| 120100823 2 - (djm) Release OpenSSH-5.6p1 3 420100816 5 - (dtucker) [configure.ac openbsd-compat/Makefile.in 6 openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to 7 the compat library which helps on platforms like old IRIX. Based on work 8 by djm, tested by Tom Christensen. 9 - OpenBSD CVS Sync 10 - djm@cvs.openbsd.org 2010/08/12 21:49:44 11 [ssh.c] 12 close any extra file descriptors inherited from parent at start and 13 reopen stdin/stdout to /dev/null when forking for ControlPersist. 14 15 prevents tools that fork and run a captive ssh for communication from 16 failing to exit when the ssh completes while they wait for these fds to 17 close. The inherited fds may persist arbitrarily long if a background 18 mux master has been started by ControlPersist. cvs and scp were effected 19 by this. 20 21 "please commit" markus@ 22 - (djm) [regress/README.regress] typo 23 2420100812 25 - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.sh 26 regress/test-exec.sh] Under certain conditions when testing with sudo 27 tests would fail because the pidfile could not be read by a regular user. 28 "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" 29 Make sure cat is run by $SUDO. no objection from me. djm@ 30 - (tim) [auth.c] add cast to quiet compiler. Change only affects SVR5 systems. 31 3220100809 33 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it is 34 already set. Makes FreeBSD user openable tunnels useful; patch from 35 richard.burakowski+ossh AT mrburak.net, ok dtucker@ 36 - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id. 
37 based in part on a patch from Colin Watson, ok djm@ 38 3920100809 40 - OpenBSD CVS Sync 41 - djm@cvs.openbsd.org 2010/08/08 16:26:42 42 [version.h] 43 crank to 5.6 44 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 45 [contrib/suse/openssh.spec] Crank version numbers 46 4720100805 48 - OpenBSD CVS Sync 49 - djm@cvs.openbsd.org 2010/08/04 05:37:01 50 [ssh.1 ssh_config.5 sshd.8] 51 Remove mentions of weird "addr/port" alternate address format for IPv6 52 addresses combinations. It hasn't worked for ages and we have supported 53 the more commen "[addr]:port" format for a long time. ok jmc@ markus@ 54 - djm@cvs.openbsd.org 2010/08/04 05:40:39 55 [PROTOCOL.certkeys ssh-keygen.c] 56 tighten the rules for certificate encoding by requiring that options 57 appear in lexical order and make our ssh-keygen comply. ok markus@ 58 - djm@cvs.openbsd.org 2010/08/04 05:42:47 59 [auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] 60 [ssh-keysign.c ssh.c] 61 enable certificates for hostbased authentication, from Iain Morgan; 62 "looks ok" markus@ 63 - djm@cvs.openbsd.org 2010/08/04 05:49:22 64 [authfile.c] 65 commited the wrong version of the hostbased certificate diff; this 66 version replaces some strlc{py,at} verbosity with xasprintf() at 67 the request of markus@ 68 - djm@cvs.openbsd.org 2010/08/04 06:07:11 69 [ssh-keygen.1 ssh-keygen.c] 70 Support CA keys in PKCS#11 tokens; feedback and ok markus@ 71 - djm@cvs.openbsd.org 2010/08/04 06:08:40 72 [ssh-keysign.c] 73 clean for -Wuninitialized (Id sync only; portable had this change) 74 - djm@cvs.openbsd.org 2010/08/05 13:08:42 75 [channels.c] 76 Fix a trio of bugs in the local/remote window calculation for datagram 77 data channels (i.e. TunnelForward): 78 79 Calculate local_consumed correctly in channel_handle_wfd() by measuring 80 the delta to buffer_len(c->output) from when we start to when we finish. 
81 The proximal problem here is that the output_filter we use in portable 82 modified the length of the dequeued datagram (to futz with the headers 83 for !OpenBSD). 84 85 In channel_output_poll(), don't enqueue datagrams that won't fit in the 86 peer's advertised packet size (highly unlikely to ever occur) or which 87 won't fit in the peer's remaining window (more likely). 88 89 In channel_input_data(), account for the 4-byte string header in 90 datagram packets that we accept from the peer and enqueue in c->output. 91 92 report, analysis and testing 2/3 cases from wierbows AT us.ibm.com; 93 "looks good" markus@ 94 9520100803 96 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from 97 PAM to sane values in case the PAM method doesn't write to them. Spotted by 98 Bitman Zhou, ok djm@. 99 - OpenBSD CVS Sync 100 - djm@cvs.openbsd.org 2010/07/16 04:45:30 101 [ssh-keygen.c] 102 avoid bogus compiler warning 103 - djm@cvs.openbsd.org 2010/07/16 14:07:35 104 [ssh-rsa.c] 105 more timing paranoia - compare all parts of the expected decrypted 106 data before returning. AFAIK not exploitable in the SSH protocol. 107 "groovy" deraadt@ 108 - djm@cvs.openbsd.org 2010/07/19 03:16:33 109 [sftp-client.c] 110 bz#1797: fix swapped args in upload_dir_internal(), breaking recursive 111 upload depth checks and causing verbose printing of transfers to always 112 be turned on; patch from imorgan AT nas.nasa.gov 113 - djm@cvs.openbsd.org 2010/07/19 09:15:12 114 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] 115 add a "ControlPersist" option that automatically starts a background 116 ssh(1) multiplex master when connecting. This connection can stay alive 117 indefinitely, or can be set to automatically close after a user-specified 118 duration of inactivity. 
bz#1330 - patch by dwmw2 AT infradead.org, but 119 further hacked on by wmertens AT cisco.com, apb AT cequrux.com, 120 martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@ 121 - djm@cvs.openbsd.org 2010/07/21 02:10:58 122 [misc.c] 123 sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern 124 - dtucker@cvs.openbsd.org 2010/07/23 08:49:25 125 [ssh.1] 126 Ciphers is documented in ssh_config(5) these days 127 12820100819 129 - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more 130 details about its behaviour WRT existing directories. Patch from 131 asguthrie at gmail com, ok djm. 132 13320100716 134 - (djm) OpenBSD CVS Sync 135 - djm@cvs.openbsd.org 2010/07/02 04:32:44 136 [misc.c] 137 unbreak strdelim() skipping past quoted strings, e.g. 138 AllowUsers "blah blah" blah 139 was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com 140 ok dtucker; 141 - djm@cvs.openbsd.org 2010/07/12 22:38:52 142 [ssh.c] 143 Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f") 144 for protocol 2. ok markus@ 145 - djm@cvs.openbsd.org 2010/07/12 22:41:13 146 [ssh.c ssh_config.5] 147 expand %h to the hostname in ssh_config Hostname options. 
While this 148 sounds useless, it is actually handy for working with unqualified 149 hostnames: 150 151 Host *.* 152 Hostname %h 153 Host * 154 Hostname %h.example.org 155 156 "I like it" markus@ 157 - djm@cvs.openbsd.org 2010/07/13 11:52:06 158 [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c] 159 [packet.c ssh-rsa.c] 160 implement a timing_safe_cmp() function to compare memory without leaking 161 timing information by short-circuiting like memcmp() and use it for 162 some of the more sensitive comparisons (though nothing high-value was 163 readily attackable anyway); "looks ok" markus@ 164 - djm@cvs.openbsd.org 2010/07/13 23:13:16 165 [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c] 166 [ssh-rsa.c] 167 s/timing_safe_cmp/timingsafe_bcmp/g 168 - jmc@cvs.openbsd.org 2010/07/14 17:06:58 169 [ssh.1] 170 finally ssh synopsis looks nice again! this commit just removes a ton of 171 hacks we had in place to make it work with old groff; 172 - schwarze@cvs.openbsd.org 2010/07/15 21:20:38 173 [ssh-keygen.1] 174 repair incorrect block nesting, which screwed up indentation; 175 problem reported and fix OK by jmc@ 176 17720100714 178 - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpass 179 (line 77) should have been for no_x11_askpass. 180 18120100702 182 - (djm) OpenBSD CVS Sync 183 - jmc@cvs.openbsd.org 2010/06/26 00:57:07 184 [ssh_config.5] 185 tweak previous; 186 - djm@cvs.openbsd.org 2010/06/26 23:04:04 187 [ssh.c] 188 oops, forgot to #include <canohost.h>; spotted and patch from chl@ 189 - djm@cvs.openbsd.org 2010/06/29 23:15:30 190 [ssh-keygen.1 ssh-keygen.c] 191 allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; 192 bz#1749; ok markus@ 193 - djm@cvs.openbsd.org 2010/06/29 23:16:46 194 [auth2-pubkey.c sshd_config.5] 195 allow key options (command="..." 
and friends) in AuthorizedPrincipals; 196 ok markus@ 197 - jmc@cvs.openbsd.org 2010/06/30 07:24:25 198 [ssh-keygen.1] 199 tweak previous; 200 - jmc@cvs.openbsd.org 2010/06/30 07:26:03 201 [ssh-keygen.c] 202 sort usage(); 203 - jmc@cvs.openbsd.org 2010/06/30 07:28:34 204 [sshd_config.5] 205 tweak previous; 206 - millert@cvs.openbsd.org 2010/07/01 13:06:59 207 [scp.c] 208 Fix a longstanding problem where if you suspend scp at the 209 password/passphrase prompt the terminal mode is not restored. 210 OK djm@ 211 - phessler@cvs.openbsd.org 2010/06/27 19:19:56 212 [regress/Makefile] 213 fix how we run the tests so we can successfully use SUDO='sudo -E' 214 in our env 215 - djm@cvs.openbsd.org 2010/06/29 23:59:54 216 [cert-userkey.sh] 217 regress tests for key options in AuthorizedPrincipals 218 21920100627 220 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs 221 key.h. 222 22320100626 224 - (djm) OpenBSD CVS Sync 225 - djm@cvs.openbsd.org 2010/05/21 05:00:36 226 [misc.c] 227 colon() returns char*, so s/return (0)/return NULL/ 228 - markus@cvs.openbsd.org 2010/06/08 21:32:19 229 [ssh-pkcs11.c] 230 check length of value returned C_GetAttributValue for != 0 231 from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@ 232 - djm@cvs.openbsd.org 2010/06/17 07:07:30 233 [mux.c] 234 Correct sizing of object to be allocated by calloc(), replacing 235 sizeof(state) with sizeof(*state). This worked by accident since 236 the struct contained a single int at present, but could have broken 237 in the future. patch from hyc AT symas.com 238 - djm@cvs.openbsd.org 2010/06/18 00:58:39 239 [sftp.c] 240 unbreak ls in working directories that contains globbing characters in 241 their pathnames. 
bz#1655 reported by vgiffin AT apple.com 242 - djm@cvs.openbsd.org 2010/06/18 03:16:03 243 [session.c] 244 Missing check for chroot_director == "none" (we already checked against 245 NULL); bz#1564 from Jan.Pechanec AT Sun.COM 246 - djm@cvs.openbsd.org 2010/06/18 04:43:08 247 [sftp-client.c] 248 fix memory leak in do_realpath() error path; bz#1771, patch from 249 anicka AT suse.cz 250 - djm@cvs.openbsd.org 2010/06/22 04:22:59 251 [servconf.c sshd_config.5] 252 expose some more sshd_config options inside Match blocks: 253 AuthorizedKeysFile AuthorizedPrincipalsFile 254 HostbasedUsesNameFromPacketOnly PermitTunnel 255 bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@ 256 - djm@cvs.openbsd.org 2010/06/22 04:32:06 257 [ssh-keygen.c] 258 standardise error messages when attempting to open private key 259 files to include "progname: filename: error reason" 260 bz#1783; ok dtucker@ 261 - djm@cvs.openbsd.org 2010/06/22 04:49:47 262 [auth.c] 263 queue auth debug messages for bad ownership or permissions on the user's 264 keyfiles. These messages will be sent after the user has successfully 265 authenticated (where our client will display them with LogLevel=debug). 266 bz#1554; ok dtucker@ 267 - djm@cvs.openbsd.org 2010/06/22 04:54:30 268 [ssh-keyscan.c] 269 replace verbose and overflow-prone Linebuf code with read_keyfile_line() 270 based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@ 271 - djm@cvs.openbsd.org 2010/06/22 04:59:12 272 [session.c] 273 include the user name on "subsystem request for ..." 
log messages; 274 bz#1571; ok dtucker@ 275 - djm@cvs.openbsd.org 2010/06/23 02:59:02 276 [ssh-keygen.c] 277 fix printing of extensions in v01 certificates that I broke in r1.190 278 - djm@cvs.openbsd.org 2010/06/25 07:14:46 279 [channels.c mux.c readconf.c readconf.h ssh.h] 280 bz#1327: remove hardcoded limit of 100 permitopen clauses and port 281 forwards per direction; ok markus@ stevesk@ 282 - djm@cvs.openbsd.org 2010/06/25 07:20:04 283 [channels.c session.c] 284 bz#1750: fix requirement for /dev/null inside ChrootDirectory for 285 internal-sftp accidentally introduced in r1.253 by removing the code 286 that opens and dup /dev/null to stderr and modifying the channels code 287 to read stderr but discard it instead; ok markus@ 288 - djm@cvs.openbsd.org 2010/06/25 08:46:17 289 [auth1.c auth2-none.c] 290 skip the initial check for access with an empty password when 291 PermitEmptyPasswords=no; bz#1638; ok markus@ 292 - djm@cvs.openbsd.org 2010/06/25 23:10:30 293 [ssh.c] 294 log the hostname and address that we connected to at LogLevel=verbose 295 after authentication is successful to mitigate "phishing" attacks by 296 servers with trusted keys that accept authentication silently and 297 automatically before presenting fake password/passphrase prompts; 298 "nice!" markus@ 299 - djm@cvs.openbsd.org 2010/06/25 23:10:30 300 [ssh.c] 301 log the hostname and address that we connected to at LogLevel=verbose 302 after authentication is successful to mitigate "phishing" attacks by 303 servers with trusted keys that accept authentication silently and 304 automatically before presenting fake password/passphrase prompts; 305 "nice!" markus@ 306 30720100622 308 - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512 309 bz#1579; ok dtucker 310 31120100618 312 - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~ 313 rather than assuming that $CWD == $HOME. 
bz#1500, patch from 314 timothy AT gelter.com 315 31620100617 317 - (tim) [contrib/cygwin/README] Remove a reference to the obsolete 318 minires-devel package, and to add the reference to the libedit-devel 319 package since CYgwin now provides libedit. Patch from Corinna Vinschen. 320 32120100521 322 - (djm) OpenBSD CVS Sync 323 - djm@cvs.openbsd.org 2010/05/07 11:31:26 324 [regress/Makefile regress/cert-userkey.sh] 325 regress tests for AuthorizedPrincipalsFile and "principals=" key option. 326 feedback and ok markus@ 327 - djm@cvs.openbsd.org 2010/05/11 02:58:04 328 [auth-rsa.c] 329 don't accept certificates marked as "cert-authority" here; ok markus@ 330 - djm@cvs.openbsd.org 2010/05/14 00:47:22 331 [ssh-add.c] 332 check that the certificate matches the corresponding private key before 333 grafting it on 334 - djm@cvs.openbsd.org 2010/05/14 23:29:23 335 [channels.c channels.h mux.c ssh.c] 336 Pause the mux channel while waiting for reply from aynch callbacks. 337 Prevents misordering of replies if new requests arrive while waiting. 338 339 Extend channel open confirm callback to allow signalling failure 340 conditions as well as success. Use this to 1) fix a memory leak, 2) 341 start using the above pause mechanism and 3) delay sending a success/ 342 failure message on mux slave session open until we receive a reply from 343 the server. 344 345 motivated by and with feedback from markus@ 346 - markus@cvs.openbsd.org 2010/05/16 12:55:51 347 [PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c] 348 mux support for remote forwarding with dynamic port allocation, 349 use with 350 LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` 351 feedback and ok djm@ 352 - djm@cvs.openbsd.org 2010/05/20 11:25:26 353 [auth2-pubkey.c] 354 fix logspam when key options (from="..." 
especially) deny non-matching 355 keys; reported by henning@ also bz#1765; ok markus@ dtucker@ 356 - djm@cvs.openbsd.org 2010/05/20 23:46:02 357 [PROTOCOL.certkeys auth-options.c ssh-keygen.c] 358 Move the permit-* options to the non-critical "extensions" field for v01 359 certificates. The logic is that if another implementation fails to 360 implement them then the connection just loses features rather than fails 361 outright. 362 363 ok markus@ 364 36520100511 366 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve 367 circular dependency problem on old or odd platforms. From Tom Lane, ok 368 djm@. 369 - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older 370 libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't 371 already. ok dtucker@ 372 37320100510 374 - OpenBSD CVS Sync 375 - djm@cvs.openbsd.org 2010/04/23 01:47:41 376 [ssh-keygen.c] 377 bz#1740: display a more helpful error message when $HOME is 378 inaccessible while trying to create .ssh directory. Based on patch 379 from jchadima AT redhat.com; ok dtucker@ 380 - djm@cvs.openbsd.org 2010/04/23 22:27:38 381 [mux.c] 382 set "detach_close" flag when registering channel cleanup callbacks. 383 This causes the channel to close normally when its fds close and 384 hangs when terminating a mux slave using ~. bz#1758; ok markus@ 385 - djm@cvs.openbsd.org 2010/04/23 22:42:05 386 [session.c] 387 set stderr to /dev/null for subsystems rather than just closing it. 388 avoids hangs if a subsystem or shell initialisation writes to stderr. 389 bz#1750; ok markus@ 390 - djm@cvs.openbsd.org 2010/04/23 22:48:31 391 [ssh-keygen.c] 392 refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, 393 since we would refuse to use them anyway. bz#1516; ok dtucker@ 394 - djm@cvs.openbsd.org 2010/04/26 22:28:24 395 [sshconnect2.c] 396 bz#1502: authctxt.success is declared as an int, but passed by 397 reference to function that accepts sig_atomic_t*. 
Convert it to 398 the latter; ok markus@ dtucker@ 399 - djm@cvs.openbsd.org 2010/05/01 02:50:50 400 [PROTOCOL.certkeys] 401 typo; jmeltzer@ 402 - dtucker@cvs.openbsd.org 2010/05/05 04:22:09 403 [sftp.c] 404 restore mput and mget which got lost in the tab-completion changes. 405 found by Kenneth Whitaker, ok djm@ 406 - djm@cvs.openbsd.org 2010/05/07 11:30:30 407 [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] 408 [key.c servconf.c servconf.h sshd.8 sshd_config.5] 409 add some optional indirection to matching of principal names listed 410 in certificates. Currently, a certificate must include the a user's name 411 to be accepted for authentication. This change adds the ability to 412 specify a list of certificate principal names that are acceptable. 413 414 When authenticating using a CA trusted through ~/.ssh/authorized_keys, 415 this adds a new principals="name1[,name2,...]" key option. 416 417 For CAs listed through sshd_config's TrustedCAKeys option, a new config 418 option "AuthorizedPrincipalsFile" specifies a per-user file containing 419 the list of acceptable names. 420 421 If either option is absent, the current behaviour of requiring the 422 username to appear in principals continues to apply. 423 424 These options are useful for role accounts, disjoint account namespaces 425 and "user@realm"-style naming policies in certificates. 426 427 feedback and ok markus@ 428 - jmc@cvs.openbsd.org 2010/05/07 12:49:17 429 [sshd_config.5] 430 tweak previous; 431 43220100423 433 - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir 434 in the openssl install directory (some newer openssl versions do this on at 435 least some amd64 platforms). 
436 43720100418 438 - OpenBSD CVS Sync 439 - jmc@cvs.openbsd.org 2010/04/16 06:45:01 440 [ssh_config.5] 441 tweak previous; ok djm 442 - jmc@cvs.openbsd.org 2010/04/16 06:47:04 443 [ssh-keygen.1 ssh-keygen.c] 444 tweak previous; ok djm 445 - djm@cvs.openbsd.org 2010/04/16 21:14:27 446 [sshconnect.c] 447 oops, %r => remote username, not %u 448 - djm@cvs.openbsd.org 2010/04/16 01:58:45 449 [regress/cert-hostkey.sh regress/cert-userkey.sh] 450 regression tests for v01 certificate format 451 includes interop tests for v00 certs 452 - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.default 453 file. 454 45520100416 456 - (djm) Release openssh-5.5p1 457 - OpenBSD CVS Sync 458 - djm@cvs.openbsd.org 2010/03/26 03:13:17 459 [bufaux.c] 460 allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer 461 argument to allow skipping past values in a buffer 462 - jmc@cvs.openbsd.org 2010/03/26 06:54:36 463 [ssh.1] 464 tweak previous; 465 - jmc@cvs.openbsd.org 2010/03/27 14:26:55 466 [ssh_config.5] 467 tweak previous; ok dtucker 468 - djm@cvs.openbsd.org 2010/04/10 00:00:16 469 [ssh.c] 470 bz#1746 - suppress spurious tty warning when using -O and stdin 471 is not a tty; ok dtucker@ markus@ 472 - djm@cvs.openbsd.org 2010/04/10 00:04:30 473 [sshconnect.c] 474 fix terminology: we didn't find a certificate in known_hosts, we found 475 a CA key 476 - djm@cvs.openbsd.org 2010/04/10 02:08:44 477 [clientloop.c] 478 bz#1698: kill channel when pty allocation requests fail. Fixed 479 stuck client if the server refuses pty allocation. 480 ok dtucker@ "think so" markus@ 481 - djm@cvs.openbsd.org 2010/04/10 02:10:56 482 [sshconnect2.c] 483 show the key type that we are offering in debug(), helps distinguish 484 between certs and plain keys as the path to the private key is usually 485 the same. 
486 - djm@cvs.openbsd.org 2010/04/10 05:48:16 487 [mux.c] 488 fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au 489 - djm@cvs.openbsd.org 2010/04/14 22:27:42 490 [ssh_config.5 sshconnect.c] 491 expand %r => remote username in ssh_config:ProxyCommand; 492 ok deraadt markus 493 - markus@cvs.openbsd.org 2010/04/15 20:32:55 494 [ssh-pkcs11.c] 495 retry lookup for private key if there's no matching key with CKA_SIGN 496 attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736) 497 ok djm@ 498 - djm@cvs.openbsd.org 2010/04/16 01:47:26 499 [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] 500 [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] 501 [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] 502 [sshconnect.c sshconnect2.c sshd.c] 503 revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the 504 following changes: 505 506 move the nonce field to the beginning of the certificate where it can 507 better protect against chosen-prefix attacks on the signature hash 508 509 Rename "constraints" field to "critical options" 510 511 Add a new non-critical "extensions" field 512 513 Add a serial number 514 515 The older format is still support for authentication and cert generation 516 (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) 517 518 ok markus@ 519
|
120100410 2 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo 3 back so we disable the IPv6 tests if we don't have it. 4 520100409 6 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong 7 ones. Based on a patch from Roumen Petrov. 8 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
--- 2735 unchanged lines hidden --- | 52020100410 521 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo 522 back so we disable the IPv6 tests if we don't have it. 523 52420100409 525 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong 526 ones. Based on a patch from Roumen Petrov. 527 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
--- 2735 unchanged lines hidden --- |
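Review bot: The djm@cvs.openbsd.org 2010/06/25 23:10:30 [ssh.c] entry ("log the hostname and address that we connected to at LogLevel=verbose ...") is recorded twice in a row under 20100626, at new lines 292-298 and again at 299-305; drop the second copy. The 20100819 block at lines 128-131 sits between 20100803 and 20100716, which breaks the file's newest-first date order, and it names "contrib/ssh-copy-ud.1" where the entry text refers to ssh-copy-id.1; move the block above 20100816 and correct the file name. The two consecutive 20100809 headings (lines 32 and 39) could be merged into one. A few spelling slips are worth fixing in the same pass: "effected" (line 18), "commen" (line 53), "aynch" (line 336), "fixes fixes" (line 496) and "still support" (line 515).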