ioctl(TIOCSCTTY) call.
20001111
- (djm) Added /etc/primes for kex DH group neg, fixup Makefile.in and
packaging files
- (djm) Fix new Makefile.in warnings
- (djm) Fix vsprintf("%h") in bsd-snprintf.c, short int va_args are
promoted to type int. Report and fix from Dan Astoorian
<djast@cs.toronto.edu>
- (djm) Hardwire sysconfdir in RPM spec files as some RPM versions get
it wrong. Report from Bennett Todd <bet@rahul.net>
20001110
- (bal) Fixed dropped answer from skey_keyinfo() in auth1.c
- (bal) Changed from --with-skey to --with-skey=PATH in configure.in
- (bal) Added in check to verify S/Key library is being detected in
configure.in
- (bal) next-posix.h - added another prototype wrapped in POSIX ifdef/endif.
Patch by Mark Miller <markm@swoon.net>
- (bal) Added 'util.h' header to loginrec.c only if HAVE_UTIL_H is defined
to remove warnings under MacOS X. Patch by Mark Miller <markm@swoon.net>
- (bal) Fixed LDFLAG mispelling in configure.in for --with-afs
20001107
- (bal) acconfig.in - removed the double "USE_PIPES" entry. Patch by
Mark Miller <markm@swoon.net>
- (bal) sshd.init files corrected to assign $? to RETVAL. Patch by
Jarno Huuskonen <jhuuskon@messi.uku.fi>
- (bal) fixpaths fixed to stop it from quitely failing. Patch by
Mark D. Roth <roth@feep.net>
20001106
- (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs
- (djm) Manually fix up missed diff hunks (mainly RCS idents)
- (djm) Remove UPGRADING document in favour of a link to the better
maintained FAQ on www.openssh.com
- (djm) Fix multiple dependancy on gnome-libs from Pekka Savola
<pekkas@netcore.fi>
- (djm) Don't need X11-askpass in RPM spec file if building without it
from Pekka Savola <pekkas@netcore.fi>
- (djm) Release 2.3.0p1
- (bal) typo in configure.in in regards to --with-ldflags from Marko
Asplund <aspa@kronodoc.fi>
- (bal) fixed next-posix.h. Forgot prototype of getppid().
Convert most MESSAGE files to new syntax (${VARIABLE} gets replaced,
not @VARIABLE@, nor @@VARIABLE@@).
By default, substitutions are done for LOCALBASE, PKGNAME, PREFIX,
X11BASE, X11PREFIX; additional patterns can be added via MESSAGE_SUBST.
Clean up some packages while I'm there; add RCS tags to most MESSAGEs.
Remove some uninteresting MESSAGEs.
20001106
- (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs
- (djm) Manually fix up missed diff hunks (mainly RCS idents)
- (djm) Remove UPGRADING document in favour of a link to the better
maintained FAQ on www.openssh.com
- (djm) Fix multiple dependancy on gnome-libs from Pekka Savola
<pekkas@netcore.fi>
- (djm) Don't need X11-askpass in RPM spec file if building without it
from Pekka Savola <pekkas@netcore.fi>
- (djm) Release 2.3.0p1
20001105
- (bal) Sync with OpenBSD:
- markus@cvs.openbsd.org 2000/10/31 9:31:58
[compat.c]
handle all old openssh versions
- markus@cvs.openbsd.org 2000/10/31 13:1853
[deattack.c]
so that large packets do not wrap "n"; from netbsd
- (bal) rijndel.c - fix up RCSID to match OpenBSD tree
- (bal) auth2-skey.c - Checked in. Missing from portable tree.
- (bal) Reworked NEWS-OS and NeXT ports to extract waitpid() and
setsid() into more common files
- (stevesk) pty.c: use __hpux to identify HP-UX.
- (bal) Missed auth-skey.o in Makefile.in and minor correction to
bsd-waitpid.c
20001029
- (stevesk) Fix typo in auth.c: USE_PAM not PAM
- (stevesk) Create contrib/cygwin/ directory; patch from
Corinna Vinschen <vinschen@redhat.com>
- (bal) Resolved more $xno and $xyes issues in configure.in
- (bal) next-posix.h - spelling and forgot a prototype
20001028
- (djm) fix select hack in serverloop.c from Philippe WILLEM
<Philippe.WILLEM@urssaf.fr>
- (djm) Fix mangled AIXAUTHENTICATE code
- (djm) authctxt->pw may be NULL. Fix from Markus Friedl
<markus.friedl@informatik.uni-erlangen.de>
- (djm) Sync with OpenBSD:
- markus@cvs.openbsd.org 2000/10/16 15:46:32
[ssh.1]
fixes from pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/10/17 14:28:11
[atomicio.c]
return number of characters processed; ok deraadt@
- markus@cvs.openbsd.org 2000/10/18 12:04:02
[atomicio.c]
undo
- markus@cvs.openbsd.org 2000/10/18 12:23:02
[scp.c]
replace atomicio(read,...) with read(); ok deraadt@
- markus@cvs.openbsd.org 2000/10/18 12:42:00
[session.c]
restore old record login behaviour
- deraadt@cvs.openbsd.org 2000/10/19 10:41:13
[auth-skey.c]
fmt string problem in unused code
- provos@cvs.openbsd.org 2000/10/19 10:45:16
[sshconnect2.c]
don't reference freed memory. okay deraadt@
- markus@cvs.openbsd.org 2000/10/21 11:04:23
[canohost.c]
typo, eramore@era-t.ericsson.se; ok niels@
- markus@cvs.openbsd.org 2000/10/23 13:31:55
[cipher.c]
non-alignment dependent swap_bytes(); from
simonb@wasabisystems.com/netbsd
- markus@cvs.openbsd.org 2000/10/26 12:38:28
[compat.c]
add older vandyke products
- markus@cvs.openbsd.org 2000/10/27 01:32:19
[channels.c channels.h clientloop.c serverloop.c session.c]
[ssh.c util.c]
enable non-blocking IO on channels, and tty's (except for the
client ttys).
20001027
- (djm) Increase REKEY_BYTES to 2^24 for arc4random
20001025
- (djm) Added WARNING.RNG file and modified configure to ask users of the
builtin entropy code to read it.
- (djm) Prefer builtin regex to PCRE.
- (bal) Added USE_PIPS defined to NeXT configure.in since scp hangs randomly.
- (bal) Apply fixes to configure.in pointed out by Pavel Roskin
<proski@gnu.org>
20001020
- (djm) Don't define _REENTRANT for SNI/Reliant Unix
- (bal) Imported NEWS-OS waitpid() macros into NeXT. Since implementation
is more correct then current version.
20001018
- (stevesk) Add initial support for setproctitle(). Current
support is for the HP-UX pstat(PSTAT_SETCMD, ...) method.
- (stevesk) Add egd startup scripts to contrib/hpux/
20001017
- (djm) Add -lregex to cywin libs from Corinna Vinschen
<vinschen@cygnus.com>
- (djm) Don't rely on atomicio's retval to determine length of askpass
supplied passphrase. Problem report from Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (bal) Changed from GNU rx to PCRE on suggestion from djm.
- (bal) Integrated Sony NEWS-OS patches from NAKAJI Hirouyuki
<nakaji@tutrp.tut.ac.jp>
20001016
- (djm) Sync with OpenBSD:
- markus@cvs.openbsd.org 2000/10/14 04:01:15
[cipher.c]
debug3
- markus@cvs.openbsd.org 2000/10/14 04:07:23
[scp.c]
remove spaces from arguments; from djm@mindrot.org
- markus@cvs.openbsd.org 2000/10/14 06:09:46
[ssh.1]
Cipher is for SSH-1 only
- markus@cvs.openbsd.org 2000/10/14 06:12:09
[servconf.c servconf.h serverloop.c session.c sshd.8]
AllowTcpForwarding; from naddy@
- markus@cvs.openbsd.org 2000/10/14 06:16:56
[auth2.c compat.c compat.h sshconnect2.c version.h]
OpenSSH_2.3; note that is is not complete, but the version number
needs to be changed for interoperability reasons
- markus@cvs.openbsd.org 2000/10/14 06:19:45
[auth-rsa.c]
do not send RSA challenge if key is not allowed by key-options; from
eivind@ThinkSec.com
- markus@cvs.openbsd.org 2000/10/15 08:14:01
[rijndael.c session.c]
typos; from stevesk@sweden.hp.com
- markus@cvs.openbsd.org 2000/10/15 08:18:31
[rijndael.c]
typo
- (djm) Copy manpages back over from OpenBSD - too tedious to wade
through diffs
- (djm) Added condrestart to Redhat init script. Patch from Pekka Savola
<pekkas@netcore.fi>
- (djm) Update version in Redhat spec file
- (djm) Merge some of Nalin Dahyabhai <nalin@redhat.com> changes from the
Redhat 7.0 spec file
- (djm) Make inability to read/write PRNG seedfile non-fatal
20001015
- (djm) Fix ssh2 hang on background processes at logout.
20001014
- (bal) Add support for realpath and getcwd for platforms with broken
or missing realpath implementations for sftp-server.
- (bal) Corrected mistake in INSTALL in regards to GNU rx library
- (bal) Add support for GNU rx library for those lacking regexp support
- (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth
- (djm) Revert SSH2 serverloop hack, will find a better way.
- (djm) Add workaround for Linux 2.4's gratuitious errno change. Patch
from Martin Johansson <fatbob@acc.umu.se>
- (djm) Big OpenBSD sync:
- markus@cvs.openbsd.org 2000/09/30 10:27:44
[log.c]
allow loglevel debug
- markus@cvs.openbsd.org 2000/10/03 11:59:57
[packet.c]
hmac->mac
- markus@cvs.openbsd.org 2000/10/03 12:03:03
[auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c]
move fake-auth from auth1.c to individual auth methods, disables s/key in
debug-msg
- markus@cvs.openbsd.org 2000/10/03 12:16:48
ssh.c
do not resolve canonname, i have no idea why this was added oin ossh
- markus@cvs.openbsd.org 2000/10/09 15:30:44
ssh-keygen.1 ssh-keygen.c
-X now reads private ssh.com DSA keys, too.
- markus@cvs.openbsd.org 2000/10/09 15:32:34
auth-options.c
clear options on every call.
- markus@cvs.openbsd.org 2000/10/09 15:51:00
authfd.c authfd.h
interop with ssh-agent2, from <res@shore.net>
- markus@cvs.openbsd.org 2000/10/10 14:20:45
compat.c
use rexexp for version string matching
- provos@cvs.openbsd.org 2000/10/10 22:02:18
[kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h]
First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.
- markus@cvs.openbsd.org 2000/10/11 13:59:52
[auth-rsa.c auth2.c]
clear auth options unless auth sucessfull
- markus@cvs.openbsd.org 2000/10/11 14:00:27
[auth-options.h]
clear auth options unless auth sucessfull
- markus@cvs.openbsd.org 2000/10/11 14:03:27
[scp.1 scp.c]
support 'scp -o' with help from mouring@pconline.com
- markus@cvs.openbsd.org 2000/10/11 14:11:35
[dh.c]
Wall
- markus@cvs.openbsd.org 2000/10/11 14:14:40
[auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h]
[ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h]
add support for s/key (kbd-interactive) to ssh2, based on work by
mkiernan@avantgo.com and me
- markus@cvs.openbsd.org 2000/10/11 14:27:24
[auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h]
[myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c]
[sshconnect2.c sshd.c]
new cipher framework
- markus@cvs.openbsd.org 2000/10/11 14:45:21
[cipher.c]
remove DES
- markus@cvs.openbsd.org 2000/10/12 03:59:20
[cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c]
enable DES in SSH-1 clients only
- markus@cvs.openbsd.org 2000/10/12 08:21:13
[kex.h packet.c]
remove unused
- markus@cvs.openbsd.org 2000/10/13 12:34:46
[sshd.c]
Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se
- markus@cvs.openbsd.org 2000/10/13 12:59:15
[cipher.c cipher.h myproposal.h rijndael.c rijndael.h]
rijndael/aes support
- markus@cvs.openbsd.org 2000/10/13 13:10:54
[sshd.8]
more info about -V
- markus@cvs.openbsd.org 2000/10/13 13:12:02
[myproposal.h]
prefer no compression
- (djm) Fix scp user@host handling
- (djm) Don't clobber ssh_prng_cmds on install
- (stevesk) Include config.h in rijndael.c so we define intXX_t and
u_intXX_t types on all platforms.
- (stevesk) rijndael.c: cleanup missing declaration warnings.
- (stevesk) ~/.hushlogin shouldn't cause required password change to
be bypassed.
- (stevesk) Display correct path to ssh-askpass in configure output.
Report from Lutz Jaenicke.
20001007
- (stevesk) Print PAM return value in PAM log messages to aid
with debugging.
- (stevesk) Fix detection of pw_class struct member in configure;
patch from KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp>
20001002
- (djm) Fix USER_PATH, report from Kevin Steves <stevesk@sweden.hp.com>
- (djm) Add host system and CC to end-of-configure report. Suggested by
Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
20000931
- (djm) Cygwin fixes from Corinna Vinschen <vinschen@cygnus.com>
20000930
- (djm) Irix ssh_prng_cmds path fix from Pekka Savola <pekkas@netcore.fi>
- (djm) Support in bsd-snprintf.c for long long conversions from
Ben Lindstrom <mouring@pconline.com>
- (djm) Cleanup NeXT support from Ben Lindstrom <mouring@pconline.com>
- (djm) Ignore SIGPIPEs from serverloop to child. Fixes crashes with
very short lived X connections. Bug report from Tobias Oetiker
<oetiker@ee.ethz.ch>. Fix from Markus Friedl <markus@cvs.openbsd.org>
- (djm) Add recent InitScripts as a RPM dependancy for openssh-server
patch from Pekka Savola <pekkas@netcore.fi>
- (djm) Forgot to cvs add LICENSE file
- (djm) Add LICENSE to RPM spec files
- (djm) CVS OpenBSD sync:
- markus@cvs.openbsd.org 2000/09/26 13:59:59
[clientloop.c]
use debug2
- markus@cvs.openbsd.org 2000/09/27 15:41:34
[auth2.c sshconnect2.c]
use key_type()
- markus@cvs.openbsd.org 2000/09/28 12:03:18
[channels.c]
debug -> debug2 cleanup
- (djm) Irix strips "/dev/tty" from [uw]tmp entries (other systems only
strip "/dev/"). Fix loginrec.c based on patch from Alain St-Denis
<Alain.St-Denis@ec.gc.ca>
- (djm) Fix 9 character passphrase failure with gnome-ssh-askpass.
Problem was caused by interrupted read in ssh-add. Report from Donald
J. Barry <don@astro.cornell.edu>
20000929
- (djm) Fix SSH2 not terminating until all background tasks done problem.
- (djm) Another off-by-one fix from Pavel Kankovsky
<peak@argo.troja.mff.cuni.cz>
- (djm) Clean up. Strip some unnecessary differences with OpenBSD's code,
tidy necessary differences. Use Markus' new debugN() in entropy.c
- (djm) Merged big SCO portability patch from Tim Rice
<tim@multitalents.net>
20000926
- (djm) Update X11-askpass to 1.0.2 in RPM spec file
- (djm) Define _REENTRANT to pickup strtok_r() on HP/UX
- (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
20000924
- (djm) Merged cleanup patch from Mark Miller <markm@swoon.net>
- (djm) A bit more cleanup - created cygwin_util.h
- (djm) Include strtok_r() from OpenBSD libc. Fixes report from Mark Miller
<markm@swoon.net>
20000923
- (djm) Fix address logging in utmp from Kevin Steves
<stevesk@sweden.hp.com>
- (djm) Redhat spec and manpage fixes from Pekka Savola <pekkas@netcore.fi>
- (djm) Seperate tests for int64_t and u_int64_t types
- (djm) Tweak password expiry checking at suggestion of Kevin Steves
<stevesk@sweden.hp.com>
- (djm) NeXT patch from Ben Lindstrom <mouring@pconline.com>
- (djm) Use printf %lld instead of %qd in sftp-server.c. Fix from
Michael Stone <mstone@cs.loyola.edu>
- (djm) OpenBSD CVS sync:
- markus@cvs.openbsd.org 2000/09/17 09:38:59
[sshconnect2.c sshd.c]
fix DEBUG_KEXDH
- markus@cvs.openbsd.org 2000/09/17 09:52:51
[sshconnect.c]
yes no; ok niels@
- markus@cvs.openbsd.org 2000/09/21 04:55:11
[sshd.8]
typo
- markus@cvs.openbsd.org 2000/09/21 05:03:54
[serverloop.c]
typo
- markus@cvs.openbsd.org 2000/09/21 05:11:42
scp.c
utime() to utimes(); mouring@pconline.com
- markus@cvs.openbsd.org 2000/09/21 05:25:08
sshconnect2.c
change login logic in ssh2, allows plugin of other auth methods
- markus@cvs.openbsd.org 2000/09/21 05:25:35
[auth2.c channels.c channels.h clientloop.c dispatch.c dispatch.h]
[serverloop.c]
add context to dispatch_run
- markus@cvs.openbsd.org 2000/09/21 05:07:52
authfd.c authfd.h ssh-agent.c
bug compat for old ssh.com software
20000920
- (djm) Fix bad path substitution. Report from Andrew Miner
<asminer@cs.iastate.edu>
20000916
- (djm) Fix SSL search order from Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (djm) New SuSE spec from Corinna Vinschen <corinna@vinschen.de>
- (djm) Update CygWin support from Corinna Vinschen <vinschen@cygnus.com>
- (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage.
Patch from Larry Jones <larry.jones@sdrc.com>
- (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM
password change patch.
- (djm) Bring licenses on my stuff in line with OpenBSD's
- (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from
Kevin Steves <stevesk@sweden.hp.com>
- (djm) Shadow expiry check fix from Pavel Troller <patrol@omni.sinus.cz>
- (djm) Re-enable int64_t types - we need them for sftp
- (djm) Use libexecdir from configure , rather than libexecdir/ssh
- (djm) Update Redhat SPEC file accordingly
- (djm) Add Kevin Steves <stevesk@sweden.hp.com> HP/UX contrib files
- (djm) Add Charles Levert <charles@comm.polymtl.ca> getpgrp patch
- (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter
<Dirk.DeWachter@rug.ac.be>
- (djm) Fixprogs and entropy list fixes from Larry Jones
<larry.jones@sdrc.com>
- (djm) Fix for SuSE spec file from Takashi YOSHIDA
<tyoshida@gemini.rc.kyushu-u.ac.jp>
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/09/05 02:59:57
[session.c]
print hostname (not hushlogin)
- markus@cvs.openbsd.org 2000/09/05 13:18:48
[authfile.c ssh-add.c]
enable ssh-add -d for DSA keys
- markus@cvs.openbsd.org 2000/09/05 13:20:49
[sftp-server.c]
cleanup
- markus@cvs.openbsd.org 2000/09/06 03:46:41
[authfile.h]
prototype
- deraadt@cvs.openbsd.org 2000/09/07 14:27:56
[ALL]
cleanup copyright notices on all files. I have attempted to be
accurate with the details. everything is now under Tatu's licence
(which I copied from his readme), and/or the core-sdi bsd-ish thing
for deattack, or various openbsd developers under a 2-term bsd
licence. We're not changing any rules, just being accurate.
- markus@cvs.openbsd.org 2000/09/07 14:40:30
[channels.c channels.h clientloop.c serverloop.c ssh.c]
cleanup window and packet sizes for ssh2 flow control; ok niels
- markus@cvs.openbsd.org 2000/09/07 14:53:00
[scp.c]
typo
- markus@cvs.openbsd.org 2000/09/07 15:13:37
[auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c]
[authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h]
[pty.c readconf.c]
some more Copyright fixes
- markus@cvs.openbsd.org 2000/09/08 03:02:51
[README.openssh2]
bye bye
- deraadt@cvs.openbsd.org 2000/09/11 18:38:33
[LICENCE cipher.c]
a few more comments about it being ARC4 not RC4
- markus@cvs.openbsd.org 2000/09/12 14:53:11
[log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c]
multiple debug levels
- markus@cvs.openbsd.org 2000/09/14 14:25:15
[clientloop.c]
typo
- deraadt@cvs.openbsd.org 2000/09/15 01:13:51
[ssh-agent.c]
check return value for setenv(3) for failure, and deal appropriately
20000913
- (djm) Fix server not exiting with jobs in background.
20000905
- (djm) Import OpenBSD CVS changes
- markus@cvs.openbsd.org 2000/08/31 15:52:24
[Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c]
implement a SFTP server. interops with sftp2, scp2 and the windows
client from ssh.com
- markus@cvs.openbsd.org 2000/08/31 15:56:03
[README.openssh2]
sync
- markus@cvs.openbsd.org 2000/08/31 16:05:42
[session.c]
Wall
- markus@cvs.openbsd.org 2000/08/31 16:09:34
[authfd.c ssh-agent.c]
add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions
- deraadt@cvs.openbsd.org 2000/09/01 09:25:13
[scp.1 scp.c]
cleanup and fix -S support; stevesk@sweden.hp.com
- markus@cvs.openbsd.org 2000/09/01 16:29:32
[sftp-server.c]
portability fixes
- markus@cvs.openbsd.org 2000/09/01 16:32:41
[sftp-server.c]
fix cast; mouring@pconline.com
- itojun@cvs.openbsd.org 2000/09/03 09:23:28
[ssh-add.1 ssh.1]
add missing .El against .Bl.
- markus@cvs.openbsd.org 2000/09/04 13:03:41
[session.c]
missing close; ok theo
- markus@cvs.openbsd.org 2000/09/04 13:07:21
[session.c]
fix get_last_login_time order; from andre@van-veen.de
- markus@cvs.openbsd.org 2000/09/04 13:10:09
[sftp-server.c]
more cast fixes; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/09/04 13:06:04
[session.c]
set SSH_ORIGINAL_COMMAND; from Leakin@dfw.nostrum.com, bet@rahul.net
- (djm) Cleanup after import. Fix sftp-server compilation, Makefile
- (djm) Merge cygwin support from Corinna Vinschen <vinschen@cygnus.com>
20000903
- (djm) Fix Redhat init script
20000901
- (djm) Pick up Jim's new X11-askpass
- (djm) Release 2.2.0p1
how NetBSD's rc.d interprets script names. Also add REQUIRE and PROVIDE
sections to control scripts so they can be used directly in NetBSD's rc.d
system.
RESTRICTED= variables that were predicated on former U.S. export
regulations. Add CRYPTO=, as necessary, so it's still possible to
exclude all crypto packages from a build by setting MKCRYPTO=no
(but "lintpkgsrc -R" will no longer catch them).
Specifically,
- - All packages which set USE_SSL just lose their RESTRICTED
variable, since MKCRYPTO responds to USE_SSL directly.
- - realplayer7 and ns-flash keep their RESTRICTED, which is based
on license terms, but also gain the CRYPTO variable.
- - srp-client is now marked broken, since the distfile is evidently
no longer available. On this, we're no worse off than before.
[We haven't been mirroring the distfile, or testing the build!]
- - isakmpd gets CRYPTO for RESTRICTED, but remains broken.
- - crack loses all restrictions, as it does not evidently empower
a user to utilize strong encryption (working definition: ability
to encode a message that requires a secret key plus big number
arithmetic to decode).
---
20000901
- (djm) Pick up Jim's new X11-askpass
- (djm) Release 2.2.0p1
20000831
- (djm) Workaround SIGPIPE problems on SCO. Fix from Aran Cox
<acox@cv.telegroup.com>
- (djm) Pick up new version (2.2.0) from OpenBSD CVS
20000830
- (djm) Compile warning fixes from Mark Miller <markm@swoon.net>
- (djm) Periodically rekey arc4random
- (djm) Clean up diff against OpenBSD.
- (djm) HPUX 11 needs USE_PIPES as well: Kevin Steves
<stevesk@sweden.hp.com>
- (djm) Quieten the pam delete credentials error message
- (djm) Fix printing of $DISPLAY hack if set by system type. Report from
Kevin Steves <stevesk@sweden.hp.com>
- (djm) NeXT patch from Ben Lindstrom <mouring@pconline.com>
- (djm) Fix doh in bsd-arc4random.c
20000829
- (djm) Fix ^C ignored issue on Solaris. Diagnosis from Gert
Doering <gert@greenie.muc.de>, John Horne <J.Horne@plymouth.ac.uk> and
Garrick James <garrick@james.net>
- (djm) Check for SCO pty naming style (ptyp%d/ttyp%d). Based on fix from
Bastian Trompetter <btrompetter@firemail.de>
- (djm) NeXT tweaks from Ben Lindstrom <mouring@pconline.com>
- More OpenBSD updates:
- deraadt@cvs.openbsd.org 2000/08/24 15:46:59
[scp.c]
off_t in sink, to fix files > 2GB, i think, test is still running ;-)
- deraadt@cvs.openbsd.org 2000/08/25 10:10:06
[session.c]
Wall
- markus@cvs.openbsd.org 2000/08/26 04:33:43
[compat.c]
ssh.com-2.3.0
- markus@cvs.openbsd.org 2000/08/27 12:18:05
[compat.c]
compatibility with future ssh.com versions
- deraadt@cvs.openbsd.org 2000/08/27 21:50:55
[auth-krb4.c session.c ssh-add.c sshconnect.c uidswap.c]
print uid/gid as unsigned
- markus@cvs.openbsd.org 2000/08/28 13:51:00
[ssh.c]
enable -n and -f for ssh2
- markus@cvs.openbsd.org 2000/08/28 14:19:53
[ssh.c]
allow combination of -N and -f
- markus@cvs.openbsd.org 2000/08/28 14:20:56
[util.c]
util.c
- markus@cvs.openbsd.org 2000/08/28 14:22:02
[util.c]
undo
- markus@cvs.openbsd.org 2000/08/28 14:23:38
[util.c]
don't complain if setting NONBLOCK fails with ENODEV
20000823
- (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4
Avoids "scp never exits" problem. Reports from Lutz Jaenicke
<Lutz.Jaenicke@aet.TU-Cottbus.DE> and Tamito KAJIYAMA
<kajiyama@grad.sccs.chukyo-u.ac.jp>
- (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers
- (djm) Add local version to version.h
- (djm) Don't reseed arc4random everytime it is used
- (djm) OpenBSD CVS updates:
- deraadt@cvs.openbsd.org 2000/08/18 20:07:23
[ssh.c]
accept remsh as a valid name as well; roman@buildpoint.com
- deraadt@cvs.openbsd.org 2000/08/18 20:17:13
[deattack.c crc32.c packet.c]
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it;
oneill@cs.sfu.ca
- deraadt@cvs.openbsd.org 2000/08/18 20:26:08
[scp.1 scp.c]
-S prog support; tv@debian.org
- deraadt@cvs.openbsd.org 2000/08/18 20:50:07
[scp.c]
knf
- deraadt@cvs.openbsd.org 2000/08/18 20:57:33
[log-client.c]
shorten
- markus@cvs.openbsd.org 2000/08/19 12:48:11
[channels.c channels.h clientloop.c ssh.c ssh.h]
support for ~. in ssh2
- deraadt@cvs.openbsd.org 2000/08/19 15:29:40
[crc32.h]
proper prototype
- markus@cvs.openbsd.org 2000/08/19 15:34:44
[authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1]
[ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile]
[fingerprint.c fingerprint.h]
add SSH2/DSA support to the agent and some other DSA related cleanups.
(note that we cannot talk to ssh.com's ssh2 agents)
- markus@cvs.openbsd.org 2000/08/19 15:55:52
[channels.c channels.h clientloop.c]
more ~ support for ssh2
- markus@cvs.openbsd.org 2000/08/19 16:21:19
[clientloop.c]
oops
- millert@cvs.openbsd.org 2000/08/20 12:25:53
[session.c]
We have to stash the result of get_remote_name_or_ip() before we
close our socket or getpeername() will get EBADF and the process
will exit. Only a problem for "UseLogin yes".
- millert@cvs.openbsd.org 2000/08/20 12:30:59
[session.c]
Only check /etc/nologin if "UseLogin no" since login(1) may have its
own policy on determining who is allowed to login when /etc/nologin
is present. Also use the _PATH_NOLOGIN define.
- millert@cvs.openbsd.org 2000/08/20 12:42:43
[auth1.c auth2.c session.c ssh.c]
Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.
- millert@cvs.openbsd.org 2000/08/21 10:23:31
[session.c]
Fix incorrect PATH setting; noted by Markus.
20000818
- (djm) OpenBSD CVS changes:
- markus@cvs.openbsd.org 2000/07/22 03:14:37
[servconf.c servconf.h sshd.8 sshd.c sshd_config]
random early drop; ok theo, niels
- deraadt@cvs.openbsd.org 2000/07/26 11:46:51
[ssh.1]
typo
- deraadt@cvs.openbsd.org 2000/08/01 11:46:11
[sshd.8]
many fixes from pepper@mail.reppep.com
- provos@cvs.openbsd.org 2000/08/01 13:01:42
[Makefile.in util.c aux.c]
rename aux.c to util.c to help with cygwin port
- deraadt@cvs.openbsd.org 2000/08/02 00:23:31
[authfd.c]
correct sun_len; Alexander@Leidinger.net
- provos@cvs.openbsd.org 2000/08/02 10:27:17
[readconf.c sshd.8]
disable kerberos authentication by default
- provos@cvs.openbsd.org 2000/08/02 11:27:05
[sshd.8 readconf.c auth-krb4.c]
disallow kerberos authentication if we can't verify the TGT; from
dugsong@
kerberos authentication is on by default only if you have a srvtab.
- markus@cvs.openbsd.org 2000/08/04 14:30:07
[auth.c]
unused
- markus@cvs.openbsd.org 2000/08/04 14:30:35
[sshd_config]
MaxStartups
- markus@cvs.openbsd.org 2000/08/15 13:20:46
[authfd.c]
cleanup; ok niels@
- markus@cvs.openbsd.org 2000/08/17 14:05:10
[session.c]
cleanup login(1)-like jobs, no duplicate utmp entries
- markus@cvs.openbsd.org 2000/08/17 14:06:34
[session.c sshd.8 sshd.c]
sshd -u len, similar to telnetd
- (djm) Lastlog was not getting closed after writing login entry
- (djm) Add Solaris package support from Rip Loomis <loomisg@cist.saic.com>
20000816
- (djm) Replacement for inet_ntoa for Irix (which breaks on gcc)
- (djm) Fix strerror replacement for old SunOS. Based on patch from
Charles Levert <charles@comm.polymtl.ca>
- (djm) Seperate arc4random into seperate file and use OpenSSL's RC4
implementation.
- (djm) SUN_LEN macro for systems which lack it
20000815
- (djm) More SunOS 4.1.x fixes from Nate Itkin <nitkin@europa.com>
- (djm) Avoid failures on Irix when ssh is not setuid. Fix from
Michael Stone <mstone@cs.loyola.edu>
- (djm) Don't seek in directory based lastlogs
- (djm) Fix --with-ipaddr-display configure option test. Patch from
Jarno Huuskonen <jhuuskon@messi.uku.fi>
- (djm) Fix AIX limits from Alexandre Oliva <oliva@lsd.ic.unicamp.br>
20000813
- (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from
Fabrice bacchella <fabrice.bacchella@marchfirst.fr>
20000809
- (djm) Define AIX hard limits if headers don't. Report from
Bill Painter <william.t.painter@lmco.com>
- (djm) utmp direct write & SunOS 4 patch from Charles Levert
<charles@comm.polymtl.ca>
20000808
- (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install
time, spec file cleanup.
20000807
- (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke
- (djm) Suppress error messages on channel close shutdown() failurs
works around Linux bug. Patch from Zack Weinberg <zack@wolery.cumb.org>
- (djm) Add some more entropy collection commands from Lutz Jaenicke
20000725
- (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF
20000721
- (djm) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/07/16 02:27:22
[authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
[sshconnect1.c sshconnect2.c]
make ssh-add accept dsa keys (the agent does not)
- djm@cvs.openbsd.org 2000/07/17 19:25:02
[sshd.c]
Another closing of stdin; ok deraadt
- markus@cvs.openbsd.org 2000/07/19 18:33:12
[dsa.c]
missing free, reorder
- markus@cvs.openbsd.org 2000/07/20 16:23:14
[ssh-keygen.1]
document input and output files
20000720
- (djm) Spec file fix from Petr Novotny <Petr.Novotny@antek.cz>
20000716
- (djm) Release 2.1.1p4
-lcrypto NetBSD-1.5*
-lcrypto -lrsaref OpenSSL and USE_RSAREF2=NO
-lcrypto -lRSAglue -lrsaref OpenSSL and USE_RSAREF2=YES
and use the first set of libraries which work.
Closes the following PRs: 9820, 10268, 10681.
Package changes:
* Factor out common post-install code from PLIST and package Makefile
into files/INSTALL.
* Enhance files/sshd.sh to handle start/stop/restart/status.
* Check for usable installed version of OpenSSL. This bit possibly
closes the following PRs: 10404, 10501, 10593
Changes from 2.1.1p3:
* allow multiple whitespace but only one '=' between tokens
* close can fail on AFS
* allow leading whitespace in configuration files
* Always create ~/.ssh with mode 700
depend on openssl >= 0.9.5. see PR 10593.
--- 2.1.1p2 -> 2.1.1p3
20000712
- (djm) Remove -lresolve for Reliant Unix
- (djm) OpenBSD CVS Updates:
- deraadt@cvs.openbsd.org 2000/07/11 02:11:34
[session.c sshd.c ]
make MaxStartups code still work with -d; djm
- deraadt@cvs.openbsd.org 2000/07/11 13:17:45
[readconf.c ssh_config]
disable FallBackToRsh by default
- (djm) Replace in_addr_t with u_int32_t in bsd-inet_aton.c. Report from
Ben Lindstrom <mouring@pconline.com>
- (djm) Make building of X11-Askpass and GNOME-Askpass optional in RPM
spec file.
- (djm) Released 2.1.1p3
20000711
- (djm) Fixup for AIX getuserattr() support from Tom Bertelson
<tbert@abac.com>
- (djm) ReliantUNIX support from Udo Schweigert <ust@cert.siemens.de>
- (djm) NeXT: dirent structures to get scp working from Ben Lindstrom
<mouring@pconline.com>
- (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report
from Jim Watt <jimw@peisj.pebio.com>
- (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known
to compile on more platforms (incl NeXT).
- (djm) Added bsd-inet_aton and configure support for NeXT
- (djm) Misc NeXT fixes from Ben Lindstrom <mouring@pconline.com>
- (djm) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/06/26 03:22:29
[authfd.c]
cleanup, less cut&paste
- markus@cvs.openbsd.org 2000/06/26 15:59:19
[servconf.c servconf.h session.c sshd.8 sshd.c]
MaxStartups: limit number of unauthenticated connections, work by
theo and me
- deraadt@cvs.openbsd.org 2000/07/05 14:18:07
[session.c]
use no_x11_forwarding_flag correctly; provos ok
- provos@cvs.openbsd.org 2000/07/05 15:35:57
[sshd.c]
typo
- aaron@cvs.openbsd.org 2000/07/05 22:06:58
[scp.1 ssh-agent.1 ssh-keygen.1 sshd.8]
Insert more missing .El directives. Our troff really should identify
these and spit out a warning.
- todd@cvs.openbsd.org 2000/07/06 21:55:04
[auth-rsa.c auth2.c ssh-keygen.c]
clean code is good code
- deraadt@cvs.openbsd.org 2000/07/07 02:14:29
[serverloop.c]
sense of port forwarding flag test was backwards
- provos@cvs.openbsd.org 2000/07/08 17:17:31
[compat.c readconf.c]
replace strtok with strsep; from David Young <dyoung@onthejob.net>
- deraadt@cvs.openbsd.org 2000/07/08 19:21:15
[auth.h]
KNF
- ho@cvs.openbsd.org 2000/07/08 19:27:33
[compat.c readconf.c]
Better conditions for strsep() ending.
- ho@cvs.openbsd.org 2000/07/10 10:27:05
[readconf.c]
Get the correct message on errors. (niels@ ok)
- ho@cvs.openbsd.org 2000/07/10 10:30:25
[cipher.c kex.c servconf.c]
strtok() --> strsep(). (niels@ ok)
- (djm) Fix problem with debug mode and MaxStartups
- (djm) Don't generate host keys when $(DESTDIR) is set (e.g. during RPM
builds)
- (djm) Add strsep function from OpenBSD libc for systems that lack it
20000709
- (djm) Only enable PAM_TTY kludge for Linux. Problem report from
Kevin Steves <stevesk@sweden.hp.com>
- (djm) Match prototype and function declaration for rresvport_af.
Problem report from Niklas Edmundsson <nikke@ing.umu.se>
- (djm) Missing $(DESTDIR) on host-key target causing problems with RPM
builds. Problem report from Gregory Leblanc <GLeblanc@cu-portland.edu>
- (djm) Replace ut_name with ut_user. Patch from Jim Watt
<jimw@peisj.pebio.com>
- (djm) Fix pam sprintf fix
- (djm) Cleanup entropy collection code a little more. Split initialisation
from seeding, perform intialisation immediatly at start, be careful with
uids. Based on problem report from Jim Watt <jimw@peisj.pebio.com>
- (djm) More NeXT compatibility from Ben Lindstrom <mouring@pconline.com>
Including sigaction() et al. replacements
- (djm) AIX getuserattr() session initialisation from Tom Bertelson
<tbert@abac.com>
20000708
- (djm) Fix bad fprintf format handling in auth-pam.c. Patch from
Aaron Hopkins <aaron@die.net>
- (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from
Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (djm) Fixed undefined variables for OSF SIA. Report from
Baars, Henk <Hendrik.Baars@nl.origin-it.com>
- (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c
Fix from Marquess, Steve Mr JMLFDC <Steve.Marquess@DET.AMEDD.ARMY.MIL>
- (djm) Don't use inet_addr.
20000702
- (djm) Fix brace mismatch from Corinna Vinschen <vinschen@cygnus.com>
- (djm) Stop shadow expiry checking from preventing logins with NIS. Based
on fix from HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
- (djm) Use standard OpenSSL functions in auth-skey.c. Patch from
Chris, the Young One <cky@pobox.com>
- (djm) Fix scp progress meter on really wide terminals. Based on patch
from James H. Cloos Jr. <cloos@jhcloos.com>
20000701
- (djm) Fix Tru64 SIA problems reported by John P Speno <speno@isc.upenn.edu>
- (djm) Login fixes from Tom Bertelson <tbert@abac.com>
- (djm) Replace "/bin/sh" with _PATH_BSHELL. Report from Corinna Vinschen
<vinschen@cygnus.com>
- (djm) Replace "/usr/bin/login" with LOGIN_PROGRAM
- (djm) Added check for broken snprintf() functions which do not correctly
terminate output string and attempt to use replacement.
- (djm) Released 2.1.1p2
--- recent changelogs
20000701
- (djm) Fix Tru64 SIA problems reported by John P Speno <speno@isc.upenn.edu>
- (djm) Login fixes from Tom Bertelson <tbert@abac.com>
- (djm) Replace "/bin/sh" with _PATH_BSHELL. Report from Corinna Vinschen
<vinschen@cygnus.com>
- (djm) Replace "/usr/bin/login" with LOGIN_PROGRAM
- (djm) Added check for broken snprintf() functions which do not correctly
terminate output string and attempt to use replacement.
- (djm) Released 2.1.1p2
20000628
- (djm) Fixes to lastlog code for Irix
- (djm) Use atomicio in loginrec
- (djm) Patch from Michael Stone <mstone@cs.loyola.edu> to add support for
Irix 6.x array sessions, project id's, and system audit trail id.
- (djm) Added 'distprep' make target to simplify packaging
- (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA
support. Enable using "USE_SIA=1 ./configure [options]"
20000627
- (djm) Fixes to login code - not setting li->uid, cleanups
- (djm) Formatting
20000626
- (djm) Better fix to aclocal tests from Garrick James <garrick@james.net>
- (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
- (djm) Added password expiry checking (no password change support)
- (djm) Make EGD failures non-fatal if OpenSSL's entropy pool is still OK
based on patch from Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- (djm) Fix fixed EGD code.
- OpenBSD CVS update
- provos@cvs.openbsd.org 2000/06/25 14:17:58
[channels.c]
correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>
20000623
- (djm) Use sa_family_t in prototype for rresvport_af. Patch from
Svante Signell <svante.signell@telia.com>
- (djm) Autoconf logic to define sa_family_t if it is missing
- OpenBSD CVS Updates:
- markus@cvs.openbsd.org 2000/06/22 10:32:27
[sshd.c]
missing atomicio; report from Steve.Marquess@DET.AMEDD.ARMY.MIL
- djm@cvs.openbsd.org 2000/06/22 17:55:00
[auth-krb4.c key.c radix.c uuencode.c]
Missing CVS idents; ok markus
20000622
- (djm) Automatically generate host key during "make install". Suggested
by Gary E. Miller <gem@rellim.com>
- (djm) Paranoia before kill() system call
- OpenBSD CVS Updates:
- markus@cvs.openbsd.org 2000/06/18 18:50:11
[auth2.c compat.c compat.h sshconnect2.c]
make userauth+pubkey interop with ssh.com-2.2.0
- markus@cvs.openbsd.org 2000/06/18 20:56:17
[dsa.c]
mem leak + be more paranoid in dsa_verify.
- markus@cvs.openbsd.org 2000/06/18 21:29:50
[key.c]
cleanup fingerprinting, less hardcoded sizes
- markus@cvs.openbsd.org 2000/06/19 19:39:45
[atomicio.c auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c authfd.c authfd.h authfile.c bufaux.c bufaux.h]
[buffer.c buffer.h canohost.c channels.c channels.h cipher.c cipher.h]
[clientloop.c compat.c compat.h compress.c compress.h crc32.c crc32.h]
[deattack.c dispatch.c dsa.c fingerprint.c fingerprint.h getput.h hmac.c]
[kex.c log-client.c log-server.c login.c match.c mpaux.c mpaux.h nchan.c]
[nchan.h packet.c packet.h pty.c pty.h readconf.c readconf.h readpass.c]
[rsa.c rsa.h scp.c servconf.c servconf.h ssh-add.c ssh-keygen.c ssh.c]
[ssh.h tildexpand.c ttymodes.c ttymodes.h uidswap.c xmalloc.c xmalloc.h]
OpenBSD tag
- markus@cvs.openbsd.org 2000/06/21 10:46:10
sshconnect2.c missing free; nuke old comment
20000620
- (djm) Replace use of '-o' and '-a' logical operators in configure tests
with '||' and '&&'. As suggested by Jim Knoble <jmknoble@pint-stowp.cx>
to fix SCO Unixware problem reported by Gary E. Miller <gem@rellim.com>
- (djm) Typo in loginrec.c
20000618
- (djm) Add summary of configure options to end of ./configure run
- (djm) Not all systems define RUSAGE_SELF & RUSAGE_CHILDREN. Report from
Michael Stone <mstone@cs.loyola.edu>
- (djm) rusage is a privileged operation on some Unices (incl.
Solaris 2.5.1). Report from Paul D. Smith <pausmith@nortelnetworks.com>
- (djm) Avoid PAM failures when running without a TTY. Report from
Martin Petrak <petrak@spsknm.schools.sk>
- (djm) Include sys/types.h when including netinet/in.h in configure tests.
Patch from Jun-ichiro itojun Hagino <itojun@iijlab.net>
- (djm) Started merge of Ben Lindstrom's <mouring@pconline.com> NeXT support
- OpenBSD CVS updates:
- deraadt@cvs.openbsd.org 2000/06/17 09:58:46
[channels.c]
everyone says "nix it" (remove protocol 2 debugging message)
- markus@cvs.openbsd.org 2000/06/17 13:24:34
[sshconnect.c]
allow extended server banners
- markus@cvs.openbsd.org 2000/06/17 14:30:10
[sshconnect.c]
missing atomicio, typo
- jakob@cvs.openbsd.org 2000/06/17 16:52:34
[servconf.c servconf.h session.c sshd.8 sshd_config]
add support for ssh v2 subsystems. ok markus@.
- deraadt@cvs.openbsd.org 2000/06/17 18:57:48
[readconf.c servconf.c]
include = in WHITESPACE; markus ok
- markus@cvs.openbsd.org 2000/06/17 19:09:10
[auth2.c]
implement bug compatibility with ssh-2.0.13 pubkey, server side
- markus@cvs.openbsd.org 2000/06/17 21:00:28
[compat.c]
initial support for ssh.com's 2.2.0
- markus@cvs.openbsd.org 2000/06/17 21:16:09
[scp.c]
typo
- markus@cvs.openbsd.org 2000/06/17 22:05:02
[auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h]
split auth-rsa option parsing into auth-options
add options support to authorized_keys2
- markus@cvs.openbsd.org 2000/06/17 22:42:54
[session.c]
typo
20000613
- (djm) Fixes from Andrew McGill <andrewm@datrix.co.za>:
- Platform define for SCO 3.x which breaks on /dev/ptmx
- Detect and try to fix missing MAXPATHLEN
- (djm) Fix short copy in loginrec.c (based on patch from Phill Camp
<P.S.S.Camp@ukc.ac.uk>
20000612
- (djm) Glob manpages in RPM spec files to catch compressed files
- (djm) Full license in auth-pam.c
- (djm) Configure fixes from SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp>
- (andre) AIX, lastlog, configure fixes from Tom Bertelson <tbert@abac.com>:
- Don't try to retrieve lastlog from wtmp/wtmpx if DISABLE_LASTLOG is
def'd
- Set AIX to use preformatted manpages
20000610
- (djm) Minor doc tweaks
- (djm) Fix for configure on bash2 from Jim Knoble <jmknoble@jmknoble.cx>
20000609
- (djm) Patch from Kenji Miyake <kenji@miyake.org> to disable utmp usage
(in favour of utmpx) on Solaris 8
20000606
- (djm) Cleanup of entropy.c. Reorganised code, removed second pass through
list of commands (by default). Removed verbose debugging (by default).
- (djm) Increased command entropy estimates and default entropy collection
timeout
- (djm) Remove duplicate headers from loginrec.c
- (djm) Don't add /usr/local/lib to library search path on Irix
- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
<tibbs@math.uh.edu>
- (djm) Warn user if grabs fail in GNOME askpass. Patch from Zack Weinberg
<zack@wolery.cumb.org>
- (djm) OpenBSD CVS updates:
- todd@cvs.openbsd.org
[sshconnect2.c]
teach protocol v2 to count login failures properly and also enable an
explanation of why the password prompt comes up again like v1; this is NOT
crypto
- markus@cvs.openbsd.org
[readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
xauth_location support; pr 1234
[readconf.c sshconnect2.c]
typo, unused
[session.c]
allow use_login only for login sessions, otherwise remote commands are
execed with uid==0
[sshd.8]
document UseLogin better
[version.h]
OpenSSH 2.1.1
[auth-rsa.c]
fix match_hostname() logic for auth-rsa: deny access if we have a
negative match or no match at all
[channels.c hostfile.c match.c]
don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
kris@FreeBSD.org
--- changelog from 2.1.0p3:
20000609
- (djm) Patch from Kenji Miyake <kenji@miyake.org> to disable utmp usage
(in favour of utmpx) on Solaris 8
20000606
- (djm) Cleanup of entropy.c. Reorganised code, removed second pass through
list of commands (by default). Removed verbose debugging (by default).
- (djm) Increased command entropy estimates and default entropy collection
timeout
- (djm) Remove duplicate headers from loginrec.c
- (djm) Don't add /usr/local/lib to library search path on Irix
- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
<tibbs@math.uh.edu>
- (djm) Warn user if grabs fail in GNOME askpass. Patch from Zack Weinberg
<zack@wolery.cumb.org>
- (djm) OpenBSD CVS updates:
- todd@cvs.openbsd.org
[sshconnect2.c]
teach protocol v2 to count login failures properly and also enable an
explanation of why the password prompt comes up again like v1; this is NOT
crypto
- markus@cvs.openbsd.org
[readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
xauth_location support; pr 1234
[readconf.c sshconnect2.c]
typo, unused
[session.c]
allow use_login only for login sessions, otherwise remote commands are
execed with uid==0
[sshd.8]
document UseLogin better
[version.h]
OpenSSH 2.1.1
[auth-rsa.c]
fix match_hostname() logic for auth-rsa: deny access if we have a
negative match or no match at all
[channels.c hostfile.c match.c]
don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
kris@FreeBSD.org
20000606
- (djm) Added --with-cflags, --with-ldflags and --with-libs options to
configure.
20000604
- Configure tweaking for new login code on Irix 5.3
- (andre) login code changes based on djm feedback
20000603
- (andre) New login code
- Remove bsd-login.[ch] and all the OpenBSD-derived code in login.c
- Add loginrec.[ch], logintest.c and autoconf code
20000531
- Cleanup of auth.c, login.c and fake-*
- Cleanup of auth-pam.c, save and print "account expired" error messages
- Fix EGD read bug by IWAMURO Motonori <iwa@mmp.fujitsu.co.jp>
- Rewrote bsd-login to use proper utmp API if available. Major cleanup
of fallback DIY code.
