Commit graph

144 commits

Author SHA1 Message Date
grant
faa2c46dbe tell configure where to find xauth(1) so that X forwarding over ssh
works when using pkgsrc X11.

bump PKGREVISION.
2004-10-24 02:52:15 +00:00
tv
c487cb967a Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
2004-10-03 00:12:51 +00:00
wiz
9ac74e840c Update to 3.9p1:
 * Added new "IdentitiesOnly" option to ssh(1), which specifies that it should
   use keys specified in ssh_config, rather than any keys in ssh-agent(1)

 * Make sshd(8) re-execute itself on accepting a new connection. This security
   measure ensures that all execute-time randomisations are reapplied for each
   connection rather than once, for the master process' lifetime. This includes
   mmap and malloc mappings, shared library addressing, shared library mapping
   order, ProPolice and StackGhost cookies on systems that support such things

 * Add strict permission and ownership checks to programs reading ~/.ssh/config
   NB ssh(1) will now exit instead of trying to process a config with poor
   ownership or permissions

 * Implemented the ability to pass selected environment variables between the
   client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in
   ssh_config(5) for details

 * Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum
   number of authentication attempts permitted per connection

 * Added support for cancellation of active remote port forwarding sessions.
   This may be performed using the ~C escape character, see "Escape Characters"
   in ssh(1) for details

 * Many sftp(1) interface improvements, including greatly enhanced "ls" support
   and the ability to cancel active transfers using SIGINT (^C)

 * Implement session multiplexing: a single ssh(1) connection can now carry
   multiple login/command/file transfer sessions. Refer to the "ControlMaster"
   and "ControlPath" options in ssh_config(5) for more information

 * The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)

 * Portable OpenSSH: Re-introduce support for PAM password authentication, in
   addition to the keyboard-interactive driver. PAM password authentication
   is less flexible, and doesn't support pre-authentication password expiry but
   runs in-process so Kerberos tokens, etc are retained

 * Improved and more extensive regression tests

 * Many bugfixes and small improvements
2004-08-31 11:27:11 +00:00
minskim
6c1e49d7f6 Make openssh build on Interix. Currently only the client (ssh) was
tested.  The server (sshd) still needs more patches especially because of
non-zero Administrator uid/gid issues.
2004-08-04 06:43:52 +00:00
grant
1e99c0fee7 add CONFLICT with ssh2-nox11. 2004-07-25 12:36:03 +00:00
reed
a6877657cc Only use the NetBSD-specific MESSAGE.urandom for NetBSD.
It says to use "pseudo-device   rnd" kernel configuration.

TODO: if the above instructions are fine for other
operating systems with /dev/urandom then add.
2004-05-21 23:00:23 +00:00
reed
ec087dd4e3 The makefile had a comment saying PAM authentication causes memory
faults, and haven't tracked down why yet.

Now allow PAM authentication if Linux (and USE_PAM is defined).

This will close my 20846 PR from March 2003.

Also, install the contrib/sshd.pam.generic file as the example
sshd.pam instead of the FreeBSD version, but this is okay since
it was commented out in the first place.

TODO: test the PAM support on other platforms and allow
if USE_PAM is defined.
2004-05-21 22:54:43 +00:00
wiz
23810a3f2a Update to 3.8.1p1:
Minor bugfixes.
2004-05-10 18:12:23 +00:00
xtraeme
e4f66bcc3f Enable md5 passwords support in Linux. This closes PR pkg/25322 by
Piotr Meyer.
2004-05-02 17:30:37 +00:00
jlam
7766d0b725 The buildlink3.mk file for the Kerberos 5 implementation used will
automatically pass the correct -I flags to the compiler.
2004-04-28 05:26:39 +00:00
jlam
e3ee2f2be4 This version of OpenSSH actually no longer supports building with
Kerberos 4 support, so remove those Makefile checks.
2004-04-28 05:25:54 +00:00
jlam
6716a865f5 Fix up OpenSSH sources to allow building with S/Key support on NetBSD as
well.  Bump the PKGREVISION.

XXX The right fix is to create a autoconf check for the number of args
XXX that skeychallenge takes and do the right thing accordingly.
2004-04-28 04:00:17 +00:00
jlam
c1bc435448 Building with Kerberos 4 support doesn't work when using mit-krb5. Only
allow building with Kerberos 4 support when using Heimdal and if the
kerberosIV headers exist.
2004-04-28 03:54:08 +00:00
markd
68acd364ef Add the .endif I missed off last night. 2004-04-27 21:39:39 +00:00
jlam
94da92332c Don't support updating the in-tree openssh via pkgsrc. pkgsrc really
has no business trying to update parts of the base system.
2004-04-27 19:08:36 +00:00
markd
6548ed08a7 Add handling of utmpx/wtmpx on NetBSD-current.
Bump PKGREVISION.
2004-04-27 12:30:23 +00:00
markd
85964ae390 Something in our framework interferes with configure disabling utmp/wtmp
handling on Solaris >= 8 so do it explicitly.
2004-04-27 12:26:31 +00:00
markd
ddc2279c9a Use krb5.buildlink3.mk to find krb5 locations. 2004-04-27 12:21:49 +00:00
wiz
9821b663fe Convert to bl3; update comments in Makefile.intree. 2004-04-25 23:36:52 +00:00
reed
9c790735db mk/bsd.pkg.install.mk now automatically registers
the RCD_SCRIPTS rc.d script(s) to the PLIST.

This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.

This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)

These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)

I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.

Some things maybe to do:
- a few packages still manually install the rc.d scripts to
  hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
2004-04-23 22:07:52 +00:00
wiz
a661ce60c0 PKGREVISION bump after openssl-security-fix-update to 0.9.6m.
Buildlink files: RECOMMENDED version changed to current version.
2004-03-26 02:27:34 +00:00
wiz
f042140b18 Update to 3.8p1:
This version features many improvements and bugfixes.
2004-03-12 19:24:47 +00:00
xtraeme
974c5dc7ce Force manual pages installation, because some systems like IRIX will
install them like preformatted manual pages (cat).
Reported by Georg Schwarz in PR pkg/24428.
2004-02-21 06:26:41 +00:00
jlam
53f75c6830 Don't set LD=${CC} globally, but only pass it to CONFIGURE_ENV, which is
the only relevant place that wants it.
2004-02-07 23:58:49 +00:00
jschauma
fe19bb05b5 PKGREVISION++ after openssl update. 2003-11-12 03:39:39 +00:00
grant
63054249c7 set LD=CC again for all platforms with an appropriate comment - I
don't know why this didn't originally work as it should, but I've
just tested it with gcc3 and Forte 8 on Solaris and I couldn't make
it fail.

fixes coredump problem on Solaris observed by some, and also
PR pkg/23120 from Alex Gerasimoff.

bump PKGREVISION to differentiate between broken and unbroken
package.
2003-10-12 10:13:53 +00:00
grant
2f7d54398d add a missing .elif OPSYS == NetBSD, which was resulting in passing
"--with-skey=... --without-skey" on Solaris :)
2003-10-12 08:25:17 +00:00
jschauma
5bc408943d On non-SunOS, bring back
LD=${CC}
2003-09-23 20:53:52 +00:00
jschauma
91cad7d231 This version of OpenSSH doesn't need special flags for Irix anymore. 2003-09-23 19:33:14 +00:00
jschauma
d22e217b00 Update to 3.7.1p2:
Most important changes: security relevant bug fixes in new PAM authentication code

Changes since OpenSSH 3.7.1p1:
==============================

* This release disables PAM by default. To enable it, set "UsePAM yes" in
  sshd_config. Due to complexity, inconsistencies in the specification and
  differences between vendors' PAM implementations we recommend that PAM
  be left disabled in sshd_config unless there is a need for its use.
  Sites using only public key or simple password authentication usually
  have little need to enable PAM support.

* This release now requires zlib 1.1.4 to build correctly. Previous
  versions have security problems.

* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
  are not supported for older OpenSSL versions.

* Fix compilation problems on systems with a missing or lacking inet_ntoa()
  function.

* Workaround problems related to unimplemented or broken setresuid/setreuid
  functions on several platforms.

* Fix compilation on older OpenBSD systems.

* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
  that has not worked since the 3.7p1 release.
2003-09-23 17:52:33 +00:00
grant
4f44662287 as this pkg now calls the linker directly, we need to explicitly
specify -lc on Solaris.

remove a bogus hack setting LD=${CC} which was also breaking the
build on Solaris.
2003-09-22 01:18:38 +00:00
jschauma
97b01bddae Ok, so we can make this work on Irix by adding
-DSETEUID_BREAKS_SETUID -DBROKEN_SETREUID -DBROKEN_SETREGID
to the CFLAGS.  Wuppi.
2003-09-18 02:11:38 +00:00
jschauma
7c1fd4eb84 Mark OpenSSH-3.7x as *not available for IRIX*!
# OpenSSH 3.7x currently does *not* work on IRIX!
# To compile, we would need to remove the extraneous inclusion of the
# ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though
# sshd will not work:  It seems the connection is closed by the daemon
# when it tries to spawn off a child to handle the incoming connection
#
# If you need the latest security patches for your openssh, I'm afraid you'll
# have to apply them by hand to the 3.6.1p2 version.

(Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed
automatically?)
2003-09-17 16:42:01 +00:00
grant
3783c766e5 move ftp.openssh.com to the top, as it's the only site which has the
new distfile so far.
2003-09-16 23:06:22 +00:00
grant
af8cc1bb0f Update openssh to 3.7.1p1.
Changes since 3.7p1:

more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
2003-09-16 23:05:33 +00:00
grant
aaa76f9d3a Update openssh to 3.7p1.
Large number of changes since 3.6.1p2, the most pertinent being:

* do not expand buffer before attempting to reallocate it (buffer.c)

note that NetBSD-current already includes this fix.

other changes include:

* portability fixes
* regression test fixes
* add GSSAPI support and remove kerberos support from ssh1, retaining
  kerberos passwd auth for ssh1 and 2
* man page fixes
* general bug fixes

see the ChangeLog for full details.
2003-09-16 13:52:30 +00:00
jlam
3fff0e5495 Garbage-collect USE_OPENSSL_VERSION now that openssl/buildlink2.mk supports
just setting BUILDLINK_DEPENDS.openssl.  USE_OPENSSL_VERSION wasn't
actually needed here anyway since the minimum version allowed by
openssl/buildlink2.mk exceeded the version requested here.
2003-09-11 04:13:01 +00:00
jlam
b2677a2cb0 Add definitions for DEINSTALL_EXTRA_TMPL and INSTALL_EXTRA_TMPL if
USE_PKGINSTALL is "YES".  bsd.pkg.install.mk will no longer automatically
pick up a INSTALL/DEINSTALL script in the package directory and assume that
you want it for the corresponding *_EXTRA_TMPL variable.
2003-08-30 22:51:11 +00:00
grant
6d62e266f7 drop unneeded parens 2003-07-30 18:35:53 +00:00
jwise
d96f7482bc Bump ${PKGREVISION} for re-enabled kerberos support. 2003-07-24 21:25:26 +00:00
jwise
86c245dc72 Fix kerberos support in this package (kerberos support in the Makefile
was commented out because it didn't work with recent openssh, is now fixed
and commented back in).  This support is conditional on ${KERBEROS} being
set, and currently enables support for both kerberos 4 and 5.  This should
be refined.

This has been tested and confirmed on -current and 1.6.  Testing on other
platforms (if any?  solaris?) in which we support kerberos in pkgsrc should
be done.
2003-07-24 21:24:28 +00:00
jwise
17b55e0ebf Mark conflicts with openssh+gssapi. 2003-07-24 20:59:03 +00:00
grant
ca3be631f2 s/netbsd.org/NetBSD.org/ 2003-07-17 22:50:55 +00:00
jschauma
a9f758d4a2 Upgrade to 3.6.1p2:
 - (djm) Add back radix.o (used by AFS support), after it went missing from
   Makefile many moons ago
 - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
 - (djm) Fix blibpath specification for AIX/gcc
 - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org

(This last fix makes this compile on IRIX again.)
2003-06-10 21:00:45 +00:00
jschauma
e366d0c694 Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages.
Should anybody feel like they could be the maintainer for any of these packages,
please adjust.
2003-06-02 01:15:31 +00:00
jmmv
f1446ddf2b Drop trailing whitespace. Ok'ed by wiz. 2003-05-06 17:40:18 +00:00
grant
4a5957fb05 fix last 2003-04-22 09:50:01 +00:00
grant
bed88d5529 add missing trailing / on a master site. 2003-04-22 09:48:44 +00:00
grant
a3778e0735 add some faster mirrors to MASTER_SITES. 2003-04-10 20:20:55 +00:00
wiz
99626117c1 Update to 3.6.1p1. No NEWS file included, only a ChangeLog, and the
relevant changes are > 500 lines, see
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
Personal selection:
     rekeying bugfixes and automatic rekeying
     bandwidth limitation (scp -l)
     Add a -t life option to ssh-agent that set the default lifetime.
     The default can still be overridden by using -t in ssh-add.
     sftp progress meter support.
     allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
     [scp.c]
     1) include stalling time in total time
     2) truncate filenames to 45 instead of 20 characters
     3) print rate instead of progress bar, no more stars
     4) scale output to tty width
2003-04-10 12:34:15 +00:00