| 120100823
2 - (djm) Release OpenSSH-5.6p1
3
420100816
5 - (dtucker) [configure.ac openbsd-compat/Makefile.in
6 openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to
7 the compat library which helps on platforms like old IRIX. Based on work
8 by djm, tested by Tom Christensen.
9 - OpenBSD CVS Sync
10 - djm@cvs.openbsd.org 2010/08/12 21:49:44
11 [ssh.c]
12 close any extra file descriptors inherited from parent at start and
13 reopen stdin/stdout to /dev/null when forking for ControlPersist.
14
15 prevents tools that fork and run a captive ssh for communication from
16 failing to exit when the ssh completes while they wait for these fds to
17 close. The inherited fds may persist arbitrarily long if a background
18 mux master has been started by ControlPersist. cvs and scp were effected
19 by this.
20
21 "please commit" markus@
22 - (djm) [regress/README.regress] typo
23
2420100812
25 - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh
26 regress/test-exec.sh] Under certain conditions when testing with sudo
27 tests would fail because the pidfile could not be read by a regular user.
28 "cat: cannot open ...../regress/pidfile: Permission denied (error 13)"
29 Make sure cat is run by $SUDO. no objection from me. djm@
30 - (tim) [auth.c] add cast to quiet compiler. Change only affects SVR5 systems.
31
3220100809
33 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it is
34 already set. Makes FreeBSD user openable tunnels useful; patch from
35 richard.burakowski+ossh AT mrburak.net, ok dtucker@
36 - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id.
37 based in part on a patch from Colin Watson, ok djm@
38
3920100809
40 - OpenBSD CVS Sync
41 - djm@cvs.openbsd.org 2010/08/08 16:26:42
42 [version.h]
43 crank to 5.6
44 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
45 [contrib/suse/openssh.spec] Crank version numbers
46
4720100805
48 - OpenBSD CVS Sync
49 - djm@cvs.openbsd.org 2010/08/04 05:37:01
50 [ssh.1 ssh_config.5 sshd.8]
51 Remove mentions of weird "addr/port" alternate address format for IPv6
52 addresses combinations. It hasn't worked for ages and we have supported
53 the more commen "[addr]:port" format for a long time. ok jmc@ markus@
54 - djm@cvs.openbsd.org 2010/08/04 05:40:39
55 [PROTOCOL.certkeys ssh-keygen.c]
56 tighten the rules for certificate encoding by requiring that options
57 appear in lexical order and make our ssh-keygen comply. ok markus@
58 - djm@cvs.openbsd.org 2010/08/04 05:42:47
59 [auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8]
60 [ssh-keysign.c ssh.c]
61 enable certificates for hostbased authentication, from Iain Morgan;
62 "looks ok" markus@
63 - djm@cvs.openbsd.org 2010/08/04 05:49:22
64 [authfile.c]
65 commited the wrong version of the hostbased certificate diff; this
66 version replaces some strlc{py,at} verbosity with xasprintf() at
67 the request of markus@
68 - djm@cvs.openbsd.org 2010/08/04 06:07:11
69 [ssh-keygen.1 ssh-keygen.c]
70 Support CA keys in PKCS#11 tokens; feedback and ok markus@
71 - djm@cvs.openbsd.org 2010/08/04 06:08:40
72 [ssh-keysign.c]
73 clean for -Wuninitialized (Id sync only; portable had this change)
74 - djm@cvs.openbsd.org 2010/08/05 13:08:42
75 [channels.c]
76 Fix a trio of bugs in the local/remote window calculation for datagram
77 data channels (i.e. TunnelForward):
78
79 Calculate local_consumed correctly in channel_handle_wfd() by measuring
80 the delta to buffer_len(c->output) from when we start to when we finish.
81 The proximal problem here is that the output_filter we use in portable
82 modified the length of the dequeued datagram (to futz with the headers
83 for !OpenBSD).
84
85 In channel_output_poll(), don't enqueue datagrams that won't fit in the
86 peer's advertised packet size (highly unlikely to ever occur) or which
87 won't fit in the peer's remaining window (more likely).
88
89 In channel_input_data(), account for the 4-byte string header in
90 datagram packets that we accept from the peer and enqueue in c->output.
91
92 report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
93 "looks good" markus@
94
9520100803
96 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from
97 PAM to sane values in case the PAM method doesn't write to them. Spotted by
98 Bitman Zhou, ok djm@.
99 - OpenBSD CVS Sync
100 - djm@cvs.openbsd.org 2010/07/16 04:45:30
101 [ssh-keygen.c]
102 avoid bogus compiler warning
103 - djm@cvs.openbsd.org 2010/07/16 14:07:35
104 [ssh-rsa.c]
105 more timing paranoia - compare all parts of the expected decrypted
106 data before returning. AFAIK not exploitable in the SSH protocol.
107 "groovy" deraadt@
108 - djm@cvs.openbsd.org 2010/07/19 03:16:33
109 [sftp-client.c]
110 bz#1797: fix swapped args in upload_dir_internal(), breaking recursive
111 upload depth checks and causing verbose printing of transfers to always
112 be turned on; patch from imorgan AT nas.nasa.gov
113 - djm@cvs.openbsd.org 2010/07/19 09:15:12
114 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
115 add a "ControlPersist" option that automatically starts a background
116 ssh(1) multiplex master when connecting. This connection can stay alive
117 indefinitely, or can be set to automatically close after a user-specified
118 duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but
119 further hacked on by wmertens AT cisco.com, apb AT cequrux.com,
120 martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
121 - djm@cvs.openbsd.org 2010/07/21 02:10:58
122 [misc.c]
123 sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern
124 - dtucker@cvs.openbsd.org 2010/07/23 08:49:25
125 [ssh.1]
126 Ciphers is documented in ssh_config(5) these days
127
12820100819
129 - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more
130 details about its behaviour WRT existing directories. Patch from
131 asguthrie at gmail com, ok djm.
132
13320100716
134 - (djm) OpenBSD CVS Sync
135 - djm@cvs.openbsd.org 2010/07/02 04:32:44
136 [misc.c]
137 unbreak strdelim() skipping past quoted strings, e.g.
138 AllowUsers "blah blah" blah
139 was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com
140 ok dtucker;
141 - djm@cvs.openbsd.org 2010/07/12 22:38:52
142 [ssh.c]
143 Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f")
144 for protocol 2. ok markus@
145 - djm@cvs.openbsd.org 2010/07/12 22:41:13
146 [ssh.c ssh_config.5]
147 expand %h to the hostname in ssh_config Hostname options. While this
148 sounds useless, it is actually handy for working with unqualified
149 hostnames:
150
151 Host *.*
152 Hostname %h
153 Host *
154 Hostname %h.example.org
155
156 "I like it" markus@
157 - djm@cvs.openbsd.org 2010/07/13 11:52:06
158 [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
159 [packet.c ssh-rsa.c]
160 implement a timing_safe_cmp() function to compare memory without leaking
161 timing information by short-circuiting like memcmp() and use it for
162 some of the more sensitive comparisons (though nothing high-value was
163 readily attackable anyway); "looks ok" markus@
164 - djm@cvs.openbsd.org 2010/07/13 23:13:16
165 [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c]
166 [ssh-rsa.c]
167 s/timing_safe_cmp/timingsafe_bcmp/g
168 - jmc@cvs.openbsd.org 2010/07/14 17:06:58
169 [ssh.1]
170 finally ssh synopsis looks nice again! this commit just removes a ton of
171 hacks we had in place to make it work with old groff;
172 - schwarze@cvs.openbsd.org 2010/07/15 21:20:38
173 [ssh-keygen.1]
174 repair incorrect block nesting, which screwed up indentation;
175 problem reported and fix OK by jmc@
176
17720100714
178 - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpass
179 (line 77) should have been for no_x11_askpass.
180
18120100702
182 - (djm) OpenBSD CVS Sync
183 - jmc@cvs.openbsd.org 2010/06/26 00:57:07
184 [ssh_config.5]
185 tweak previous;
186 - djm@cvs.openbsd.org 2010/06/26 23:04:04
187 [ssh.c]
188 oops, forgot to #include <canohost.h>; spotted and patch from chl@
189 - djm@cvs.openbsd.org 2010/06/29 23:15:30
190 [ssh-keygen.1 ssh-keygen.c]
191 allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
192 bz#1749; ok markus@
193 - djm@cvs.openbsd.org 2010/06/29 23:16:46
194 [auth2-pubkey.c sshd_config.5]
195 allow key options (command="..." and friends) in AuthorizedPrincipals;
196 ok markus@
197 - jmc@cvs.openbsd.org 2010/06/30 07:24:25
198 [ssh-keygen.1]
199 tweak previous;
200 - jmc@cvs.openbsd.org 2010/06/30 07:26:03
201 [ssh-keygen.c]
202 sort usage();
203 - jmc@cvs.openbsd.org 2010/06/30 07:28:34
204 [sshd_config.5]
205 tweak previous;
206 - millert@cvs.openbsd.org 2010/07/01 13:06:59
207 [scp.c]
208 Fix a longstanding problem where if you suspend scp at the
209 password/passphrase prompt the terminal mode is not restored.
210 OK djm@
211 - phessler@cvs.openbsd.org 2010/06/27 19:19:56
212 [regress/Makefile]
213 fix how we run the tests so we can successfully use SUDO='sudo -E'
214 in our env
215 - djm@cvs.openbsd.org 2010/06/29 23:59:54
216 [cert-userkey.sh]
217 regress tests for key options in AuthorizedPrincipals
218
21920100627
220 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs
221 key.h.
222
22320100626
224 - (djm) OpenBSD CVS Sync
225 - djm@cvs.openbsd.org 2010/05/21 05:00:36
226 [misc.c]
227 colon() returns char*, so s/return (0)/return NULL/
228 - markus@cvs.openbsd.org 2010/06/08 21:32:19
229 [ssh-pkcs11.c]
230 check length of value returned C_GetAttributValue for != 0
231 from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@
232 - djm@cvs.openbsd.org 2010/06/17 07:07:30
233 [mux.c]
234 Correct sizing of object to be allocated by calloc(), replacing
235 sizeof(state) with sizeof(*state). This worked by accident since
236 the struct contained a single int at present, but could have broken
237 in the future. patch from hyc AT symas.com
238 - djm@cvs.openbsd.org 2010/06/18 00:58:39
239 [sftp.c]
240 unbreak ls in working directories that contains globbing characters in
241 their pathnames. bz#1655 reported by vgiffin AT apple.com
242 - djm@cvs.openbsd.org 2010/06/18 03:16:03
243 [session.c]
244 Missing check for chroot_director == "none" (we already checked against
245 NULL); bz#1564 from Jan.Pechanec AT Sun.COM
246 - djm@cvs.openbsd.org 2010/06/18 04:43:08
247 [sftp-client.c]
248 fix memory leak in do_realpath() error path; bz#1771, patch from
249 anicka AT suse.cz
250 - djm@cvs.openbsd.org 2010/06/22 04:22:59
251 [servconf.c sshd_config.5]
252 expose some more sshd_config options inside Match blocks:
253 AuthorizedKeysFile AuthorizedPrincipalsFile
254 HostbasedUsesNameFromPacketOnly PermitTunnel
255 bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
256 - djm@cvs.openbsd.org 2010/06/22 04:32:06
257 [ssh-keygen.c]
258 standardise error messages when attempting to open private key
259 files to include "progname: filename: error reason"
260 bz#1783; ok dtucker@
261 - djm@cvs.openbsd.org 2010/06/22 04:49:47
262 [auth.c]
263 queue auth debug messages for bad ownership or permissions on the user's
264 keyfiles. These messages will be sent after the user has successfully
265 authenticated (where our client will display them with LogLevel=debug).
266 bz#1554; ok dtucker@
267 - djm@cvs.openbsd.org 2010/06/22 04:54:30
268 [ssh-keyscan.c]
269 replace verbose and overflow-prone Linebuf code with read_keyfile_line()
270 based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@
271 - djm@cvs.openbsd.org 2010/06/22 04:59:12
272 [session.c]
273 include the user name on "subsystem request for ..." log messages;
274 bz#1571; ok dtucker@
275 - djm@cvs.openbsd.org 2010/06/23 02:59:02
276 [ssh-keygen.c]
277 fix printing of extensions in v01 certificates that I broke in r1.190
278 - djm@cvs.openbsd.org 2010/06/25 07:14:46
279 [channels.c mux.c readconf.c readconf.h ssh.h]
280 bz#1327: remove hardcoded limit of 100 permitopen clauses and port
281 forwards per direction; ok markus@ stevesk@
282 - djm@cvs.openbsd.org 2010/06/25 07:20:04
283 [channels.c session.c]
284 bz#1750: fix requirement for /dev/null inside ChrootDirectory for
285 internal-sftp accidentally introduced in r1.253 by removing the code
286 that opens and dup /dev/null to stderr and modifying the channels code
287 to read stderr but discard it instead; ok markus@
288 - djm@cvs.openbsd.org 2010/06/25 08:46:17
289 [auth1.c auth2-none.c]
290 skip the initial check for access with an empty password when
291 PermitEmptyPasswords=no; bz#1638; ok markus@
292 - djm@cvs.openbsd.org 2010/06/25 23:10:30
293 [ssh.c]
294 log the hostname and address that we connected to at LogLevel=verbose
295 after authentication is successful to mitigate "phishing" attacks by
296 servers with trusted keys that accept authentication silently and
297 automatically before presenting fake password/passphrase prompts;
298 "nice!" markus@
299 - djm@cvs.openbsd.org 2010/06/25 23:10:30
300 [ssh.c]
301 log the hostname and address that we connected to at LogLevel=verbose
302 after authentication is successful to mitigate "phishing" attacks by
303 servers with trusted keys that accept authentication silently and
304 automatically before presenting fake password/passphrase prompts;
305 "nice!" markus@
306
30720100622
308 - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
309 bz#1579; ok dtucker
310
31120100618
312 - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~
313 rather than assuming that $CWD == $HOME. bz#1500, patch from
314 timothy AT gelter.com
315
31620100617
317 - (tim) [contrib/cygwin/README] Remove a reference to the obsolete
318 minires-devel package, and to add the reference to the libedit-devel
319 package since CYgwin now provides libedit. Patch from Corinna Vinschen.
320
32120100521
322 - (djm) OpenBSD CVS Sync
323 - djm@cvs.openbsd.org 2010/05/07 11:31:26
324 [regress/Makefile regress/cert-userkey.sh]
325 regress tests for AuthorizedPrincipalsFile and "principals=" key option.
326 feedback and ok markus@
327 - djm@cvs.openbsd.org 2010/05/11 02:58:04
328 [auth-rsa.c]
329 don't accept certificates marked as "cert-authority" here; ok markus@
330 - djm@cvs.openbsd.org 2010/05/14 00:47:22
331 [ssh-add.c]
332 check that the certificate matches the corresponding private key before
333 grafting it on
334 - djm@cvs.openbsd.org 2010/05/14 23:29:23
335 [channels.c channels.h mux.c ssh.c]
336 Pause the mux channel while waiting for reply from aynch callbacks.
337 Prevents misordering of replies if new requests arrive while waiting.
338
339 Extend channel open confirm callback to allow signalling failure
340 conditions as well as success. Use this to 1) fix a memory leak, 2)
341 start using the above pause mechanism and 3) delay sending a success/
342 failure message on mux slave session open until we receive a reply from
343 the server.
344
345 motivated by and with feedback from markus@
346 - markus@cvs.openbsd.org 2010/05/16 12:55:51
347 [PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c]
348 mux support for remote forwarding with dynamic port allocation,
349 use with
350 LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
351 feedback and ok djm@
352 - djm@cvs.openbsd.org 2010/05/20 11:25:26
353 [auth2-pubkey.c]
354 fix logspam when key options (from="..." especially) deny non-matching
355 keys; reported by henning@ also bz#1765; ok markus@ dtucker@
356 - djm@cvs.openbsd.org 2010/05/20 23:46:02
357 [PROTOCOL.certkeys auth-options.c ssh-keygen.c]
358 Move the permit-* options to the non-critical "extensions" field for v01
359 certificates. The logic is that if another implementation fails to
360 implement them then the connection just loses features rather than fails
361 outright.
362
363 ok markus@
364
36520100511
366 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
367 circular dependency problem on old or odd platforms. From Tom Lane, ok
368 djm@.
369 - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older
370 libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't
371 already. ok dtucker@
372
37320100510
374 - OpenBSD CVS Sync
375 - djm@cvs.openbsd.org 2010/04/23 01:47:41
376 [ssh-keygen.c]
377 bz#1740: display a more helpful error message when $HOME is
378 inaccessible while trying to create .ssh directory. Based on patch
379 from jchadima AT redhat.com; ok dtucker@
380 - djm@cvs.openbsd.org 2010/04/23 22:27:38
381 [mux.c]
382 set "detach_close" flag when registering channel cleanup callbacks.
383 This causes the channel to close normally when its fds close and
384 hangs when terminating a mux slave using ~. bz#1758; ok markus@
385 - djm@cvs.openbsd.org 2010/04/23 22:42:05
386 [session.c]
387 set stderr to /dev/null for subsystems rather than just closing it.
388 avoids hangs if a subsystem or shell initialisation writes to stderr.
389 bz#1750; ok markus@
390 - djm@cvs.openbsd.org 2010/04/23 22:48:31
391 [ssh-keygen.c]
392 refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,
393 since we would refuse to use them anyway. bz#1516; ok dtucker@
394 - djm@cvs.openbsd.org 2010/04/26 22:28:24
395 [sshconnect2.c]
396 bz#1502: authctxt.success is declared as an int, but passed by
397 reference to function that accepts sig_atomic_t*. Convert it to
398 the latter; ok markus@ dtucker@
399 - djm@cvs.openbsd.org 2010/05/01 02:50:50
400 [PROTOCOL.certkeys]
401 typo; jmeltzer@
402 - dtucker@cvs.openbsd.org 2010/05/05 04:22:09
403 [sftp.c]
404 restore mput and mget which got lost in the tab-completion changes.
405 found by Kenneth Whitaker, ok djm@
406 - djm@cvs.openbsd.org 2010/05/07 11:30:30
407 [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
408 [key.c servconf.c servconf.h sshd.8 sshd_config.5]
409 add some optional indirection to matching of principal names listed
410 in certificates. Currently, a certificate must include the a user's name
411 to be accepted for authentication. This change adds the ability to
412 specify a list of certificate principal names that are acceptable.
413
414 When authenticating using a CA trusted through ~/.ssh/authorized_keys,
415 this adds a new principals="name1[,name2,...]" key option.
416
417 For CAs listed through sshd_config's TrustedCAKeys option, a new config
418 option "AuthorizedPrincipalsFile" specifies a per-user file containing
419 the list of acceptable names.
420
421 If either option is absent, the current behaviour of requiring the
422 username to appear in principals continues to apply.
423
424 These options are useful for role accounts, disjoint account namespaces
425 and "user@realm"-style naming policies in certificates.
426
427 feedback and ok markus@
428 - jmc@cvs.openbsd.org 2010/05/07 12:49:17
429 [sshd_config.5]
430 tweak previous;
431
43220100423
433 - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir
434 in the openssl install directory (some newer openssl versions do this on at
435 least some amd64 platforms).
436
43720100418
438 - OpenBSD CVS Sync
439 - jmc@cvs.openbsd.org 2010/04/16 06:45:01
440 [ssh_config.5]
441 tweak previous; ok djm
442 - jmc@cvs.openbsd.org 2010/04/16 06:47:04
443 [ssh-keygen.1 ssh-keygen.c]
444 tweak previous; ok djm
445 - djm@cvs.openbsd.org 2010/04/16 21:14:27
446 [sshconnect.c]
447 oops, %r => remote username, not %u
448 - djm@cvs.openbsd.org 2010/04/16 01:58:45
449 [regress/cert-hostkey.sh regress/cert-userkey.sh]
450 regression tests for v01 certificate format
451 includes interop tests for v00 certs
452 - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.default
453 file.
454
45520100416
456 - (djm) Release openssh-5.5p1
457 - OpenBSD CVS Sync
458 - djm@cvs.openbsd.org 2010/03/26 03:13:17
459 [bufaux.c]
460 allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer
461 argument to allow skipping past values in a buffer
462 - jmc@cvs.openbsd.org 2010/03/26 06:54:36
463 [ssh.1]
464 tweak previous;
465 - jmc@cvs.openbsd.org 2010/03/27 14:26:55
466 [ssh_config.5]
467 tweak previous; ok dtucker
468 - djm@cvs.openbsd.org 2010/04/10 00:00:16
469 [ssh.c]
470 bz#1746 - suppress spurious tty warning when using -O and stdin
471 is not a tty; ok dtucker@ markus@
472 - djm@cvs.openbsd.org 2010/04/10 00:04:30
473 [sshconnect.c]
474 fix terminology: we didn't find a certificate in known_hosts, we found
475 a CA key
476 - djm@cvs.openbsd.org 2010/04/10 02:08:44
477 [clientloop.c]
478 bz#1698: kill channel when pty allocation requests fail. Fixed
479 stuck client if the server refuses pty allocation.
480 ok dtucker@ "think so" markus@
481 - djm@cvs.openbsd.org 2010/04/10 02:10:56
482 [sshconnect2.c]
483 show the key type that we are offering in debug(), helps distinguish
484 between certs and plain keys as the path to the private key is usually
485 the same.
486 - djm@cvs.openbsd.org 2010/04/10 05:48:16
487 [mux.c]
488 fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au
489 - djm@cvs.openbsd.org 2010/04/14 22:27:42
490 [ssh_config.5 sshconnect.c]
491 expand %r => remote username in ssh_config:ProxyCommand;
492 ok deraadt markus
493 - markus@cvs.openbsd.org 2010/04/15 20:32:55
494 [ssh-pkcs11.c]
495 retry lookup for private key if there's no matching key with CKA_SIGN
496 attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)
497 ok djm@
498 - djm@cvs.openbsd.org 2010/04/16 01:47:26
499 [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
500 [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
501 [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
502 [sshconnect.c sshconnect2.c sshd.c]
503 revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
504 following changes:
505
506 move the nonce field to the beginning of the certificate where it can
507 better protect against chosen-prefix attacks on the signature hash
508
509 Rename "constraints" field to "critical options"
510
511 Add a new non-critical "extensions" field
512
513 Add a serial number
514
515 The older format is still support for authentication and cert generation
516 (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
517
518 ok markus@
519
|
120100410
2 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
3 back so we disable the IPv6 tests if we don't have it.
4
520100409
6 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
7 ones. Based on a patch from Roumen Petrov.
8 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
--- 2735 unchanged lines hidden --- | 52020100410
521 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
522 back so we disable the IPv6 tests if we don't have it.
523
52420100409
525 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
526 ones. Based on a patch from Roumen Petrov.
527 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
--- 2735 unchanged lines hidden --- |