308205 |
02-Nov-2016 |
delphij |
Fix BIND remote Denial of Service vulnerability. [SA-16:34]
Fix OpenSSL remote DoS vulnerability. [SA-16:35]
Security: FreeBSD-SA-16:34.bind Security: FreeBSD-SA-16:35.openssl Approved by: so |
306336 |
26-Sep-2016 |
delphij |
Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:
Fix overflow check in BN_bn2dec()
Fix an off by one error in the overflow check added by 07bed46 ("Check for errors in BN_bn2dec()").
This fixes a regression introduced in SA-16:26.openssl.
Submitted by: jkim PR: 212921 Approved by: so |
306230 |
23-Sep-2016 |
delphij |
Fix multiple OpenSSL vulnerabilities.
Approved by: so Security: FreeBSD-SA-16:26.openssl |
299068 |
04-May-2016 |
delphij |
Fix multiple OpenSSL vulnerabilities. [SA-16:17]
Fix memory leak in ZFS. [EN-16:08]
Approved by: so |
296953 |
16-Mar-2016 |
glebius |
o Fix OpenSSH xauth(1) command injection. [SA-16:14]
o Fix incorrect argument validation in sysarch(2). [SA-16:15]
Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115 Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885 Approved by: so |
296611 |
10-Mar-2016 |
delphij |
Fix multiple vulnerabilities of BIND. [SA-16:13]
Fix a regression with OpenSSL patch. [SA-16:12]
Approved by: so |
296465 |
07-Mar-2016 |
delphij |
Fix multiple OpenSSL vulnerabilities.
Security: FreeBSD-SA-16:12.openssl Approved by: so |
295061 |
30-Jan-2016 |
delphij |
Fix OpenSSL SSLv2 ciphersuite downgrade vulnerability.
Security: CVE-2015-3197 Security: FreeBSD-SA-16:11.openssl Approved by: so |
294054 |
14-Jan-2016 |
glebius |
Fix OpenSSH client information leak.
Security: SA-16:07.openssh Security: CVE-2016-0777 Approved by: so |
291854 |
05-Dec-2015 |
delphij |
Fix OpenSSL multiple vulnerabilities.
Security: FreeBSD-SA-15:26.openssl Approved by: so |
287147 |
25-Aug-2015 |
delphij |
Fix local privilege escalation in IRET handler. [SA-15:21]
Fix OpenSSH multiple vulnerabilities. [SA-15:22]
Fix insufficient check of unsupported pkg(7) signature methods. [EN-15:15]
Approved by: so |
285980 |
28-Jul-2015 |
delphij |
Fix resource exhaustion in TCP reassembly. [SA-15:15]
Fix OpenSSH multiple vulnerabilities. [SA-15:16]
Fix BIND remote denial of service vulnerability. [SA-15:17]
Approved by: so |
284295 |
12-Jun-2015 |
delphij |
Fix OpenSSL multiple vulnerabilities.
Security: FreeBSD-SA-15:10.openssl Approved by: so |
280275 |
20-Mar-2015 |
delphij |
Fix issues with original SA-15:06.openssl commit:
- Revert a portion of ASN1 change per suggested by OpenBSD and OpenSSL developers. The change was removed from the formal OpenSSL release and does not solve security issue.
- Properly fix CVE-2015-0209 and CVE-2015-0288.
Approved by: so |
280268 |
19-Mar-2015 |
delphij |
Fix multiple OpenSSL vulnerabilities.
Security: FreeBSD-SA-15:06.openssl Security: CVE-2015-0209 Security: CVE-2015-0286 Security: CVE-2015-0287 Security: CVE-2015-0288 Security: CVE-2015-0289 Security: CVE-2015-0293 Approved by: so |
279265 |
25-Feb-2015 |
delphij |
Fix integer overflow in IGMP protocol. [SA-15:04]
Fix BIND remote denial of service vulnerability. [SA-15:05]
Fix vt(4) crash with improper ioctl parameters. [EN-15:01]
Updated base system OpenSSL to 0.9.8zd. [EN-15:02]
Fix freebsd-update libraries update ordering issue. [EN-15:03]
Approved by: so |
277195 |
14-Jan-2015 |
delphij |
Fix multiple vulnerabilities in OpenSSL. [SA-15:01]
Approved by: so |
273415 |
21-Oct-2014 |
delphij |
Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]
Fix routed(8) remote denial of service vulnerability. [SA-14:21]
Fix memory leak in sandboxed namei lookup. [SA-14:22]
Fix OpenSSL multiple vulnerabilities. [SA-14:23]
Approved by: so |
271305 |
09-Sep-2014 |
delphij |
Fix multiple OpenSSL vulnerabilities:
The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. [CVE-2014-3506]
The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. [CVE-2014-3507]
A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. [CVE-2014-3510]
Security: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510 Security: FreeBSD-SA-14:18.openssl Approved by: so |
267655 |
20-Jun-2014 |
gjb |
Remove svn:mergeinfo carried over from stable/9.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
267654 |
20-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
267285 |
09-Jun-2014 |
jkim |
Merge OpenSSL 0.9.8za.
Approved by: re (kib), so (delphij)
|
267106 |
05-Jun-2014 |
delphij |
Fix OpenSSL multiple vulnerabilities.
Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 Security: SA-14:14.openssl Approved by: re (jpaetzel)
|
264693 |
20-Apr-2014 |
des |
MFH (r264691): merge upstream patch for EC calculation bug
|
264624 |
17-Apr-2014 |
delphij |
Cherry-pick OpenSSL changeset 5be1ae2:
==== Author: Dr. Stephen Henson <steve@openssl.org>
Treat a zero length passed to ssleay_rand_add a no op: the existing logic zeroes the md value which is very bad. OpenSSL itself never does this internally and the actual call doesn't make sense as it would be passing zero bytes of entropy.
Thanks to Marcus Meissner <meissner@suse.de> for reporting this bug. ====
This is a direct commit to stable/8 and stable/9. -HEAD and stable/10 already have this fix as part of OpenSSL 1.0.1g.
Noticed by: koobs Reviewed by: benl (maintainer)
|
264285 |
08-Apr-2014 |
delphij |
Fix NFS deadlock vulnerability. [SA-14:05]
Fix ECDSA Cache Side-channel Attack in OpenSSL. [SA-14:06]
|
263970 |
31-Mar-2014 |
des |
MFH (r237568, r255422, r255460, r255766, r255767, r255774, r255829, r256126, r257954, r261320, r261499, r263691, r263712): upgrade to OpenSSH 6.6p1 via 6.3p1, 6.4p1 and 6.5p1.
Differences relative to head:
- No DNSSEC support since stable/9 does not have LDNS
- Sandboxing off by default, and uses rlimit instead of Capsicum
- ED25519 moved to the bottom of the order of preference to avoid "new public key" warnings
|
259451 |
16-Dec-2013 |
bjk |
Fix build breakage after r259448
Approved by: hrs (mentor, src committer)
|
259448 |
16-Dec-2013 |
bjk |
MFC r259286,259424,259425: Apply patch from upstream Heimdal for encoding fix
RFC 4402 specifies the implementation of the gss_pseudo_random() function for the krb5 mechanism (and the C bindings therein). The implementation uses a PRF+ function that concatenates the output of individual krb5 pseudo-random operations produced with a counter and seed. The original implementation of this function in Heimdal incorrectly encoded the counter as a little-endian integer, but the RFC specifies the counter encoding as big-endian. The implementation initializes the counter to zero, so the first block of output (16 octets, for the modern AES enctypes 17 and 18) is unchanged. (RFC 4402 specifies that the counter should begin at 1, but both existing implementations begin with zero and it looks like the standard will be re-issued, with test vectors, to begin at zero.)
This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6, from 13 October, 2013:
% Fix krb5's gss_pseudo_random() (n is big-endian)
%
% The first enctype RFC3961 prf output length's bytes are correct because
% the little- and big-endian representations of unsigned zero are the
% same. The second block of output was wrong because the counter was not
% being encoded as big-endian.
%
% This change could break applications. But those applications would not
% have been interoperating with other implementations anyways (in
% particular: MIT's).
Bump __FreeBSD_version accordingly and add a note in UPDATING.
Approved by: hrs (mentor, src committer)
|
254554 |
20-Aug-2013 |
des |
MFH (r254278): fix relative symlinks
|
252339 |
28-Jun-2013 |
des |
Insta-MFH (r252338): update docs to reflect correct default privsep setting
|
251135 |
30-May-2013 |
des |
Pull in OpenSSH 6.2p2 from head.
|
251087 |
29-May-2013 |
bdrewery |
MFH r250595: The HPN patch added a new BUG bit for SSH_BUG_LARGEWINDOW and the update to 6.1 added SSH_BUG_DYNAMIC_RPORT with the same value.
Fix the HPN SSH_BUG_LARGEWINDOW bit so it is unique.
|
248915 |
29-Mar-2013 |
des |
Remove (harmless) duplicate entry for VersionAddendum.
Noticed by: dim@ MFC after: 1 week
|
248604 |
21-Mar-2013 |
delphij |
MFV r248595:
- Integrate OpenSSL revisions fb092ef4fca897344daf7189526f5f26be6487ce, a93cc7c57333f4538cbcdedd2e961a5a38caa52d, and 76c61a5d1adb92388f39e585e4af860a20feb9bb.
This removes the newly added orig_len field of SSL3_RECORD and restored ABI.
Approved by: benl
|
248468 |
18-Mar-2013 |
des |
MFH (r248465): revert upstream decommissioning of authorized_keys2
|
248334 |
15-Mar-2013 |
delphij |
Redo r241528:
MFC r240339: openssl: change SHLIB_VERSION_NUMBER to reflect the reality.
|
248272 |
14-Mar-2013 |
delphij |
Merge OpenSSL 0.9.8y. This is a direct commit to stable/9 as HEAD is on a different release now.
|
247485 |
28-Feb-2013 |
des |
Pull in OpenSSH 6.1 from head.
|
246069 |
29-Jan-2013 |
pfg |
Clean some 'svn:executable' properties in the tree.
Submitted by: Christoph Mallon
While here, merge some other mergeinfo properties that were left behind from my commits
/head/include:r241008,241141,241181 /head/contrib/gcc:r244776,244792 /head/cddl:r238457,238509,238558
|
245482 |
16-Jan-2013 |
delphij |
MFC r244975:
Indicate that we are using OpenSSL with some local modifications.
|
245481 |
16-Jan-2013 |
delphij |
MFC r244973:
Integrate OpenSSL changeset 22950 (appro):
bn_word.c: fix overflow bug in BN_add_word.
|
243195 |
17-Nov-2012 |
dim |
MFC r243034:
In crypto/heimdal/lib/sl/slc-lex.l, don't define YY_NO_INPUT, since %option nounput is already specified.
|
241528 |
14-Oct-2012 |
avg |
MFC r240339: openssl: change SHLIB_VERSION_NUMBER to reflect the reality
|
237998 |
02-Jul-2012 |
jkim |
MFC: r237657, r237658, r237666
Merge OpenSSL 0.9.8x and regen manual pages.
|
237940 |
02-Jul-2012 |
delphij |
MFC r237568:
Fetch both ECDSA and RSA keys by default in ssh-keyscan(1).
|
236520 |
03-Jun-2012 |
rea |
OpenSSH: allow VersionAddendum to be used again
Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set.
HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled.
VersionAddendum now uses the following logics:
* unset (default value): append " " and VERSION_ADDENDUM;
* VersionAddendum is set and isn't empty: append " " and VersionAddendum;
* VersionAddendum is set and empty: don't append anything.
Approved by: des Reviewed by: bz
|
236304 |
30-May-2012 |
bz |
Update the previous openssl fix. [12:01]
Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]
Security: FreeBSD-SA-12:01.openssl (revised) Security: FreeBSD-SA-12:02.crypt Approved by: so (bz, simon)
|
234954 |
03-May-2012 |
bz |
Fix multiple OpenSSL vulnerabilities.
Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109 Security: CVE-2012-0884, CVE-2012-2110 Security: FreeBSD-SA-12:01.openssl Approved by: so (bz,simon)
|
228843 |
23-Dec-2011 |
cperciva |
Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]
Add an API for alerting internal libc routines to the presence of "unsafe" paths post-chroot, and use it in ftpd. [11:07]
Fix a buffer overflow in telnetd. [11:08]
Make pam_ssh ignore unpassphrased keys unless the "nullok" option is specified. [11:09]
Add sanity checking of service names in pam_start. [11:10]
Approved by: so (cperciva) Approved by: re (bz) Security: FreeBSD-SA-11:06.bind Security: FreeBSD-SA-11:07.chroot Security: FreeBSD-SA-11:08.telnetd Security: FreeBSD-SA-11:09.pam_ssh Security: FreeBSD-SA-11:10.pam
|
227305 |
07-Nov-2011 |
marius |
MFC: r227006, r227281, r227282
Add a PCI front-end to esp(4) allowing it to support AMD Am53C974 and replace amd(4) with the former in the amd64, i386 and pc98 GENERIC kernel configuration files. Besides duplicating functionality, amd(4), which previously also supported the AMD Am53C974, unlike esp(4) is no longer maintained and has accumulated enough bit rot over time to always cause a panic during boot as long as at least one target is attached to it (see PR 124667).
PR: 124667 Approved by: re (kib) Obtained from: NetBSD (based on)
|
225983 |
04-Oct-2011 |
des |
MFH r225852: regenerate after hpn patch
Approved by: re (kib)
|
225736 |
23-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
225614 |
16-Sep-2011 |
des |
Remove the svn:keywords property and restore the historical $FreeBSD$ tag.
Approved by: re (kib) MFC after: 3 weeks
|
225446 |
08-Sep-2011 |
delphij |
Fix SSL memory handling for (EC)DH cipher suites, in particular for multi-threaded use of ECDH.
Security: CVE-2011-3210 Reviewed by: stas Obtained from: OpenSSL CVS Approved by: re (kib)
|
224642 |
03-Aug-2011 |
brooks |
Fix two more $FreeBSD$ keywords.
Reported by: pluknet Approved by: re (implicit)
|
224640 |
03-Aug-2011 |
brooks |
Enable keyword expansion for $FreeBSD$ on files where it was added in r224638.
Submitted by: bz Approved by: re (implicit) Point hat to: brooks
|
224638 |
03-Aug-2011 |
brooks |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported.
Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf.
This code is a style(9) compliant version of these features extracted from the patches published at:
http://www.psc.edu/networking/projects/hpn-ssh/
Merging this patch has been a collaboration between me and Bjoern.
Reviewed by: bz Approved by: re (kib), des (maintainer)
|
223758 |
04-Jul-2011 |
attilio |
With retirement of cpumask_t and usage of cpuset_t for representing a mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.
Remove them and replace their usage with custom pc_cpuid magic (as, atm, pc_cpumask can be easily represented by (1 << pc_cpuid) and pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).
This change is not targeted for MFC because of struct pcpu members removal and dependency by cpumask_t retirement.
MD review by: marcel, marius, alc Tested by: pluknet MD testing by: marcel, marius, gonzo, andreast
|
222813 |
07-Jun-2011 |
attilio |
Retire the cpumask_t type and replace it with cpuset_t usage.
This is intended to fix the bug where cpu mask objects are capped to 32. MAXCPU, then, can now be arbitrarily bumped to whatever value. Anyway, as long as several structures in the kernel are statically allocated and sized as MAXCPU, it is suggested to keep it as low as possible for the time being.
Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced. The most notable are cpusetobj_ffs() (which calculates a ffs(3) for a cpuset_t object), cpusetobj_strprint() (which prepares a string representing a cpuset_t object) and cpusetobj_strscan() (which creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon. With the moving from cpumask_t to cpuset_t they are now inefficient and not really useful. Anyway, for the time being, please note that access to pcpu data is protected by sched_pin() in order to avoid migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel and userland. While this is not directly related to the patch itself, it is good to understand that concept and possibly use the patch as a reference on how to deal with cpuset_t objects in userland, when accessing kernel-land members.
- KTR_CPUMASK is changed and now is represented through a string, to be set as the example reported in NOTES.
Please additively note that no MAXCPU is bumped in this patch, but private testing has been done until to MAXCPU=128 on a real 8x8x2(htt) machine (amd64).
Please note that the FreeBSD version is not yet bumped because of the upcoming pcpu changes. However, note that this patch is not targeted for MFC.
People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested several revision of the patches and really helped in improving stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific implementations of the patch.
- Other people have made contributions on other patches that have been already committed and have been listed separately.
Companies that should be mentioned for having participated at several degrees:
- Yahoo! for having offered the machines used for testing on big count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance, which has been instrumental.
- Sandvine for having offered offices and infrastructure during development.
(I really hope I didn't forget anyone, if it happened I apologize in advance).
|
222081 |
18-May-2011 |
benl |
Fix clang warning (why is there nowhere yyparse() is declared?).
Approved by: philip (mentor)
|
221487 |
05-May-2011 |
des |
Merge two upstream patches from vendor branch. No functional changes.
|
221420 |
04-May-2011 |
des |
Upgrade to OpenSSH 5.8p2.
|
218625 |
12-Feb-2011 |
simon |
Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
Security: http://www.openssl.org/news/secadv_20110208.txt Security: CVE-2011-0014 Obtained from: OpenSSL CVS
|
216166 |
03-Dec-2010 |
simon |
Merge OpenSSL 0.9.8q into head.
Security: CVE-2010-4180 Security: http://www.openssl.org/news/secadv_20101202.txt MFC after: 3 days
|
215697 |
22-Nov-2010 |
simon |
Merge OpenSSL 0.9.8p into head.
Security: CVE-2010-3864 Security: http://www.openssl.org/news/secadv_20101116.txt
|
215288 |
14-Nov-2010 |
simon |
Fix double-free in OpenSSL's SSL ECDH code.
It has yet to be determined if this warrants a FreeBSD Security Advisory, but we might as well get it fixed in the normal branches.
Obtained from: OpenSSL CVS Security: CVE-2010-2939 X-MFC after: Not long...
|
215116 |
11-Nov-2010 |
des |
Upgrade to OpenSSH 5.6p1.
|
215083 |
10-Nov-2010 |
des |
Forgot to svn rm this when I imported 5.4p1.
|
213250 |
28-Sep-2010 |
emaste |
Remove copyright strings printed at login time via login(1) or sshd(8). It is not clear to what this copyright should apply, and this is in line with what other operating systems do.
For ssh specifically, printing of the copyright string is not in the upstream version so this reduces our FreeBSD-local diffs.
Approved by: core, des (ssh)
|
212961 |
21-Sep-2010 |
rpaulo |
Bring in OpenSSL checkin 19821:
Make inline assembler clang-friendly [from HEAD].
openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2 openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1
Approved by: simon
|
208724 |
01-Jun-2010 |
des |
More commas
|
208709 |
01-Jun-2010 |
des |
Missing commas
|
208606 |
28-May-2010 |
cperciva |
Fix .Dd line: FreeBSD's mdoc code doesn't understand OpenBSD's $Mdocdate$.
MFC after: 3 days
|
207736 |
07-May-2010 |
mckusick |
Merger of the quota64 project into head.
This joint work of Dag-Erling Smørgrav and myself updates the FFS quota system to support both traditional 32-bit and new 64-bit quotas (for those of you who want to put 2+Tb quotas on your users).
By default quotas are not compiled into the kernel. To include them in your kernel configuration you need to specify:
options QUOTA # Enable FFS quotas
If you are already running with the current 32-bit quotas, they should continue to work just as they have in the past. If you wish to convert to using 64-bit quotas, use `quotacheck -c 64'; if you wish to revert from 64-bit quotas back to 32-bit quotas, use `quotacheck -c 32'.
There is a new library of functions to simplify the use of the quota system, do `man quotafile' for details. If your application is currently using the quotactl(2), it is highly recommended that you convert your application to use the quotafile interface. Note that existing binaries will continue to work.
Special thanks to John Kozubik of rsync.net for getting me interested in pursuing 64-bit quota support and for funding part of my development time on this project.
|
207319 |
28-Apr-2010 |
des |
Upgrade to OpenSSH 5.5p1.
|
206397 |
08-Apr-2010 |
kib |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd.
Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week
|
206046 |
01-Apr-2010 |
simon |
Merge OpenSSL 0.9.8n into head.
This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m) but not -STABLE branches.
I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD. This will be investigated further.
Security: CVE-2010-0433, CVE-2010-0740 Security: http://www.openssl.org/news/secadv_20100324.txt
|
205601 |
24-Mar-2010 |
ed |
Prune empty directories.
|
205137 |
13-Mar-2010 |
simon |
Readd $FreeBSD$ to the OpenSSL config file as that's useful for mergemaster.
Suggested by: dougb
|
205128 |
13-Mar-2010 |
simon |
Merge OpenSSL 0.9.8m into head.
This also "reverts" some FreeBSD local changes so we should now be back to using entirely stock OpenSSL. The local changes were simple $FreeBSD$ lines additions, which were required in the CVS days, and the patch for FreeBSD-SA-09:15.ssl which has been superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation extension' support.
MFC after: 3 weeks
|
204917 |
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
202231 |
13-Jan-2010 |
ed |
Add a missing $FreeBSD$ string.
I was requested to add this string to any file that was modified by my commit, which I forgot to do so.
Requested by: des
|
202213 |
13-Jan-2010 |
ed |
Make OpenSSH work with utmpx.
- Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'.
|
201444 |
03-Jan-2010 |
brooks |
The size of credential messages is limited by CMGROUP_MAX rather than NGROUPS.
MFC after: 1 week
|
200054 |
03-Dec-2009 |
cperciva |
Disable SSL renegotiation in order to protect against a serious protocol flaw. [09:15]
Correctly handle failures from unsetenv resulting from a corrupt environment in rtld-elf. [09:16]
Fix permissions in freebsd-update in order to prevent leakage of sensitive files. [09:17]
Approved by: so (cperciva) Security: FreeBSD-SA-09:15.ssl Security: FreeBSD-SA-09:16.rtld Security: FreeBSD-SA-09:17.freebsd-update
|
199804 |
25-Nov-2009 |
attilio |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails.
Note: in future it would be interesting to find a way to do that selectively for any desired process (chosen by user himself), probably via a ptrace interface or whatever.
Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month
|
199131 |
10-Nov-2009 |
des |
Fix globbing
Noticed by: delphij, David Cornejo <dave@dogwood.com> Forgotten by: des
|
197957 |
11-Oct-2009 |
des |
Remove dupe.
|
197802 |
06-Oct-2009 |
des |
Expand $FreeBSD$
|
197785 |
05-Oct-2009 |
des |
Add more symbols that need to be masked:
- initialized and uninitialized data
- symbols from roaming_dummy.c which end up in pam_ssh
Update the command line used to generate the #defines.
|
197679 |
01-Oct-2009 |
des |
Upgrade to OpenSSH 5.3p1.
|
196474 |
23-Aug-2009 |
simon |
Merge DTLS fixes from vendor-crypto/openssl/dist:
- Fix memory consumption bug with "future epoch" DTLS records.
- Fix fragment handling memory leak.
- Do not access freed data structure.
- Fix DTLS fragment bug - out-of-sequence message handling which could result in NULL pointer dereference in dtls1_process_out_of_seq_message().
Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL.
MFC after: 1 week Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
|
196164 |
13-Aug-2009 |
des |
Update and remove CVS-specific items
Approved by: re (kib)
|
196133 |
12-Aug-2009 |
simon |
Remove symlinks in OpenSSL's testing framework. These are not required for normal build, and don't export well to CVS.
If they are needed later a script will be added to recreate the symlinks when needed at build time.
Approved by: re (rwatson)
|
194297 |
16-Jun-2009 |
jhb |
Use the closefrom(2) system call.
Reviewed by: des
|
194206 |
14-Jun-2009 |
simon |
Merge OpenSSL 0.9.8k into head.
Approved by: re
|
192595 |
22-May-2009 |
des |
Upgrade to OpenSSH 5.2p1.
MFC after: 3 months
|
191517 |
26-Apr-2009 |
ed |
Remove empty directories from the HEAD.
Discussed with: developers, imp
|
191381 |
22-Apr-2009 |
cperciva |
Don't leak information via uninitialized space in db(3) records. [09:07]
Sanity-check string lengths in order to stop OpenSSL crashing when printing corrupt BMPString or UniversalString objects. [09:08]
Security: FreeBSD-SA-09:07.libc Security: FreeBSD-SA-09:08.openssl Security: CVE-2009-0590 Approved by: re (kensmith) Approved by: so (cperciva)
|
186872 |
07-Jan-2009 |
simon |
Prevent cross-site forgery attacks on lukemftpd(8) due to splitting long commands into multiple requests. [09:01]
Fix incorrect OpenSSL checks for malformed signatures due to invalid check of return value from EVP_VerifyFinal(), DSA_verify, and DSA_do_verify. [09:02]
Security: FreeBSD-SA-09:01.lukemftpd Security: FreeBSD-SA-09:02.openssl Obtained from: NetBSD [SA-09:01] Obtained from: OpenSSL Project [SA-09:02] Approved by: so (simon)
|
184122 |
21-Oct-2008 |
des |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer.
PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week
|
183458 |
29-Sep-2008 |
des |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates.
MFC after: 3 days
|
183336 |
24-Sep-2008 |
des |
MFV "xmalloc: zero size" fix.
MFC after: 1 week
|
183229 |
21-Sep-2008 |
simon |
The vendor area is the proper home for these files now.
|
183227 |
21-Sep-2008 |
simon |
Bootstrapping merge history from vendor-crypto/openssl/dist/@182044.
|
182614 |
01-Sep-2008 |
des |
Remove some unused files.
|
182601 |
01-Sep-2008 |
des |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly.
|
181918 |
20-Aug-2008 |
des |
Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. Submitted upstream, no reaction.
Submitted by: delphij@ MFC after: 2 weeks
|
181111 |
01-Aug-2008 |
des |
Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed.
MFC after: 6 weeks
|
181110 |
01-Aug-2008 |
des |
Remove svn:keywords except on files that need it. This makes diffs against the vendor branch much more readable.
|
181109 |
01-Aug-2008 |
des |
Another file with no local changes.
"This time for sure!"
|
181108 |
01-Aug-2008 |
des |
Another file with no local changes.
|
181107 |
01-Aug-2008 |
des |
Another four files without local changes. This is driving me nuts - every time I think I got them all, another one pops up.
|
181106 |
01-Aug-2008 |
des |
Yet another file with no local changes.
|
181105 |
01-Aug-2008 |
des |
Accidentally mangled this one in the previous commit.
|
181104 |
01-Aug-2008 |
des |
More files which no longer have any local changes.
|
181103 |
01-Aug-2008 |
des |
These two files have no local patches except to prevent expansion of the original $FreeBSD$ keywords. Revert those changes, and simply disable keyword expansion.
|
181101 |
01-Aug-2008 |
des |
Last remains of old OPIE patch
|
181098 |
01-Aug-2008 |
des |
We no longer have any local changes here.
|
181097 |
01-Aug-2008 |
des |
Consistently set svn:eol-style.
|
181096 |
01-Aug-2008 |
des |
Tag expansion is no longer needed (svn handles them correctly). Add svn command to diff against vendor branch.
|
181095 |
01-Aug-2008 |
des |
This is no longer needed.
|
181094 |
01-Aug-2008 |
des |
Cleanup.
|
181092 |
01-Aug-2008 |
des |
Ugh. Set svn:mergeinfo correctly.
|
181091 |
01-Aug-2008 |
des |
Catch up with reality.
|
181090 |
01-Aug-2008 |
des |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP.
|
181087 |
31-Jul-2008 |
des |
Add missing #include for strlen()
|
181081 |
31-Jul-2008 |
des |
Advance merge point.
|
180989 |
30-Jul-2008 |
des |
Fix alignment of the cmsg buffer by placing it in a union with a struct cmsghdr. Derived from upstream patch.
Submitted by: cognet MFC after: 2 weeks
|
180765 |
23-Jul-2008 |
des |
Remove a bunch of files we don't need to build OpenSSH. They are still available in base/vendor-crypto/openssh/dist/.
|
180764 |
23-Jul-2008 |
des |
Bootstrap svn:mergeinfo.
|
179526 |
03-Jun-2008 |
peter |
cvs2svn did not delete this, even though it is empty.
|
178828 |
07-May-2008 |
dfr |
Fix conflicts after heimdal-1.1 import and add build infrastructure. Import all non-style changes made by heimdal to our own libgssapi.
|
178826 |
07-May-2008 |
dfr |
This commit was generated by cvs2svn to compensate for changes in r178825, which included commits to RCS files with non-trunk default branches.
|
176070 |
06-Feb-2008 |
des |
Fix the Xlist so it actually works with 'tar -X', and update the upgrade instructions accordingly.
|
176069 |
06-Feb-2008 |
des |
As per discussion, commit experimental metadata for my contrib packages. The idea is to have a FREEBSD-vendor file for every third-party package in the tree.
|
175292 |
13-Jan-2008 |
simon |
Unbreak detection of cryptodev support for FreeBSD which was broken with OpenSSL 0.9.8 import.
Note that this does not enable cryptodev by default, as it was the case with OpenSSL 0.9.7 in FreeBSD base, but this change makes it possible to enable cryptodev at all.
This has been submitted upstream as: http://rt.openssl.org/Ticket/Display.html?id=1624
Submitted by: nork
|
172768 |
18-Oct-2007 |
simon |
This commit was generated by cvs2svn to compensate for changes in r172767, which included commits to RCS files with non-trunk default branches.
|
172765 |
18-Oct-2007 |
peter |
Remove _FREEFALL_CONFIG hacks. su+pam_ksu works well enough to use on the freebsd.org cluster.
|
172429 |
03-Oct-2007 |
simon |
Correct a buffer overflow in OpenSSL SSL_get_shared_ciphers().
Security: FreeBSD-SA-07:08.openssl Approved by: re (security blanket)
|
169966 |
24-May-2007 |
des |
s/X11R6/local/g
|
169883 |
22-May-2007 |
simon |
Fix runtime crash in OpenSSL with "Illegal instruction" by making some casts a bit less evil.
This was e.g. seen when using portsnap as:
Fetching snapshot tag from portsnap3.FreeBSD.org... Illegal instruction
Note the patch is slightly different from kan's original patch to match style in the OpenSSL source files a bit better.
Submitted by: kan Tested by: many
|
167620 |
15-Mar-2007 |
simon |
- Bring upgrade procedure up-to-date for OpenSSL 0.9.8e.
- Add reminder to bump version number in Makefile.inc.
|
167618 |
15-Mar-2007 |
simon |
This commit was generated by cvs2svn to compensate for changes in r167617, which included commits to RCS files with non-trunk default branches.
|
167615 |
15-Mar-2007 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8e.
|
167613 |
15-Mar-2007 |
simon |
This commit was generated by cvs2svn to compensate for changes in r167612, which included commits to RCS files with non-trunk default branches.
|
164149 |
10-Nov-2006 |
des |
Resolve conflicts.
|
164147 |
10-Nov-2006 |
des |
This commit was generated by cvs2svn to compensate for changes in r164146, which included commits to RCS files with non-trunk default branches.
|
163054 |
06-Oct-2006 |
des |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default.
|
163004 |
04-Oct-2006 |
des |
Go figure how an extra $Id$ line crept in...
|
163003 |
04-Oct-2006 |
des |
Merge vendor patch.
|
162984 |
03-Oct-2006 |
des |
Tweak ifdefs for backward compatibility.
|
162953 |
02-Oct-2006 |
des |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision.
|
162952 |
02-Oct-2006 |
des |
Update configure options and add some missing steps. The section about our local changes needs reviewing, and some of those changes should probably be reconsidered (such as preferring DSA over RSA, which made sense when RSA was encumbered but probably doesn't any more)
|
162917 |
01-Oct-2006 |
simon |
This commit was generated by cvs2svn to compensate for changes in r162916, which included commits to RCS files with non-trunk default branches.
|
162914 |
01-Oct-2006 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8d.
|
162912 |
01-Oct-2006 |
simon |
This commit was generated by cvs2svn to compensate for changes in r162911, which included commits to RCS files with non-trunk default branches.
|
162860 |
30-Sep-2006 |
des |
Regenerate.
MFC after: 1 week
|
162859 |
30-Sep-2006 |
des |
#include <errno.h>; this has the unfortunate side effect of taking the file off the vendor branch.
MFC after: 1 week
|
162858 |
30-Sep-2006 |
des |
Removed from vendor branch.
MFC after: 1 week
|
162857 |
30-Sep-2006 |
des |
Bump version addendum.
MFC after: 1 week
|
162856 |
30-Sep-2006 |
des |
Merge conflicts.
MFC after: 1 week
|
162853 |
30-Sep-2006 |
des |
This commit was generated by cvs2svn to compensate for changes in r162852, which included commits to RCS files with non-trunk default branches.
|
162360 |
16-Sep-2006 |
des |
Merge vendor patch for BSM problem in protocol version 1.
MFC after: 1 week
|
162207 |
10-Sep-2006 |
simon |
Correct incorrect PKCS#1 v1.5 padding validation in crypto(3).
Obtained from: OpenSSL project Security: FreeBSD-SA-06:19.openssl
|
160837 |
30-Jul-2006 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8b.
This was missed the first time around since eng_padlock.c was not part of OpenSSL 0.9.7e and therefore did not have the v0_9_7e CVS tag used during original resolve of conflicts.
Noticed by: Antoine Brodin <antoine.brodin@laposte.net>
|
160827 |
29-Jul-2006 |
simon |
Sync FREEBSD-Xlist with what was actually excluded from OpenSSL 0.9.8b import.
|
160826 |
29-Jul-2006 |
simon |
Add some rough notes on how to import a new OpenSSL version into the FreeBSD base system. Parts are inspired by the OpenSSH upgrade notes.
|
160817 |
29-Jul-2006 |
simon |
Resolve conflicts after import of OpenSSL 0.9.8b.
|
160815 |
29-Jul-2006 |
simon |
This commit was generated by cvs2svn to compensate for changes in r160814, which included commits to RCS files with non-trunk default branches.
|
159458 |
09-Jun-2006 |
des |
Our glob(3) has all the required features.
Submitted by: ache
|
159457 |
09-Jun-2006 |
des |
Revert inadvertent commit of debugging code.
|
158519 |
13-May-2006 |
des |
Introduce a namespace munging hack inspired by NetBSD to avoid polluting the namespace of applications which inadvertently link in libssh (usually through pam_ssh)
Suggested by: lukem@netbsd.org MFC after: 6 weeks
|
157055 |
23-Mar-2006 |
des |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error.
Noticed by: ache
|
157020 |
22-Mar-2006 |
des |
Regenerate.
|
157019 |
22-Mar-2006 |
des |
Merge conflicts.
|
157017 |
22-Mar-2006 |
des |
This commit was generated by cvs2svn to compensate for changes in r157016, which included commits to RCS files with non-trunk default branches.
|
156813 |
17-Mar-2006 |
ru |
Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
|
153969 |
02-Jan-2006 |
dfr |
Fix the amd64 (and presumably ia64) lib32 build by ensuring that the heimdal GSS-API mechanism uses its own version of gssapi.h, including all the implementation-dependent pollution contained therein.
This moves the file off the vendor branch, sadly.
Submitted by: bz
|
153838 |
29-Dec-2005 |
dfr |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar to the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC.
Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
|
151233 |
11-Oct-2005 |
cperciva |
Correct a man-in-the-middle SSL version rollback vulnerability.
Security: FreeBSD-SA-05:21.openssl
|
149754 |
03-Sep-2005 |
des |
Regenerate
|
149753 |
03-Sep-2005 |
des |
Resolve conflicts.
|
149750 |
03-Sep-2005 |
des |
This commit was generated by cvs2svn to compensate for changes in r149749, which included commits to RCS files with non-trunk default branches.
|
149748 |
03-Sep-2005 |
des |
fine-tune.
|
147810 |
07-Jul-2005 |
kensmith |
This is sort of an MFS. Peter made these changes to the RELENG_* branches but missed HEAD. This patch extends his a little bit, setting it up via the Makefiles so that adding _FREEFALL_CONFIG to /etc/make.conf is the only thing needed to cluster-ize things (current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches:
> Add the freebsd.org cluster's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days Approved by: re (dwhite)
|
147010 |
05-Jun-2005 |
des |
Forgot to bump the version addendum.
|
147006 |
05-Jun-2005 |
des |
Regenerate.
|
147005 |
05-Jun-2005 |
des |
Resolve conflicts.
|
147004 |
05-Jun-2005 |
des |
Update for 4.1p1.
|
147002 |
05-Jun-2005 |
des |
This commit was generated by cvs2svn to compensate for changes in r147001, which included commits to RCS files with non-trunk default branches.
|
146999 |
05-Jun-2005 |
des |
This commit was generated by cvs2svn to compensate for changes in r146998, which included commits to RCS files with non-trunk default branches.
|
146981 |
04-Jun-2005 |
des |
Rewrite some of the regexps so they don't match themselves.
|
142432 |
25-Feb-2005 |
nectar |
File removed in update from OpenSSL 0.9.7d -> 0.9.7e.
|
142431 |
25-Feb-2005 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r142430, which included commits to RCS files with non-trunk default branches.
|
142428 |
25-Feb-2005 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.7e.
|
142426 |
25-Feb-2005 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r142425, which included commits to RCS files with non-trunk default branches.
|
142423 |
25-Feb-2005 |
nectar |
Update list of files to remove prior to import of OpenSSL 0.9.7e.
|
142422 |
25-Feb-2005 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r142421, which included commits to RCS files with non-trunk default branches.
|
142404 |
24-Feb-2005 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r142403, which included commits to RCS files with non-trunk default branches.
|
142402 |
24-Feb-2005 |
nectar |
Do not include lib/kdfs in future imports.
|
137020 |
28-Oct-2004 |
des |
Better Xlist command line.
|
137019 |
28-Oct-2004 |
des |
Resolve conflicts
|
137016 |
28-Oct-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r137015, which included commits to RCS files with non-trunk default branches.
|
136998 |
27-Oct-2004 |
des |
These are unnecessary and have been causing imp@ trouble.
|
133718 |
14-Aug-2004 |
markm |
Add support for C3 Nehemiah ACE ("Padlock") AES crypto. This comes from OpenSSL 0.9.5 (yet to be released), and is pretty complete.
|
133666 |
13-Aug-2004 |
markm |
This commit was generated by cvs2svn to compensate for changes in r133665, which included commits to RCS files with non-trunk default branches.
|
128462 |
20-Apr-2004 |
des |
Regenerate.
|
128461 |
20-Apr-2004 |
des |
One more conflict.
|
128460 |
20-Apr-2004 |
des |
Resolve conflicts.
|
128459 |
20-Apr-2004 |
des |
Adjust version number and addendum.
|
128457 |
20-Apr-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r128456, which included commits to RCS files with non-trunk default branches.
|
127905 |
05-Apr-2004 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r127904, which included commits to RCS files with non-trunk default branches.
|
127811 |
03-Apr-2004 |
nectar |
Resolve conflicts after import of Heimdal 0.6.1.
|
127809 |
03-Apr-2004 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r127808, which included commits to RCS files with non-trunk default branches.
|
127134 |
17-Mar-2004 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.7d.
|
127129 |
17-Mar-2004 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r127128, which included commits to RCS files with non-trunk default branches.
|
127115 |
17-Mar-2004 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r127114, which included commits to RCS files with non-trunk default branches.
|
127033 |
15-Mar-2004 |
des |
Correctly document the default value of UsePAM.
|
126283 |
26-Feb-2004 |
des |
Update VersionAddendum in config files and man pages.
|
126280 |
26-Feb-2004 |
des |
Define HAVE_GSSAPI_H.
|
126279 |
26-Feb-2004 |
des |
Regenerate.
|
126278 |
26-Feb-2004 |
des |
Document recently changed configuration defaults.
|
126277 |
26-Feb-2004 |
des |
Resolve conflicts.
|
126275 |
26-Feb-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r126274, which included commits to RCS files with non-trunk default branches.
|
126273 |
26-Feb-2004 |
des |
Merge OpenSSH 3.8p1.
|
126272 |
26-Feb-2004 |
des |
Prepare for upcoming 3.8p1 import.
|
126271 |
26-Feb-2004 |
des |
Pull asbestos underpants on and disable protocol version 1 by default.
|
126009 |
19-Feb-2004 |
des |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it.
|
124970 |
25-Jan-2004 |
des |
Update the "overview of FreeBSD changes to OpenSSH-portable" to reflect reality.
|
124696 |
18-Jan-2004 |
des |
Work around removal of EAI_NODATA from netdb.h.
|
124292 |
09-Jan-2004 |
nectar |
Re-add the FreeBSD RCS keyword for the benefit of mergemaster.
PR: conf/50040 Requested by: Dimitry Andric <dim@xs4all.nl>
|
124288 |
09-Jan-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r124287, which included commits to RCS files with non-trunk default branches.
|
124279 |
09-Jan-2004 |
des |
Egg on my face: UsePAM was off by default.
Pointed out by: Sean McNeil <sean@mcneil.com>
|
124244 |
08-Jan-2004 |
des |
Regenerate config.h; I don't know why this didn't hit CVS yesterday.
|
124213 |
07-Jan-2004 |
des |
Update to reflect changes since the last version.
|
124211 |
07-Jan-2004 |
des |
Resolve conflicts and remove obsolete files.
Sponsored by: registrar.no
|
124209 |
07-Jan-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r124208, which included commits to RCS files with non-trunk default branches.
|
124207 |
07-Jan-2004 |
des |
Merge OpenSSH 3.7.1p2.
|
121824 |
31-Oct-2003 |
simon |
Add a missing word.
Submitted by: Michel Lavondes <fox@vader.aacc.cc.md.us> Reviewed by: des MFC after: 1 week
|
121420 |
23-Oct-2003 |
des |
Plug a memory leak in the PAM child process. It is of no great consequence as the process is short-lived, and the leak occurs very rarely and always shortly before the process terminates.
MFC after: 3 days
|
120953 |
09-Oct-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120952, which included commits to RCS files with non-trunk default branches.
|
120948 |
09-Oct-2003 |
nectar |
Resolve conflicts after import of Heimdal 0.6.
|
120946 |
09-Oct-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120945, which included commits to RCS files with non-trunk default branches.
|
120944 |
09-Oct-2003 |
nectar |
Add list of files to remove from the Heimdal distribution prior to each import.
|
120636 |
01-Oct-2003 |
nectar |
Remove files no longer included with OpenSSL as of version 0.9.7c.
|
120635 |
01-Oct-2003 |
nectar |
Merge conflicts after import of OpenSSL 0.9.7c.
|
120632 |
01-Oct-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120631, which included commits to RCS files with non-trunk default branches.
|
120630 |
01-Oct-2003 |
nectar |
Update list of files to remove prior to import of OpenSSL 0.9.7c.
|
120490 |
26-Sep-2003 |
joe |
This commit was generated by cvs2svn to compensate for changes in r120489, which included commits to RCS files with non-trunk default branches.
|
120489 |
26-Sep-2003 |
joe |
Additional corrections to OpenSSH buffer handling.
Obtained from: openssh.org Originally committed to head by: nectar
|
120413 |
24-Sep-2003 |
des |
Update version string.
|
120411 |
24-Sep-2003 |
des |
Remove bogus calls to xfree().
|
120406 |
24-Sep-2003 |
des |
resp is a pointer to an array of structs, not an array of pointers to structs.
|
120405 |
24-Sep-2003 |
des |
Return the correct error value when a null query fails.
|
120230 |
19-Sep-2003 |
des |
Fix broken shell code.
|
120162 |
17-Sep-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120161, which included commits to RCS files with non-trunk default branches.
|
120161 |
17-Sep-2003 |
nectar |
Correct more cases of allocation size bookkeeping being updated before calling functions which can potentially fail and cause cleanups to be invoked.
Submitted by: Solar Designer <solar@openwall.com>
|
120125 |
16-Sep-2003 |
nectar |
Update the OpenSSH addendum string for the buffer handling fix.
|
120114 |
16-Sep-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120113, which included commits to RCS files with non-trunk default branches.
|
117675 |
16-Jul-2003 |
markm |
Very big makeover in the way telnet, telnetd and libtelnet are built.
Previously, there were two copies of telnet; a non-crypto version that lived in the usual places, and a crypto version that lived in crypto/telnet/. The latter was built in a broken manner somewhat akin to other "contribified" sources. This meant that there were 4 telnets competing with each other at build time - KerberosIV, Kerberos5, plain-old-secure and base. KerberosIV is no longer in the running, but the other three took it in turns to jump all over each other during a "make buildworld".
As the crypto issue has been clarified, and crypto _calls_ are not a problem, crypto/telnet has been repo-copied to contrib/telnet, and with this commit, all telnets are now "contribified". The contrib path was chosen to not destroy history in the repository, and differs from other contrib/ entries in that it may be worked on as "normal" BSD code. There is no dangerous crypto in these sources, only a very weak system less strong than enigma(1).
Kerberos5 telnet and Secure telnet are now selected by using the usual macros in /etc/make.conf, and the build process is unsurprising and less treacherous.
|
116792 |
24-Jun-2003 |
des |
This commit was generated by cvs2svn to compensate for changes in r116791, which included commits to RCS files with non-trunk default branches.
|
115372 |
28-May-2003 |
des |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP.
Submitted by: tegge Approved by: re (jhb)
|
114972 |
13-May-2003 |
des |
Revert unnecessary part of previous commit.
|
114955 |
12-May-2003 |
des |
Rename a few functions to avoid stealing common words (error, log, debug etc.) from the application namespace for programs that use pam_ssh(8). Use #defines to avoid changing the actual source code.
Approved by: re (rwatson)
|
114911 |
11-May-2003 |
markm |
Fix up external variables named "debug" that have a horrible habit of conflicting with other, similarly named functions in static libraries. This is done mostly by renaming the var if it is shared amongst modules, or making it static otherwise.
OK'ed by: re(scottl)
|
114630 |
04-May-2003 |
obrien |
Use __FBSDID vs. rcsid[]. Also protect sccs[] and copyright[] from GCC 3.3.
|
114426 |
01-May-2003 |
des |
Remove RCSID from files which have no other diffs to the vendor branch.
|
113914 |
23-Apr-2003 |
des |
Nit.
|
113913 |
23-Apr-2003 |
des |
Improvements to the proposed shell code.
|
113912 |
23-Apr-2003 |
des |
Regenerate.
|
113911 |
23-Apr-2003 |
des |
Resolve conflicts.
|
113909 |
23-Apr-2003 |
des |
This commit was generated by cvs2svn to compensate for changes in r113908, which included commits to RCS files with non-trunk default branches.
|
112871 |
31-Mar-2003 |
des |
- when using a child process instead of a thread, change the child's name to reflect its role
- try to handle expired passwords a little better
MFC after: 1 week
|
112870 |
31-Mar-2003 |
des |
If an ssh1 client initiated challenge-response authentication but did not respond to challenge, and later successfully authenticated itself using another method, the kbdint context would never be released, leaving the PAM child process behind even after the connection ended.
Fix this by automatically releasing the kbdint context if a packet of type SSH_CMSG_AUTH_TIS is followed by anything but a packet of type SSH_CMSG_AUTH_TIS_RESPONSE.
MFC after: 1 week
|
112446 |
20-Mar-2003 |
jedgar |
Merge conflicts
|
112440 |
20-Mar-2003 |
jedgar |
This commit was generated by cvs2svn to compensate for changes in r112439, which included commits to RCS files with non-trunk default branches.
|
111993 |
08-Mar-2003 |
markm |
KerberosIV deorbit sequence: Re-entry. Thank you, faithful friend. Enjoy your retirement in ports.
|
111946 |
06-Mar-2003 |
nectar |
Unbreak Kerberos 5 authentication in telnet. (Credential forwarding is still broken.)
PR: bin/45397
|
111150 |
19-Feb-2003 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.7a.
|
111148 |
19-Feb-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r111147, which included commits to RCS files with non-trunk default branches.
|
110988 |
16-Feb-2003 |
des |
Paranoia: instead of a NULL conversation function, use one that always returns PAM_CONV_ERR; moreover, make sure we always have the right conversation function installed before calling PAM service functions. Also unwrap some not-so-long lines.
MFC after: 3 days
|
110868 |
14-Feb-2003 |
nectar |
When `des_read_pw_string' is a macro, as in OpenSSL 0.9.7, an attempt to declare a prototype for it will croak.
|
110692 |
11-Feb-2003 |
des |
document the current default value for VersionAddendum.
|
110506 |
07-Feb-2003 |
des |
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
MFC after: 3 days
|
110359 |
05-Feb-2003 |
trhodes |
The manual page lists only 2 files, however it reads as `three files' which is obviously incorrect.
PR: 46841 Submitted by: Sakamoto Seiji <s-siji@hyper.ocn.ne.jp>
|
110283 |
03-Feb-2003 |
des |
Linux-PAM's pam_start(3) fails with a bogus error message if the pam_conv argument passed is NULL. OpenPAM doesn't care, but to make things easier for people porting this code to other systems (or -STABLE), use a dummy struct pam_conv instead of NULL.
Pointed out by: Damien Miller <djm@mindrot.org>
|
110282 |
03-Feb-2003 |
des |
Bump patch date to 2003-02-01 (the day after I fixed PAM authentication for ssh1)
|
110138 |
31-Jan-2003 |
des |
Fix keyboard-interactive authentication for ssh1. The problem was twofold:
- The PAM kbdint device sometimes doesn't know authentication succeeded until you re-query it. The ssh1 kbdint code would never re-query the device, so authentication would always fail. This patch has been submitted to the OpenSSH developers.
- The monitor code for PAM sometimes forgot to tell the monitor that authentication had succeeded. This caused the monitor to veto the privsep child's decision to allow the connection.
These patches have been tested with OpenSSH clients on -STABLE, NetBSD and Linux, and with ssh.com's ssh1 on Solaris.
Sponsored by: DARPA, NAI Labs
|
110049 |
29-Jan-2003 |
nectar |
Background: When libdes was replaced with OpenSSL's libcrypto, there were a few interfaces that the former implemented but the latter did not. Because some software in the base system still depended upon these interfaces, we simply included them in our libcrypto (rnd_keys.c).
Now, finally get around to removing the dependencies on these interfaces. There were basically two cases:
des_new_random_key -- This is just a wrapper for des_random_key, and these calls were replaced.
des_init_random_number_generator et al. -- A few functions were used by the application to seed libdes's PRNG. These are not necessary when using libcrypto, as OpenSSL internally seeds the PRNG from /dev/random. These calls were simply removed.
Again, some of the Kerberos 4 files have been taken off the vendor branch. I do not expect there to be future imports of KTH Kerberos 4.
|
110019 |
29-Jan-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r110018, which included commits to RCS files with non-trunk default branches.
|
110007 |
28-Jan-2003 |
markm |
Merge conflicts. This is cunning doublespeak for "use vendor code".
|
110006 |
28-Jan-2003 |
markm |
Remove files no longer on OpenSSL 0.9.7. crypto/des/rnd_keys.c is retained as it is still used.
|
109999 |
28-Jan-2003 |
markm |
This commit was generated by cvs2svn to compensate for changes in r109998, which included commits to RCS files with non-trunk default branches.
|
109995 |
28-Jan-2003 |
nectar |
Make the Kerberos 4 bits build against OpenSSL 0.9.7. This required two basic changes (both of which should be no-ops until OpenSSL 0.9.7 is imported):
= Define OPENSSL_DES_LIBDES_COMPATIBILITY wherever we include openssl/des.h.
= Spell `struct des_ks_struct []' using the existing `des_key_schedule' typedef.
When OpenSSL 0.9.7 is imported, `des_key_schedule' (among other things) will be a macro invocation instead of a typedef, and things should `just work'.
Yes, this commit does take several files off the vendor branch. I do not expect there to be future imports of KTH Kerberos 4.
|
109683 |
22-Jan-2003 |
des |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted.
PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days
|
109642 |
21-Jan-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r109641, which included commits to RCS files with non-trunk default branches.
|
109466 |
18-Jan-2003 |
billf |
add more RFC defined telnet options
Reviewed by: ps
|
108159 |
21-Dec-2002 |
des |
The previous commit contained a stupid mistake: ctxt->pam_[cp]sock was initialized after the call to pthread_create() instead of before. It just happened to work with threads enabled because ctxt is shared, but of course it doesn't work when we use a child process instead of threads.
|
107861 |
14-Dec-2002 |
des |
If possible, use pthreads instead of a child process for PAM.
Reimplement the necessary bits from auth_pam.c and auth2_pam.c so that they share the PAM context used by the keyboard-interactive thread. If a child process is used instead, they will (necessarily) use a separate context.
Constify do_pam_account() and do_pam_session().
Sponsored by: DARPA, NAI Labs
|
107860 |
14-Dec-2002 |
des |
Add a missing #include "canohost.h".
|
107859 |
14-Dec-2002 |
des |
Remove code related to the PAMAuthenticationViaKbdInt option (which we've disabled). This removes the only reference to auth2_pam().
|
107858 |
14-Dec-2002 |
des |
Back out a lastlog-related change which is no longer relevant.
|
107857 |
14-Dec-2002 |
des |
Fix a rounding error in the block size calculation.
Submitted by: tjr
|
107553 |
03-Dec-2002 |
des |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.
Approved by: re (rwatson)
|
107299 |
27-Nov-2002 |
eric |
Merge argument parsing changes into this copy of telnet.
Submitted by: markm Approved by: bmah
|
107208 |
24-Nov-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r107207, which included commits to RCS files with non-trunk default branches.
|
106489 |
06-Nov-2002 |
des |
Add caveats regarding the effect of PAM on PasswordAuthentication and PermitRootLogin.
PR: docs/43776 MFC after: 1 week
|
106465 |
05-Nov-2002 |
des |
Document the current default for VersionAddendum.
|
106464 |
05-Nov-2002 |
des |
Accurately reflect our local changes and additions.
|
106463 |
05-Nov-2002 |
des |
Document the current default value for VersionAddendum.
|
106353 |
02-Nov-2002 |
des |
Switch to two-clause license, with NAI's permission.
|
106130 |
29-Oct-2002 |
des |
Resolve conflicts.
|
106129 |
29-Oct-2002 |
des |
Protect against tag expansion + fix some brainos.
|
106128 |
29-Oct-2002 |
des |
Some tricks I use when I upgrade.
|
106127 |
29-Oct-2002 |
des |
Correct shell code to expand globs in FREEBSD-Xlist
|
106126 |
29-Oct-2002 |
des |
More cruft.
|
106122 |
29-Oct-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r106121, which included commits to RCS files with non-trunk default branches.
|
105766 |
23-Oct-2002 |
assar |
This commit was generated by cvs2svn to compensate for changes in r105765, which included commits to RCS files with non-trunk default branches.
|
105673 |
22-Oct-2002 |
assar |
This commit was generated by cvs2svn to compensate for changes in r105672, which included commits to RCS files with non-trunk default branches.
|
104331 |
02-Oct-2002 |
dd |
Permit the argument to the -s option to be a hostname. I see no reason to restrict this to a numeric address.
PR: 41841 Submitted by: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>, Maxim Maximov <mcsi@agava.com>
|
104205 |
30-Sep-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r104204, which included commits to RCS files with non-trunk default branches.
|
103956 |
25-Sep-2002 |
markm |
Catch up with "base" telnet. s/FALL THROUGH/FALLTHROUGH/ for lint(1).
|
103955 |
25-Sep-2002 |
markm |
Catch up with "base" telnet.
s/FALL THROUGH/FALLTHROUGH/ for lint(1). s/Usage/usage/ for consistency.
|
103954 |
25-Sep-2002 |
markm |
From the requestor:
"Could you do me a favor and fix sys_bsd.c to get the howmany() macro from <sys/param.h>, instead of <sys/types.h>? This will save me from having to worry about the unsync'd bits before making the change."
Requested by: mike
|
103542 |
18-Sep-2002 |
nectar |
These RFCs and internet-drafts are not really needed in the base system, and I've not been importing them lately. cvs rm them now so they can be cleaned out of the attic later.
Requested by: obrien
|
103426 |
16-Sep-2002 |
nectar |
Resolve conflicts.
|
103424 |
16-Sep-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r103423, which included commits to RCS files with non-trunk default branches.
|
103134 |
09-Sep-2002 |
ume |
sshd didn't handle actual size of struct sockaddr correctly, and did copy it as long as just size of struct sockaddr. So, if connection is via IPv6, sshd didn't log hostname into utmp correctly. This problem occurred only under FreeBSD because of our hack. However, this is potential problem of OpenSSH-portable, and they agreed to fix this. Though, there is no fixed version of OpenSSH-portable available yet, since this problem is serious for IPv6 users, I commit the fix.
Reported by: many people Reviewed by: current@ and stable@ (no objection) MFC after: 3 days
|
103108 |
09-Sep-2002 |
kuriyama |
Fix typo (s@src/crypto/openssh-portable@src/crypto/openssh@).
|
102654 |
30-Aug-2002 |
nectar |
Pass the pointy hat! Remove accidentally imported files.
|
102651 |
30-Aug-2002 |
nectar |
Remove some parts of the Heimdal distribution which we do not use and have never used.
|
102648 |
30-Aug-2002 |
nectar |
Remove files no longer relevant after latest import.
|
102647 |
30-Aug-2002 |
nectar |
Resolve conflicts after import of Heimdal Kerberos circa 2002/08/29.
|
102645 |
30-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r102644, which included commits to RCS files with non-trunk default branches.
|
102250 |
22-Aug-2002 |
nsayer |
Encrypted strings (after hex decoding) aren't null terminated, because 0 might simply be part of the ciphertext.
PR: bin/40266 Submitted by: andr@dgap.mipt.ru MFC after: 3 days
|
101621 |
10-Aug-2002 |
nectar |
Resolve conflicts.
|
101619 |
10-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101618, which included commits to RCS files with non-trunk default branches.
|
101616 |
10-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101615, which included commits to RCS files with non-trunk default branches.
|
101614 |
10-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101613, which included commits to RCS files with non-trunk default branches.
|
101387 |
05-Aug-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r101386, which included commits to RCS files with non-trunk default branches.
|
101385 |
05-Aug-2002 |
ache |
Do login cap calls _before_ descriptors are hardly closed because close may invalidate login cap descriptor.
Reviewed by: des
|
100943 |
30-Jul-2002 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.6e.
|
100937 |
30-Jul-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r100936, which included commits to RCS files with non-trunk default branches.
|
100934 |
30-Jul-2002 |
nectar |
This man page has not been referenced by anything for a while, and is not part of the OpenSSL distribution. Remove it.
|
100932 |
30-Jul-2002 |
nectar |
Remove many obsolete files. The majority of these are simply no longer included as part of the OpenSSL distribution. However, a few we just don't need and are explicitly excluded in FREEBSD-Xlist.
|
100931 |
30-Jul-2002 |
nectar |
Resolve conflicts after import of OpenSSL 0.9.6d.
|
100929 |
30-Jul-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r100928, which included commits to RCS files with non-trunk default branches.
|
100927 |
30-Jul-2002 |
nectar |
Update list of files to remove prior to import of OpenSSL 0.9.6d
|
100838 |
29-Jul-2002 |
fanf |
Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
PR: 37416 Approved by: des MFC after: 4 days
|
100715 |
26-Jul-2002 |
fanf |
FreeBSD doesn't use the host RSA key by default.
Reviewed by: des
|
100693 |
26-Jul-2002 |
ache |
Problems addressed:
1) options.print_lastlog was not honored.
2) "Last login: ..." was printed twice.
3) "copyright" was not printed
4) No newline was before motd.
Reviewed by: maintainer's silence in 2 weeks (with my constant reminders)
|
100678 |
25-Jul-2002 |
fanf |
Document the FreeBSD default for CheckHostIP, which was changed in rev 1.2 of readconf.c.
Approved by: des
|
100583 |
23-Jul-2002 |
des |
Whitespace nit.
|
100254 |
17-Jul-2002 |
des |
In pam_init_ctx(), register a cleanup function that will kill the child process if a fatal error occurs. Deregister it in pam_free_ctx().
|
99768 |
11-Jul-2002 |
des |
Use realhostname_sa(3) so the IP address will be used instead of the hostname if the latter is too long for utmp.
Submitted by: ru MFC after: 3 days
|
99748 |
10-Jul-2002 |
des |
Do not try to use PAM for password authentication, as it is already (and far better) supported by the challenge/response authentication mechanism.
|
99747 |
10-Jul-2002 |
des |
Don't forget to clear the buffer before reusing it.
|
99455 |
05-Jul-2002 |
des |
Rewrite to use the buffer API instead of roll-your-own messaging.
Suggested by: Markus Friedl <markus@openbsd.org> Sponsored by: DARPA, NAI Labs
|
99454 |
05-Jul-2002 |
des |
(forgot to commit) We don't need --with-opie since PAM takes care of it.
|
99319 |
03-Jul-2002 |
des |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE.
- We don't have setutent(3) etc., and I have no idea why configure ever thought we did.
|
99315 |
03-Jul-2002 |
des |
Two FreeBSD-specific nits in comments:
- ChallengeResponseAuthentication controls PAM, not S/Key
- We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it.
Sponsored by: DARPA, NAI Labs
|
99259 |
02-Jul-2002 |
des |
Version bump for mm_answer_pam_respond() fix.
|
99258 |
02-Jul-2002 |
des |
Fix a braino in mm_answer_pam_respond() which would cause sshd to abort if PAM authentication failed due to an incorrect response.
|
99132 |
30-Jun-2002 |
des |
Forgot to update the addendum in the config files.
|
99065 |
29-Jun-2002 |
des |
Regenerate.
|
99064 |
29-Jun-2002 |
des |
<sys/mman.h> requires <sys/types.h>.
|
99063 |
29-Jun-2002 |
des |
Resolve conflicts.
Sponsored by: DARPA, NAI Labs
|
99061 |
29-Jun-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r99060, which included commits to RCS files with non-trunk default branches.
|
99059 |
29-Jun-2002 |
des |
Commit config.h so we don't need autoconf to build world.
|
99057 |
29-Jun-2002 |
des |
OpenBSD lifted this code our tree. Preserve the original CVS id.
|
99056 |
29-Jun-2002 |
des |
Use our __RCSID().
|
99055 |
29-Jun-2002 |
des |
Make sure the environment variables set by setusercontext() are passed on to the child process.
Reviewed by: ache Sponsored by: DARPA, NAI Labs
|
99054 |
29-Jun-2002 |
des |
Canonicize the host name before looking it up in the host file.
Sponsored by: DARPA, NAI Labs
|
99053 |
29-Jun-2002 |
des |
Apply class-imposed login restrictions.
Sponsored by: DARPA, NAI Labs
|
99052 |
29-Jun-2002 |
des |
PAM support, the FreeBSD way.
Sponsored by: DARPA, NAI Labs
|
99051 |
29-Jun-2002 |
des |
Document FreeBSD defaults.
Sponsored by: DARPA, NAI Labs
|
99050 |
29-Jun-2002 |
des |
Document FreeBSD defaults and paths.
Sponsored by: DARPA, NAI Labs
|
99049 |
29-Jun-2002 |
des |
Remove duplicate.
|
99048 |
29-Jun-2002 |
des |
Apply FreeBSD's configuration defaults.
Sponsored by: DARPA, NAI Labs
|
99047 |
29-Jun-2002 |
des |
Add the VersionAddendum configuration variable.
Sponsored by: DARPA, NAI Labs
|
99046 |
29-Jun-2002 |
des |
Support OPIE as an alternative to S/Key.
Sponsored by: DARPA, NAI Labs
|
99045 |
29-Jun-2002 |
des |
Document the upgrade process.
|
99044 |
29-Jun-2002 |
des |
Files we don't want to import.
|
98941 |
27-Jun-2002 |
des |
Forcibly revert to mainline.
|
98938 |
27-Jun-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r98937, which included commits to RCS files with non-trunk default branches.
|
98884 |
26-Jun-2002 |
markm |
Warnings fixes. Sort out some variable types.
|
98882 |
26-Jun-2002 |
markm |
Help fix warnings by marking an argument as unused.
|
98742 |
24-Jun-2002 |
dinoex |
remove declaration of authlog use variable from_host Reviewed by: des
|
98738 |
24-Jun-2002 |
des |
IPv4or6 is already defined in libssh.
|
98706 |
23-Jun-2002 |
des |
Resolve conflicts and document local changes.
|
98695 |
23-Jun-2002 |
des |
Correctly export the environment variables set by setusercontext().
Sponsored by: DARPA, NAI Labs
|
98684 |
23-Jun-2002 |
des |
Resolve conflicts. Known issues:
- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated
I will have these issues resolved, and privilege separation turned on by default, in time for DP2.
Sponsored by: DARPA, NAI Labs
|
98676 |
23-Jun-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r98675, which included commits to RCS files with non-trunk default branches.
|
97341 |
27-May-2002 |
jmallett |
Don't risk catching a signal while handling a signal for a dying child, as we can then end up not properly clearing wtmp/utmp entries.
PR: bin/37934 Submitted by: Sandeep Kumar <skumar@juniper.net> Reviewed by: markm MFC after: 2 weeks
|
96434 |
12-May-2002 |
jedgar |
Remove _PATH_CP now that it is defined in paths.h
Reviewed by: des
|
96385 |
11-May-2002 |
alfred |
unbreak build:
commands.c, sys_bsd.c: comment out/remove junk after #endif/#else
network.c, terminal.c, utlities.c: include stdlib.h for exit(3)
|
96226 |
08-May-2002 |
des |
Resurrect as an empty file to unbreak the build. We have everything we need in paths.h.
|
96108 |
06-May-2002 |
markm |
Fix an external declaration that was causing telnetd to core dump.
MFC after: 1 week PR: 37766
|
95894 |
01-May-2002 |
obrien |
Usual after-import fixup of SCM IDs.
|
95456 |
25-Apr-2002 |
des |
Back out previous commit.
|
95431 |
25-Apr-2002 |
jkh |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms.
Submitted by: Joshua Goodall <joshua@roughtrade.net>
|
95312 |
23-Apr-2002 |
ache |
1) Properly conditionalize PAM "last login" printout.
2) For "copyright" case #ifdef HAVE_LOGIN_CAP was placed on too big block, narrow it down.
3) Don't check the same conditions twice (for "copyright" and "welcome"), put them under single block.
4) Print \n between "copyright" and "welcome" as our login does.
Reviewed by: des (1)
|
95242 |
22-Apr-2002 |
des |
Don't report last login time in PAM case. (perforce change 10057)
Sponsored by: DARPA, NAI Labs
|
95241 |
22-Apr-2002 |
des |
Fix warnings + wait for child so it doesn't go zombie (perforce change 10122)
|
95207 |
21-Apr-2002 |
ache |
Move LOGIN_CAP calls before all file descriptors are closed hard, since some descriptors may be used by LOGIN_CAP internally, add login_close().
Use "nocheckmail" LOGIN_CAP capability too like our login does.
|
95120 |
20-Apr-2002 |
ache |
Fix TZ & TERM handling for use_login case of rev. 1.24
|
95119 |
20-Apr-2002 |
ache |
1) Surprisingly, "CheckMail" handling code completely removed from this version, so documented "CheckMail" option exists but does nothing. Bring it back to life adding code back.
2) Cosmetique. Reduce number of args in do_setusercontext()
|
95109 |
20-Apr-2002 |
ache |
1) Fix overlook in my prev. commit - forget HAVE_ prefix in one place in old code merge.
2) In addition honor "timezone" and "term" capabilities from login.conf, not overwrite them once they set (they are TZ and TERM variables).
|
95105 |
20-Apr-2002 |
ache |
Please repeat after me: setusercontext() modifies _current_ environment, but sshd uses separate child_env. So, to make setusercontext() really do something, environment must be switched before call and passed to child_env back after it.
The error here was that modified environment not passed back to child_env, so all variables that setusercontext() adds are lost, including ones from ~/.login_conf
|
94657 |
14-Apr-2002 |
des |
Fix some warnings. Don't record logins twice in USE_PAM case. Strip "/dev/" off the tty name before passing it to auth_ttyok or PAM.
Inspired by: dinoex Sponsored by: DARPA, NAI Labs
|
94511 |
12-Apr-2002 |
des |
Back out previous backout. It seems I was right to begin with, and DSA is preferable to RSA (not least because the SECSH draft standard requires DSA while RSA is only recommended).
|
94464 |
11-Apr-2002 |
des |
Knowledgeable persons assure me that RSA is preferable to DSA and that we should transition away from DSA.
|
94439 |
11-Apr-2002 |
des |
Prefer DSA to RSA if both are available.
|
94438 |
11-Apr-2002 |
des |
Do not attempt to load an ssh2 RSA host key by default.
|
94203 |
08-Apr-2002 |
ru |
Align for const poisoning in -lutil.
|
93927 |
06-Apr-2002 |
des |
Nuke stale copy of the pam_ssh(8) source code.
|
93704 |
02-Apr-2002 |
des |
Revert to vendor version, what little was left of our local patches here was incorrect.
Pointed out by: Markus Friedl <markus@openbsd.org>
|
93701 |
02-Apr-2002 |
des |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further.
Sponsored by: DARPA, NAI Labs
|
93698 |
02-Apr-2002 |
des |
Make the various ssh clients understand the VersionAddendum option.
Submitted by: pb
|
93221 |
26-Mar-2002 |
ru |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.)
Reviewed by: bde
|
93216 |
26-Mar-2002 |
nectar |
REALLY correct typo this time.
Noticed by: roam
|
93155 |
25-Mar-2002 |
nectar |
Fix typo (missing paren) affecting KRB4 && KRB5 case.
Approved by: des
|
93042 |
23-Mar-2002 |
des |
We keep moduli(5) in /etc/ssh, not /etc.
|
92879 |
21-Mar-2002 |
des |
Correctly set PAM_RHOST so e.g. pam_login_access(8) can do its job.
Sponsored by: DARPA, NAI Labs
|
92878 |
21-Mar-2002 |
des |
Use the "sshd" service instead of "csshd". The latter was only needed because of bugs (incorrect design decisions, actually) in Linux-PAM.
Sponsored by: DARPA, NAI Labs
|
92876 |
21-Mar-2002 |
des |
Use PAM instead of S/Key (or OPIE) for SSH2.
Sponsored by: DARPA, NAI Labs
|
92836 |
20-Mar-2002 |
des |
Note that portions of this software were
Sponsored by: DARPA, NAI Labs
|
92832 |
20-Mar-2002 |
des |
- Change the prompt from "S/Key Password: " to "OPIE Password: "
- If the user doesn't have an OPIE key, don't challenge him. This is a workaround until I get PAM to work properly with ssh2.
Sponsored by: DARPA, NAI Labs
|
92708 |
19-Mar-2002 |
des |
Unbreak for KRB4 ^ KRB5 case.
Sponsored by: DARPA, NAI Labs
|
92564 |
18-Mar-2002 |
des |
Revive this file (which is used for opie rather than skey)
|
92559 |
18-Mar-2002 |
des |
Fix conflicts.
|
92556 |
18-Mar-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r92555, which included commits to RCS files with non-trunk default branches.
|
92402 |
16-Mar-2002 |
des |
Diff reduction.
Sponsored by: DARPA, NAI Labs
|
91810 |
07-Mar-2002 |
nectar |
Update version string.
|
91688 |
05-Mar-2002 |
nectar |
Fix off-by-one error.
Obtained from: OpenBSD
|
91431 |
27-Feb-2002 |
green |
Use login_getpwclass() instead of login_getclass() so that default mapping of user login classes works.
Obtained from: TrustedBSD project Sponsored by: DARPA, NAI Labs
|
90931 |
19-Feb-2002 |
nectar |
Update build after import of Heimdal Kerberos 2002/02/17.
|
90930 |
19-Feb-2002 |
nectar |
Remove files that were dropped from Heimdal Kerberos 2002/02/17.
|
90929 |
19-Feb-2002 |
nectar |
Resolve conflicts after import of Heimdal Kerberos 2002/02/17.
|
90927 |
19-Feb-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r90926, which included commits to RCS files with non-trunk default branches.
|
90242 |
05-Feb-2002 |
sheldonh |
Don't use non-signal-safe functions (exit(3) in this case) in signal handlers. In this case, use _exit(2) instead, following the call to shutdown(2).
This fixes rare telnetd hangs.
PR: misc/33672 Submitted by: Umesh Krishnaswamy <umesh@juniper.net> MFC after: 1 month
|
89840 |
27-Jan-2002 |
kris |
Resolve conflicts.
|
89838 |
27-Jan-2002 |
kris |
This commit was generated by cvs2svn to compensate for changes in r89837, which included commits to RCS files with non-trunk default branches.
|
89703 |
23-Jan-2002 |
ru |
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm Approved by: markm
|
89403 |
15-Jan-2002 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r89402, which included commits to RCS files with non-trunk default branches.
|
89014 |
07-Jan-2002 |
green |
Fix a coredump bug occurring if ssh-keygen attempts to change the password on a DSA key.
Submitted by: ian j hart <ianjhart@ntlworld.com>
|
87882 |
14-Dec-2001 |
ru |
mdoc(7) police: remove -r from SYNOPSIS, sort -p in DESCRIPTION.
|
87558 |
09-Dec-2001 |
jkh |
Don't assume that the number of fds to select on is known quantity (in this case 16). Use dynamic FD_SETs and calculated high-water marks throughout. There are also too many versions of telnet in the tree.
Obtained from: OpenBSD and Apple's Radar database MFC after: 2 days
|
87358 |
04-Dec-2001 |
ru |
Fixed bugs from previous revision.
Removed -s from SYNOPSIS and restored -S in DESCRIPTION.
|
87308 |
03-Dec-2001 |
nectar |
Update version string since we applied a fix for the UseLogin issue.
|
87277 |
03-Dec-2001 |
jhay |
Protect variables and function prototypes that are only used in the INET6 case with an ifdef INET6.
This makes the fixit floppy compile again.
Reviewed by: markm
|
87267 |
03-Dec-2001 |
markm |
More help for alpha WARNS=2. This code is, erm, unusual. Anyone who feels like rewriting it will meet no objection from me.
|
87266 |
03-Dec-2001 |
markm |
help the alphas out with the WARNS=2 stuff.
|
87255 |
03-Dec-2001 |
nectar |
Do not pass user-defined environmental variables to /usr/bin/login.
Obtained from: OpenBSD Approved by: green
|
87174 |
01-Dec-2001 |
markm |
Protect names that are used elsewhere. This fixes WARNS=2 breakage in crypto telnet.
|
87155 |
30-Nov-2001 |
markm |
Damn. The previous mega-commit was incomplete WRT ANSIfication. This fixes that.
|
87139 |
30-Nov-2001 |
markm |
Very large style makeover.
1) ANSIfy.
2) Clean up ifdefs so that
   a) ones that never/always apply are appropriately either fully removed, or just the #if junk is removed.
   b) change #if defined(FOO) for appropriate values of FOO. (currently AUTHENTICATION and ENCRYPTION)
3) WARNS=2 fixing
4) GC other unused stuff
This code can now be unifdef(1)ed to make non-crypto telnet.
|
86617 |
19-Nov-2001 |
dwmalone |
In the "UseLogin yes" case we need env to be NULL to make sure it will be correctly initialised.
PR: 32065 Tested by: The Anarcat <anarcat@anarcat.dyndns.org> MFC after: 3 days
|
85703 |
29-Oct-2001 |
jhb |
Fix world by trimming an extra comment terminator.
|
85690 |
29-Oct-2001 |
nsayer |
Add Berkeley copyright to SRA.
This is by the kind permission of Dave Safford, formerly of TAMU who wrote the original code. Here is an excerpt of the e-mail exchange concerning this issue:
Dave Safford wrote:
>Nick Sayer wrote:
>> Some time ago we spoke about SRA and importing it into FreeBSD. I forgot to
>> ask if you had a preferred license boilerplate for the top of the files. It
>> has come up recently, and the SRA code in FreeBSD doesn't have one.
>I really have no preference - use whatever is most convenient in the
>FreeBSD environment.
>dave safford
This is the standard BSD license with clause 3 removed and clause 4 suitably renumbered.
MFC after: 1 day
|
85600 |
27-Oct-2001 |
markm |
Diff-reduce these two.
Really, one of them needs to disappear. I'll figure out which later.
Reported by: bde
|
84305 |
01-Oct-2001 |
markm |
Add __FBSDID() to diff-reduce with "base" telnet.
|
84043 |
27-Sep-2001 |
green |
Modify a "You don't exist" message, pretty rude for transient YP failures.
|
82961 |
04-Sep-2001 |
assar |
fix renamed options in some of the code that was #ifdef AFS
also print an error if krb5 ticket passing is disabled
Submitted by: Jonathan Chen <jon@spock.org>
|
82497 |
29-Aug-2001 |
markm |
Manually unifdef(1) CRAY, UNICOS, hpux and sun useless code.
|
82410 |
27-Aug-2001 |
ps |
Backout last change. I didn't follow the thread and made a mistake with this. localisations is a valid spelling. Oops
|
82408 |
27-Aug-2001 |
ps |
Correctly spell localizations
|
82326 |
25-Aug-2001 |
dd |
Remove description of an option that only applies to UNICOS < 7.0. That define may still be present in the source, but I don't think anyone has plans to try to use it.
Obtained from: NetBSD
|
81965 |
20-Aug-2001 |
markm |
Code merge and diff reduce with "base" telnet. This is the "later" telnet, so it was treated as the reference code, except where later commits were made to "base" telnet.
|
81796 |
16-Aug-2001 |
green |
Update the OpenSSH minor-version string.
Requested by: obrien Reviewed by: rwatson
|
81665 |
15-Aug-2001 |
horikawa |
Removal of following export control related sentences:
o Because of export controls, TELNET ENCRYPT option is not supported outside of the United States and Canada.
o Because of export controls, data encryption is not supported outside of the United States and Canada.
src/crypto/README revision 1.5 commit log says:
> Crypto sources are no longer export controlled:
> Explain, why crypto sources are still in crypto/.
and actually telnet encryption is used outside of US and Canada now.
Pointed out by: OHSAWA Chitoshi <ohsawa@catv1.ccn-net.ne.jp> Reviewed by: no objection on doc
|
81622 |
14-Aug-2001 |
ru |
mdoc(7) police: s/BSD/.Bx/ where appropriate.
|
80224 |
23-Jul-2001 |
kris |
output_data(), output_datalen() and netflush() didn't actually guarantee to do what they are supposed to: under some circumstances output data would be truncated, or the buffer would not actually be flushed (possibly leading to overflows when the caller assumes the operation succeeded). Change the semantics so that these functions ensure they complete the operation before returning.
Comment out diagnostic code enabled by '-D reports' which causes an infinite recursion and an eventual crash.
Patch developed with assistance from ru and assar.
|
80038 |
20-Jul-2001 |
ru |
More potential buffer overflow fixes.
o Fixed `nfrontp' calculations in output_data(). If `remaining' is initially zero, it was possible for `nfrontp' to be decremented.
Noticed by: dillon
o Replaced leaking writenet() with output_datalen():
: * writenet
: *
: * Just a handy little function to write a bit of raw data to the net.
: * It will force a transmit of the buffer if necessary
: *
: * arguments
: *    ptr - A pointer to a character string to write
: *    len - How many bytes to write
: */
:     void
: writenet(ptr, len)
:     register unsigned char *ptr;
:     register int len;
: {
:     /* flush buffer if no room for new data) */
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:     if ((&netobuf[BUFSIZ] - nfrontp) < len) {
:         /* if this fails, don't worry, buffer is a little big */
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:         netflush();
:     }
:
:     memmove(nfrontp, ptr, len);
:     nfrontp += len;
:
: } /* end of writenet */
What an irony! :-)
o Optimized output_datalen() a bit.
|
80001 |
19-Jul-2001 |
kris |
Resolve conflicts
|
79999 |
19-Jul-2001 |
kris |
This commit was generated by cvs2svn to compensate for changes in r79998, which included commits to RCS files with non-trunk default branches.
|
79992 |
19-Jul-2001 |
ru |
vsnprintf() can return a value larger than the buffer size.
Submitted by: assar Obtained from: OpenBSD
|
79981 |
19-Jul-2001 |
ru |
Fixed the exploitable remote buffer overflow.
Reported on: bugtraq Obtained from: Heimdal, NetBSD Reviewed by: obrien, imp
|
79683 |
13-Jul-2001 |
nectar |
Bug fix: When the client connects to a server and Kerberos authentication is enabled, the client effectively ignores any error from krb5_rd_rep due to a missing branch.
In theory this could result in an ssh client using Kerberos 5 authentication accepting a spoofed AP-REP. I doubt this is a real possibility, however, because the AP-REP is passed from the server to the client via the SSH encrypted channel. Any tampering should cause the decryption or MAC to fail.
Approved by: green MFC after: 1 week
|
79528 |
10-Jul-2001 |
ru |
mdoc(7) police: removed HISTORY info from the .Os call.
|
79398 |
07-Jul-2001 |
green |
Fix an incorrect conflict resolution which prevented TISAuthentication from working right in 2.9.
|
79324 |
05-Jul-2001 |
ru |
mdoc(7) police: merge all fixes from non-crypto version.
|
79323 |
05-Jul-2001 |
ru |
MF non-crypto: 1.13: document -u in usage.
|
78976 |
29-Jun-2001 |
green |
Also add a colon to "Bad passphrase, please try again ".
|
78975 |
29-Jun-2001 |
green |
Put in a missing colon in the "Enter passphrase" message.
|
78827 |
26-Jun-2001 |
green |
Back out the last change which is probably actually a red herring. Argh!
|
78826 |
26-Jun-2001 |
green |
Don't pointlessly kill a channel because the first (forced) non-blocking read returns 0.
Now I can finally tunnel CVSUP again...
|
78536 |
21-Jun-2001 |
assar |
fix merges from 0.3f
|
78528 |
21-Jun-2001 |
assar |
This commit was generated by cvs2svn to compensate for changes in r78527, which included commits to RCS files with non-trunk default branches.
|
78348 |
16-Jun-2001 |
assar |
(do_authloop): handle !KRB4 && KRB5
|
78263 |
15-Jun-2001 |
markm |
Unbreak OpenSSH for the KRB5-and-no-KRB4 case. Asking for KRB5 does not imply that you want, need or have kerberosIV headers.
|
78129 |
12-Jun-2001 |
green |
Enable Kerberos 5 support in sshd again.
|
77925 |
08-Jun-2001 |
green |
Switch to the user's uid before attempting to unlink the auth forwarding file, nullifying the effects of a race.
Obtained from: OpenBSD
|
77114 |
24-May-2001 |
obrien |
Fix $FreeBSD$ style committer messed up in rev 1.7 for some reason.
|
77105 |
24-May-2001 |
dillon |
Oops, forgot the 'u' in the getopt for the previous commit.
|
77095 |
23-May-2001 |
dillon |
A feature to allow one to telnet to a unix domain socket. (MFC from non-crypto version)
Also update the crypto telnet's man page to reflect other options ported from the non-crypto version.
Obtained from: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
|
76870 |
20-May-2001 |
kris |
Resolve conflicts
|
76867 |
20-May-2001 |
kris |
This commit was generated by cvs2svn to compensate for changes in r76866, which included commits to RCS files with non-trunk default branches.
|
76820 |
18-May-2001 |
obrien |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16.
|
76751 |
17-May-2001 |
nsayer |
Make the PAM user-override actually override the correct thing.
|
76712 |
17-May-2001 |
peter |
Back out last commit. This was already fixed. This should never have happened, this is why we have commit mail expressly delivered to committers.
|
76711 |
17-May-2001 |
peter |
Fix the latest telnet breakage. Obviously this was never compiled.
|
76697 |
16-May-2001 |
nsayer |
Since the root-on-insecure-tty code was added to telnetd, a dependency on char *line was added to libtelnet. Put a dummy one in to keep the linker happy.
|
76696 |
16-May-2001 |
nsayer |
Make sure the protocol actively rejects bad data rather than (potentially) not responding to an invalid SRA 'auth is' message.
|
76691 |
16-May-2001 |
nsayer |
srandomdev() affords us the opportunity to radically improve, and at the same time simplify, the random number selection code.
|
76690 |
16-May-2001 |
nsayer |
Catch any attempted buffer overflows. The magic numbers in this code (512) are a little distressing, but the method really needs to be extended to allow server-supplied DH parameters anyway.
Submitted by: kris
|
76689 |
16-May-2001 |
nsayer |
Catch malloc return failures. This should help avoid dereferencing NULL on low-memory situations.
Submitted by: kris
|
76616 |
15-May-2001 |
peter |
Hack to work around braindeath in libtelnet:sra.c. The sra.o file references global variables from telnetd, but is also linked into telnet as well. I was tempted to back out the last sra.c change as it is 100% bogus and should be taken out and shot, but for now this bandaid should get world working again. :-(
|
76610 |
15-May-2001 |
nsayer |
If the uid of the attempted authentication is 0 and if the pty is insecure, do not succeed. Copied from login.c. This functionality really should be a PAM module.
|
76607 |
15-May-2001 |
green |
If a host would exceed 16 characters in the utmp entry, record only its IP address/base host instead.
Submitted by: brian
|
76582 |
14-May-2001 |
ru |
mdoc(7) police: finished fixing conflicts in revision 1.18.
|
76464 |
11-May-2001 |
markm |
Fix make world in the kerberosIV case.
|
76452 |
11-May-2001 |
assar |
merge imported changes into HEAD
|
76394 |
09-May-2001 |
alfred |
Fix some of the handling in the pam module, don't unregister things that were never registered. At the same time handle a failure from pam_setcreds with a bit more paranoia than the previous fix.
Sync a bit with the "Portable OpenSSH" work to make comparisons easier.
|
76384 |
08-May-2001 |
green |
Since PAM is broken, let pam_setcred() failure be non-fatal.
|
76372 |
08-May-2001 |
assar |
This commit was generated by cvs2svn to compensate for changes in r76371, which included commits to RCS files with non-trunk default branches.
|
76339 |
07-May-2001 |
nsayer |
Pointy hat fix -- reapply the SRA PAM patch. To -current this time.
|
76292 |
05-May-2001 |
green |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc.
|
76287 |
05-May-2001 |
green |
Finish committing _more_ somehow-uncommitted OpenSSH 2.9 updates. (Missing Delta Brigade, tally-ho!)
|
76265 |
04-May-2001 |
green |
Get ssh(1) compiling with MAKE_KERBEROS5.
|
76263 |
04-May-2001 |
green |
Remove obsoleted files.
|
76262 |
04-May-2001 |
green |
Fix conflicts for OpenSSH 2.9.
|
76260 |
04-May-2001 |
green |
This commit was generated by cvs2svn to compensate for changes in r76259, which included commits to RCS files with non-trunk default branches.
|
76227 |
03-May-2001 |
green |
Add a "VersionAddendum" configuration setting for sshd which allows anyone to easily change the part of the OpenSSH version after the main version number. The FreeBSD-specific version banner could be disabled that way, for example:
# Call ourselves plain OpenSSH
VersionAddendum
|
76226 |
03-May-2001 |
green |
Backout completely canonical lookup modifications.
|
75505 |
14-Apr-2001 |
markm |
Toss into attic stuff we don't use.
|
75465 |
13-Apr-2001 |
ru |
mdoc(7) police: removed hard sentence breaks introduced in rev.1.10.
|
75263 |
06-Apr-2001 |
nsayer |
Clean up telnet's argument processing a bit. autologin and encryption is now the default, so ignore the arguments that turn it on. Add a new -y argument to turn off encryption in case someone wants to do that. Sync these changes with the man page (including removing the now obsolete statement about availability only in the US and Canada).
|
75236 |
05-Apr-2001 |
nsayer |
Reactivate SRA.
Make handling of SIGINT and SIGQUIT follow SIGTSTP in TerminalNewMode(). This allows people to break out of SRA authentication if they wish to.
|
74503 |
20-Mar-2001 |
green |
Suggested by kris, OpenSSH shall have a version designated to note that it's not "plain" OpenSSH 2.3.0.
|
74500 |
20-Mar-2001 |
green |
Make password attacks based on traffic analysis harder by requiring that "non-echoed" characters are still echoed back in a null packet, as well as pad passwords sent to not give hints to the length otherwise.
Obtained from: OpenBSD
|
74411 |
18-Mar-2001 |
nsayer |
Fix core noted in -stable with 'auth disable SRA'.
I just mistakenly committed this to RELENG_4. I have contacted Jordan to see about how to fix this. Pass the pointy hat.
|
74291 |
15-Mar-2001 |
asmodai |
Fix double mention of ssh.
This file is already off the vendorbranch, nonetheless it needs to be submitted back to the OpenSSH people.
PR: 25743 Submitted by: David Wolfskill <dhw@whistle.com>
|
74278 |
15-Mar-2001 |
green |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name.
|
74197 |
13-Mar-2001 |
assar |
(try_krb5_authentication): simplify code. from joda@netbsd.org
|
74147 |
12-Mar-2001 |
assar |
Fix LP64 problem in Kerberos 5 TGT passing.
Obtained from: NetBSD (done by thorpej@netbsd.org)
|
74138 |
12-Mar-2001 |
assar |
enable auto-negotiation of encrypt and decrypt
|
74136 |
12-Mar-2001 |
assar |
initialize pointers to NULL and sized to 0 to avoid free:ing invalid memory.
PR: bin/20779
|
74090 |
11-Mar-2001 |
green |
Reenable the SIGPIPE signal handler default in all cases for spawned sessions.
|
73432 |
04-Mar-2001 |
markm |
Remove stuff that is really "ports material", generated files and stuff for other OS's. Also remove stuff (libraries) that are already present in FreeBSD and must not get mixed up in our code.
|
73426 |
04-Mar-2001 |
markm |
Trim down the source tree a bit. We shouldn't have blatantly uncompilable bits in here (like X stuff), nor should we have too much "ports material".
|
73400 |
04-Mar-2001 |
assar |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not know anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se>
PR: misc/20504
|
72616 |
18-Feb-2001 |
kris |
Resolve conflicts
|
72614 |
18-Feb-2001 |
kris |
This commit was generated by cvs2svn to compensate for changes in r72613, which included commits to RCS files with non-trunk default branches.
|
72586 |
18-Feb-2001 |
ps |
Make ConnectionsPerPeriod non-fatal for real.
|
72494 |
14-Feb-2001 |
markm |
Fix a "make world"-breaking inconsistency for those folks making a world with both KRB4 and KRB5.
|
72463 |
13-Feb-2001 |
assar |
nuke conflict markers
|
72451 |
13-Feb-2001 |
assar |
update to new heimdal libkrb5
|
72448 |
13-Feb-2001 |
assar |
fix conflicts in heimdal 0.3e import
|
72446 |
13-Feb-2001 |
assar |
This commit was generated by cvs2svn to compensate for changes in r72445, which included commits to RCS files with non-trunk default branches.
|
72397 |
12-Feb-2001 |
kris |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected.
Reviewed by: rwatson
|
72285 |
10-Feb-2001 |
kris |
Note that crypto/ is not used to build in, people should see secure/ instead.
|
72139 |
07-Feb-2001 |
asmodai |
Synch: Add $FreeBSD$.
|
72093 |
06-Feb-2001 |
asmodai |
Fix typo: compatability -> compatibility.
Compatability is not an existing english word.
|
72089 |
06-Feb-2001 |
asmodai |
Fix typo: seperate -> separate.
Seperate does not exist in the english language.
Submitted to look at by: kris
|
72083 |
06-Feb-2001 |
asmodai |
Fix typo: wierd -> weird.
There is no such thing as wierd in the english language.
|
72023 |
04-Feb-2001 |
green |
Correctly fill in the sun_len for a sockaddr_sun.
Submitted by: Alexander Leidinger <Alexander@leidinger.net>
|
72021 |
04-Feb-2001 |
green |
MFS: Don't use the canonical hostname here, too.
|
72020 |
04-Feb-2001 |
green |
MFF: Make ConnectionsPerPeriod usage a warning, not fatal.
|
71899 |
01-Feb-2001 |
ru |
mdoc(7) police: split punctuation characters + misc fixes.
|
71317 |
21-Jan-2001 |
green |
Actually propagate back to the rest of the application that a command was specified when using -t mode with the SSH client.
Submitted by: Dima Dorfman <dima@unixfreak.org>
|
70990 |
13-Jan-2001 |
green |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users.
|
70890 |
10-Jan-2001 |
ru |
Prepare for mdoc(7)NG.
|
70726 |
06-Jan-2001 |
green |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN.
|
70497 |
29-Dec-2000 |
assar |
fix conflicts from merge
|
70495 |
29-Dec-2000 |
assar |
This commit was generated by cvs2svn to compensate for changes in r70494, which included commits to RCS files with non-trunk default branches.
|
69837 |
10-Dec-2000 |
assar |
This commit was generated by cvs2svn to compensate for changes in r69836, which included commits to RCS files with non-trunk default branches.
|
69834 |
10-Dec-2000 |
assar |
This commit was generated by cvs2svn to compensate for changes in r69833, which included commits to RCS files with non-trunk default branches.
|
69831 |
10-Dec-2000 |
assar |
This commit was generated by cvs2svn to compensate for changes in r69830, which included commits to RCS files with non-trunk default branches.
|
69825 |
10-Dec-2000 |
assar |
(scrub_env): change to only accept a listed set of variables, including only non-filename contents for TERMCAP
|
69591 |
05-Dec-2000 |
green |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website.
Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too.
This requires at least the following in pam.conf:
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
Parts by: Eivind Eklend <eivind@FreeBSD.org>
|
69590 |
05-Dec-2000 |
green |
Forgot to remove the old line in the last commit.
|
69588 |
05-Dec-2000 |
green |
This commit was generated by cvs2svn to compensate for changes in r69587, which included commits to RCS files with non-trunk default branches.
|
69584 |
04-Dec-2000 |
brian |
Remove duplicate line
Not responded to by: kris, then green
|
69389 |
30-Nov-2000 |
asmodai |
Add more environment variables to be filtered through scrub_env(). Synched from normal telnet.
|
69387 |
30-Nov-2000 |
asmodai |
String paranoia fix. Synched from normal telnet.
|
69384 |
30-Nov-2000 |
asmodai |
String paranoia. Merged from regular telnet.
|
69223 |
26-Nov-2000 |
kris |
Correct definition of MAXHOSTNAMELEN in ifdef'ed code.
Submitted by: Edwin Groothuis <mavetju@chello.nl> PR: bin/22787
|
69130 |
25-Nov-2000 |
green |
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch back to the original environ unconditionally. The setting of the variable to save the previous environ is conditional; it happens when ENV.e_committed is set. Therefore, don't try to swap the env back unless the previous env has been initialized.
PR: bin/22670 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
69129 |
25-Nov-2000 |
billf |
Correct an argument to ssh_add_identity, this matches what is currently in ports/security/openssh/files/pam_ssh.c
PR: 22164 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp> Reviewed by: green Approved by: green
|
68965 |
20-Nov-2000 |
ru |
mdoc(7) police: use the new features of the Nm macro.
|
68891 |
19-Nov-2000 |
kris |
Fix a buffer overflow from a long local hostname.
Obtained from: OpenBSD
|
68704 |
14-Nov-2000 |
green |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol.
|
68701 |
14-Nov-2000 |
green |
This commit was generated by cvs2svn to compensate for changes in r68700, which included commits to RCS files with non-trunk default branches.
|
68666 |
13-Nov-2000 |
kris |
Update list of files to remove prior to import
|
68654 |
13-Nov-2000 |
kris |
Resolve conflicts, and garbage collect some local changes that are no longer required
|
68652 |
13-Nov-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r68651, which included commits to RCS files with non-trunk default branches.
|
68575 |
10-Nov-2000 |
ru |
Avoid use of direct troff requests in mdoc(7) manual pages.
|
67865 |
29-Oct-2000 |
dougb |
Add a CVS Id tag
|
67827 |
29-Oct-2000 |
kris |
Sync with usr.bin/telnet/telnet.c r1.9 - fix buffer overflow in DISPLAY
|
65700 |
10-Sep-2000 |
green |
Fix a few style oddities.
|
65699 |
10-Sep-2000 |
green |
Fix a goof in timevaldiff.
|
65676 |
10-Sep-2000 |
kris |
Remove files no longer present in OpenSSH 2.2.0 and beyond
|
65674 |
10-Sep-2000 |
kris |
Resolve conflicts and update for OpenSSH 2.2.0
Reviewed by: gshapiro, peter, green
|
65669 |
10-Sep-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r65668, which included commits to RCS files with non-trunk default branches.
|
65653 |
10-Sep-2000 |
kris |
Nuke RSAREF support from orbit.
It's the only way to be sure.
|
65433 |
04-Sep-2000 |
kris |
ttyname was not being passed into do_login(), so we were erroneously picking up the function definition from unistd.h instead. Use s->tty instead.
Submitted by: peter
|
65398 |
03-Sep-2000 |
kris |
bzero() the struct timeval for paranoia
Submitted by: gshapiro
|
65361 |
02-Sep-2000 |
kris |
Err, we weren't even compiling auth1.c with LOGIN_CAP at all. Guess nobody was using this feature.
|
65360 |
02-Sep-2000 |
kris |
Repair a broken conflict resolution in r1.2 which had the effect of nullifying the login_cap and login.access checks for whether a user/host is allowed access to the system for users other than root. But since we currently don't have a similar check in the ssh2 code path anyway, it's um, "okay".
Submitted by: gshapiro
|
65359 |
02-Sep-2000 |
kris |
Repair my dyslexia: s/opt/otp/ in the OPIE challenge. D'oh!
Submitted by: gshapiro
|
65358 |
02-Sep-2000 |
kris |
Re-add missing "break" which was lost during a previous patch integration. This currently has no effect.
Submitted by: gshapiro
|
65357 |
02-Sep-2000 |
kris |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default.
Reminded by: peter
|
65022 |
23-Aug-2000 |
kris |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds.
PR: 20488 Submitted by: rwatson
|
65020 |
23-Aug-2000 |
kris |
Respect X11BASE to derive the location of xauth(1)
PR: 17818 Submitted by: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
|
64594 |
13-Aug-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r64593, which included commits to RCS files with non-trunk default branches.
|
64584 |
13-Aug-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r64583, which included commits to RCS files with non-trunk default branches.
|
64581 |
13-Aug-2000 |
kris |
Fix setproctitle() vulnerability in non-compiled code.
|
64098 |
01-Aug-2000 |
asmodai |
Chalk up another phkmalloc victim.
It seems as if uninitialised memory was the culprit.
We may want to contribute this back to the OpenSSH project.
Submitted by: Alexander Leidinger <Alexander@Leidinger.net> on -current.
|
64055 |
31-Jul-2000 |
alex |
Crypto sources are no longer export controlled: Explain, why crypto sources are still in crypto/.
Reviewed by: markm
|
63919 |
27-Jul-2000 |
asmodai |
Fix a weird typo, is -> are. The OpenSSH maintainer probably wants to contribute this back to the real OpenSSH guys.
Submitted by: Jon Perkin <sketchy@netcraft.com>
|
63915 |
27-Jul-2000 |
marko |
Fixed a minor typo in the header.
Pointed out by: asmodai
|
63849 |
25-Jul-2000 |
marko |
Committed, Thanks!!
PR: 20108 Submitted by: Doug Lee
|
63662 |
20-Jul-2000 |
ume |
Fix buffer size of ALIGNed buffer.
PR: bin/20053 Submitted by: Alex Kapranoff <alex@kapran.bitmcnit.bryansk.su>
|
63606 |
20-Jul-2000 |
assar |
merge in syslog fixes, do not call syslog with variable as format string
|
63248 |
16-Jul-2000 |
peter |
Add missing $FreeBSD$ to files that are NOT still on a vendor branch.
|
62958 |
11-Jul-2000 |
nsayer |
Fix 'telnet -X sra' coredump
PR# 19835
|
62944 |
11-Jul-2000 |
peter |
Sync sshd_config with sshd and manpage internal defaults (Checkmail = yes)
|
62943 |
11-Jul-2000 |
peter |
Sync LoginGraceTime with sshd_config = 60 seconds by default, not 600.
|
62942 |
11-Jul-2000 |
peter |
Fix out-of-sync defaults. PermitRootLogin is supposed to be 'no' but sshd's internal default was 'yes'. (if some cracker managed to trash /etc/ssh/sshd_config, then root logins could be reactivated)
Approved by: kris
|
62940 |
11-Jul-2000 |
peter |
Make FallBackToRsh off by default. Falling back to rsh by default is silly in this day and age.
Approved by: kris
|
62868 |
10-Jul-2000 |
kris |
Don't call printf with no format string.
|
62805 |
08-Jul-2000 |
ume |
Make telnet -s work. It is corresponding to EAI_NONAME -> EAI_NODATA change (getaddrinfo.c rev 1.12).
|
62773 |
07-Jul-2000 |
itojun |
sync with usr.bin/telnet/commands.c 1.21 -> 1.22. pierre.dampure@alveley.org
|
62567 |
04-Jul-2000 |
green |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :)
|
62179 |
27-Jun-2000 |
green |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion.
|
62144 |
26-Jun-2000 |
green |
Also make sure to close the socket that exceeds your rate limit.
|
62101 |
26-Jun-2000 |
green |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line.
Suggested by: Niels Provos <niels@OpenBSD.org>
|
62030 |
24-Jun-2000 |
markm |
MFI. This is a documentation-only, diffreducing patch, that if invoked will cause breakage. US Users - DO NOT try to turn on IDEA - the sources are not included.
|
61828 |
19-Jun-2000 |
markm |
Grrr. I hate CVS. These were supposed to be committed when I did the IDEA fix earlier today.
Bring back IDEA from the dead (but not compiled by default).
|
61821 |
19-Jun-2000 |
markm |
Re-add IDEA. This is not actually built unless asked for by the user. (To avoid patent hassles).
|
61563 |
11-Jun-2000 |
kris |
Fix syntax error in previous commit.
Submitted by: Udo Schweigert <ust@cert.siemens.de>
|
61529 |
10-Jun-2000 |
kris |
Fix security botch in "UseLogin Yes" case: commands are executed with uid 0.
Obtained from: OpenBSD
|
61498 |
10-Jun-2000 |
ru |
Make `ssh-agent -k' work for csh(1)-like shells.
|
61320 |
06-Jun-2000 |
green |
Allow "DenyUsers" to function.
|
61212 |
03-Jun-2000 |
kris |
Resolve conflicts
|
61210 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61209, which included commits to RCS files with non-trunk default branches.
|
61208 |
03-Jun-2000 |
kris |
Resolve conflicts
|
61207 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61206, which included commits to RCS files with non-trunk default branches.
|
61203 |
03-Jun-2000 |
kris |
Bring vendor patches onto the main branch, and resolve conflicts.
|
61202 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61201, which included commits to RCS files with non-trunk default branches.
|
61200 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61199, which included commits to RCS files with non-trunk default branches.
|
61087 |
30-May-2000 |
kris |
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
|
60938 |
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen.
Requested by: msmith and others
|
60833 |
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk Reviewed by: phk Approved by: mdodd
|
60813 |
23-May-2000 |
ache |
Turn on CheckMail to be more login-compatible by default
|
60785 |
22-May-2000 |
brian |
Don't USE_PIPES
Spammed by: peter Submitted by: mkn@uk.FreeBSD.org
|
60678 |
18-May-2000 |
kris |
Correct two stupid typos in the DSA key location.
Submitted by: Udo Schweigert <ust@cert.siemens.de>
|
60663 |
17-May-2000 |
kris |
Unbreak Kerberos5 compilation. This still remains untested.
Noticed by: obrien
|
60579 |
15-May-2000 |
kris |
Oops, rename S/Key to Opie in line with FreeBSD usage.
|
60578 |
15-May-2000 |
kris |
Create a DSA host key if one does not already exist, and teach sshd_config about it.
|
60576 |
15-May-2000 |
kris |
Resolve conflicts and update for FreeBSD.
|
60574 |
15-May-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r60573, which included commits to RCS files with non-trunk default branches.
|
59803 |
30-Apr-2000 |
nik |
Note that X11 Forwarding is off by default.
PR: docs/17566 Submitted by: Keith Stevenson <ktstev01@louisville.edu>
|
59402 |
19-Apr-2000 |
markm |
MFF: catch up with FreeFall
|
59354 |
18-Apr-2000 |
kris |
If stderr is closed, report the error message about missing libraries via syslog instead.
Reviewed by: jkh
|
59287 |
16-Apr-2000 |
markm |
Internat diff reducer.
|
59282 |
16-Apr-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r59281, which included commits to RCS files with non-trunk default branches.
|
59194 |
13-Apr-2000 |
kris |
Resolve conflicts.
|
59192 |
13-Apr-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r59191, which included commits to RCS files with non-trunk default branches.
|
59027 |
05-Apr-2000 |
kris |
Correct a typo and interchanged library names
Submitted by: Ben Rosengart <ben@narcissus.net> Matthew D. Fuller <fullermd@futuresouth.com>
|
58772 |
29-Mar-2000 |
kris |
Fix a memory leak.
PR: 17360 Submitted by: Andrew J. Korty <ajk@iu.edu>
|
58592 |
26-Mar-2000 |
kris |
#include <ssl/foo.h> -> #include <openssl/foo.h>
|
58585 |
26-Mar-2000 |
kris |
Resolve conflicts.
|
58583 |
26-Mar-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r58582, which included commits to RCS files with non-trunk default branches.
|
58549 |
25-Mar-2000 |
kris |
Don't refer to the openssl handbook chapter by name - the doc guys keep jamming new chapters in front of it :)
|
58531 |
24-Mar-2000 |
brian |
Use pipe() instead of socketpair() in sshd when communicating with the client. This allows ppp/ssh style tunnels to function again.
Ok'd by: markk Submitted by: markk@knigma.org
|
58520 |
24-Mar-2000 |
mpp |
Fix a few spelling errors.
|
58463 |
22-Mar-2000 |
sheldonh |
IgnoreUserKnownHosts is a boolean flag, not an integer value.
The fix submitted in the attributed PR is identical to the one adopted by OpenBSD.
PR: 17027 Submitted by: David Malone <dwmalone@maths.tcd.ie> Obtained from: OpenBSD
|
57971 |
13-Mar-2000 |
kris |
Add a new function stub to libcrypto() which resolves to a symbol in the librsa* library and reports which version of the library (OpenSSL/RSAREF) is being used.
This is then used in openssh to detect the failure case of RSAREF and a RSA key >1024 bits, to print a more helpful error message than 'rsa_public_encrypt() failed.'
This is a 4.0-RELEASE candidate.
|
57952 |
13-Mar-2000 |
kris |
Various manpage style/grammar/formatting cleanups
Submitted by: Peter Jeremy <peter.jeremy@alcatel.com.au>, jedgar PR: 17292 (remainder of)
|
57886 |
10-Mar-2000 |
nik |
- typos
- Add double spaces following full stops to improve typeset output
- mdoc-ification. (Though I'm uncertain whether option values and contents should be .Dq or something else).
- Fix a missed /etc/ssh change
- Expand wording on RandomSeed and behaviour when X11 isn't forwarded.
- Change examples to literal mode.
- Trim trailing whitespace
PR: docs/17292 Submitted by: Peter Jeremy <peter.jeremy@alcatel.com.au>
|
57853 |
09-Mar-2000 |
markm |
Make LOGIN_CAP work properly.
|
57811 |
08-Mar-2000 |
kris |
/etc -> /etc/ssh
Submitted by: Ben Smithurst <ben@scientia.demon.co.uk>
|
57741 |
03-Mar-2000 |
jhay |
MFI: Use krb5 functions in krb5 files.
Reviewed by: markm
|
57728 |
03-Mar-2000 |
shin |
Replace structure copy from ifreq obtained by SIOCGIFADDR to memcpy(), to avoid unaligned access trap on alpha.
Approved by: jkh
|
57724 |
03-Mar-2000 |
shin |
CMSG_XXX macros alignment fixes to follow RFC2292.
Approved by: jkh
|
57708 |
03-Mar-2000 |
green |
Turn off X11 forwarding in the client. X11 forwarding in the server by default should probably also get turned on, now.
Requested by: kris Obtained from: OpenBSD
|
57683 |
02-Mar-2000 |
kris |
Update the wording on the error message when libcrypto.so can't find an RSA library.
Reviewed by: peter, jkh
|
57633 |
29-Feb-2000 |
ume |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it.
Reviewed by: markm, shin Approved by: jkh
|
57565 |
28-Feb-2000 |
markm |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz>
2) Add full LOGIN_CAP capability by Andrey Chernov
|
57563 |
28-Feb-2000 |
brian |
Don't put truncated hostnames in utmp
Approved by: jkh
|
57518 |
26-Feb-2000 |
peter |
Sync with internat.freebsd.org; weak symbols vs static libs == trouble
|
57514 |
26-Feb-2000 |
peter |
Merge from internat.freebsd.org; move VERBOSE_STUBS to a better spot.
|
57513 |
26-Feb-2000 |
peter |
Merge from internat.freebsd.org repo, minus change to rsa_eay.c (missing)
Reorganize and unify libcrypto's interface so that the RSA implementation is chosen at runtime via dlopen().
This is a checkpoint and may require more tweaks still.
|
57511 |
26-Feb-2000 |
peter |
Merge from internat.freebsd.org repo, minus change to rsa_eay.c (missing)
Reorganize and unify libcrypto's interface so that the RSA implementation is chosen at runtime via dlopen().
This is a checkpoint and may require more tweaks still.
|
57510 |
26-Feb-2000 |
peter |
At great personal risk (to my already fragile sanity), reorganize the rsa stubs for libcrypto. libcrypto.so now uses dlopen() to implement the backends for either the native or rsaref implemented RSA code. This involves:
- unifying the libcrypto and openssl(1) source so there is no #ifdef RSAref variations.
- using weak symbols and dlopen()/dlsym() routines to access the rsa method vectors.
Releases will enable the user to choose International, US (rsaref) or no RSA code at install time. 'make world' will DTRT depending on whether you have the international or US source. For US users, you must either install rsaref (the port or package) or (if you don't fear RSA Inc) use the (superior) International rsa_eay.c code.
This has been discussed at great length by the affected folks and even we have a great deal of confusion. This is a checkpoint so we can tune the results. This works for me in all permutations I can think of and should result in a CD/ftp 'release' just about doing the right thing now.
|
57496 |
26-Feb-2000 |
peter |
Redo this with a repo copy from the original file and reset the __PREFIX__ markers.
|
57493 |
26-Feb-2000 |
peter |
oops, update path to /etc/ssh/ssh_host_key
|
57487 |
25-Feb-2000 |
peter |
Merge from internat.freebsd.org; move ssh files from /etc to /etc/ssh
|
57472 |
25-Feb-2000 |
peter |
Don't use the dlopen() stubs if compiling with PIC. This still needs some more thought for the static case. Should we provide weak error-generating stubs for static binaries if -lrsaref was forgotten?
|
57470 |
25-Feb-2000 |
green |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :(
|
57467 |
25-Feb-2000 |
peter |
Fix garbage in SSH_PROGRAM (only on freefall, not internat)
|
57465 |
25-Feb-2000 |
green |
Make "CheckHostIP" default to off. This was proposed on -security and earlier IRC, but despite my initial feeling against it, this seems the more proper thing to do.
Proposed by: rwatson
|
57464 |
25-Feb-2000 |
green |
The includes must be <openssl/.*\.h>, not <ssl/.*\.h>.
|
57463 |
24-Feb-2000 |
markm |
remove more ports crud.
|
57462 |
24-Feb-2000 |
markm |
remove ports junk
|
57444 |
24-Feb-2000 |
markm |
Use libcrypto instead of libdes.
|
57443 |
24-Feb-2000 |
markm |
RIP libdes. All hail libcrypto!
|
57442 |
24-Feb-2000 |
markm |
Get crypto from libcrypto, not libdes.
|
57432 |
24-Feb-2000 |
markm |
Add the patches from ports (QV: ports/security/openssh/patches/patch-*)
|
57430 |
24-Feb-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r57429, which included commits to RCS files with non-trunk default branches.
|
57428 |
24-Feb-2000 |
markm |
Merge conflicts.
|
57427 |
24-Feb-2000 |
markm |
Oops; forgot to add this.
|
57426 |
24-Feb-2000 |
markm |
Get this to the same level of functionality as old libdes.
|
57423 |
24-Feb-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r57422, which included commits to RCS files with non-trunk default branches.
|
57420 |
24-Feb-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r57419, which included commits to RCS files with non-trunk default branches.
|
57417 |
24-Feb-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r57416, which included commits to RCS files with non-trunk default branches.
|
57415 |
24-Feb-2000 |
markm |
freefall/internat diff reducer
|
57414 |
24-Feb-2000 |
markm |
Freefall/Internat diff reducer.
|
57388 |
22-Feb-2000 |
jkh |
Add call stubs for dynamic rsaref loading. This isn't enabled for now but simply lets us sync up on the solution as it's evolved.
|
57343 |
19-Feb-2000 |
shin |
Use static buffer to save source route hostnames.
Approved by: jkh
|
57342 |
19-Feb-2000 |
shin |
Print "Trying ..." for each host. Also cleanups for error printing.
Approved by: jkh
Submitted by: Ben Smithurst <ben@scientia.demon.co.uk>
|
57233 |
15-Feb-2000 |
shin |
Fix bugs in telnet.
Sorry there were still several bugs.
-error retry at af mismatch was incomplete.
-af matching for source addr option was wrong
-socket was not freed at retry.
Approved by: jkh
|
57125 |
10-Feb-2000 |
shin |
Add more dual stack consideration.
-Should retry as much as possible when some of source routing intermediate hosts' address families mismatch happened. (such as when a host has only A record, and another host has each of A and AAAA record.)
-Should retry as much as possible when dest addr and source addr(specified with -s option) address family mismatch happened
Approved by: jkh
|
57016 |
07-Feb-2000 |
shin |
Fix telnet core dump at invalid service name specified. Added an error check to avoid it.
Approved by: jkh
Submitted by: Robert Muir <rmuir@gibralter.net>
|
56870 |
29-Jan-2000 |
shin |
Add NI_NAMEREQD flag to getnameinfo() call. Without this flag, getnameinfo() doesn't return error at name resolving failure. But it is used at doaddrlookup(-N) case in telnet, error need to be returned to correctly initialize hostname buffer.
Discovered at checking recent KAME repository change, noticed by itojun.
|
56668 |
27-Jan-2000 |
shin |
another tcp apps IPv6 updates.(should be make world safe) ftp, telnet, ftpd, faithd also telnet related sync with crypto, secure, kerberosIV
Obtained from: KAME project
|
56084 |
16-Jan-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r56083, which included commits to RCS files with non-trunk default branches.
|
56082 |
16-Jan-2000 |
kris |
Fix for missing symbol in -DRSAref case.
|
55949 |
14-Jan-2000 |
kris |
Fix breakage when NO_RSA specified.
Reviewed by: Ben Laurie <ben@openssl.org>
|
55719 |
10-Jan-2000 |
kris |
Zap NO_IDEA
|
55717 |
10-Jan-2000 |
kris |
List of files to nuke prior to import.
|
55715 |
10-Jan-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r55714, which included commits to RCS files with non-trunk default branches.
|
55709 |
10-Jan-2000 |
kris |
Zap the IDEA stuff - it's patented internationally (at least in some places), and we don't want people to get in trouble just for having it.
|
55683 |
09-Jan-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r55682, which included commits to RCS files with non-trunk default branches.
|
55662 |
09-Jan-2000 |
markm |
Fix path.
|
55648 |
09-Jan-2000 |
markm |
resolve conflicts.
|
55644 |
09-Jan-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r55643, which included commits to RCS files with non-trunk default branches.
|
55166 |
28-Dec-1999 |
green |
Upgrade to the pam_ssh module, version 1.1.
(From the author:) Primarily, I have added built-in functions for manipulating the environment, so putenv() is no longer used. XDM and its variants should now work without modification. Note that the new code uses the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
55100 |
25-Dec-1999 |
kris |
This commit was generated by cvs2svn to compensate for changes in r55099, which included commits to RCS files with non-trunk default branches.
|
53874 |
29-Nov-1999 |
green |
Add the PAM SSH RSA key authentication module. For example, you can add, "login auth sufficient pam_ssh.so" to your /etc/pam.conf, and users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158 Submitted by: Andrew J. Korty <ajk@waterspout.com> Reviewed by: obrien
|
51429 |
19-Sep-1999 |
markm |
Merge and fix for build.
|
51416 |
19-Sep-1999 |
markm |
This commit was generated by cvs2svn to compensate for changes in r51415, which included commits to RCS files with non-trunk default branches.
|
51414 |
19-Sep-1999 |
markm |
Big OpenSSL/KTH/FreeBSD merge, badly poisoned by $FreeBSD$'s.
|
50895 |
04-Sep-1999 |
markm |
This commit was generated by cvs2svn to compensate for changes in r50894, which included commits to RCS files with non-trunk default branches.
|
50887 |
04-Sep-1999 |
markm |
Add macro originally provided externally.
|
50886 |
04-Sep-1999 |
markm |
Add includes to silence warnings. Bit hackish.
|
50885 |
04-Sep-1999 |
markm |
Add some includes to shut up warnings.
|
50761 |
01-Sep-1999 |
markm |
This commit was generated by cvs2svn to compensate for changes in r50760, which included commits to RCS files with non-trunk default branches.
|
50759 |
01-Sep-1999 |
markm |
Termcap header no longer needed.
|
50479 |
28-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
49902 |
16-Aug-1999 |
markm |
Add virtual MAINTAINER line.
|
49901 |
16-Aug-1999 |
nsayer |
According to Mark Murray, Makefiles do not belong here. I guess we're going to have to figure something else out.
|
49887 |
16-Aug-1999 |
nsayer |
Add SRA authentication to src/crypto/telnet.
SRA does a Diffie-Hellman exchange and then DES-encrypts the authentication data. If the authentication is successful, it also sets up a session key for DES encryption.
SRA was originally developed at Texas A&M University.
This code is probably export restricted (despite the fact that I originally found it at a University in Germany).
SRA is not perfect. It is vulnerable to monkey-in-the-middle attacks and does not use tremendously large DH constants (and thus an individual exchange probably could be factored in a few days on modern CPU horsepower). It does not, however, require any changes in user or administrative behavior and foils session hijacking and sniffing. The goal of this commit is that telnet and telnetd end up in the DES distribution and that therefore an encrypted session telnet becomes standard issue for FreeBSD.
|
49861 |
16-Aug-1999 |
nsayer |
Fix int function without return (make consistent with neighbors)
|
49299 |
30-Jul-1999 |
nik |
Document the "skey" command in telnet(1).
PR: docs/12360 Submitted by: kjm@rins.ryukoku.ac.jp (KOJIMA Hajime) Nagged by: markm :-)
|
47973 |
17-Jun-1999 |
ru |
Merge from non-crypto version:
- "-N" option
- "-E" security fix
- "-s src_addr" option
Requested by: markm
|
45493 |
08-Apr-1999 |
brian |
MF libexec/telnetd: Determine the host name using an array size of MAXHOSTNAMELEN and call trimdomain() before implementing the -u option.
|
45428 |
07-Apr-1999 |
brian |
MF libexec/telnetd: MAXHOSTNAMELEN & -u fixes.
|
45395 |
06-Apr-1999 |
brian |
Use realhostname().
|
45377 |
06-Apr-1999 |
brian |
MF src/libexec/telnetd: Verify the reverse DNS lookup ala rlogind. Suggested by: markm
|
41858 |
16-Dec-1998 |
peter |
Old stuff laying around: Don't use getstr which can conflict with some curses/termcap/terminfo implementations and causes recursion.
|
41856 |
16-Dec-1998 |
peter |
Old stuff from a source tree: copy (verbatim) the code to expand the %s/%m in the default /etc/gettytab.
|
38728 |
01-Sep-1998 |
gpalmer |
Remove redundant decl. of time(). Causes problems on alpha
|
38709 |
31-Aug-1998 |
jdp |
Remove a work-around for an assembler bug that has been fixed since April, 1997. The work-around causes problems under ELF.
|
34938 |
29-Mar-1998 |
markm |
Fix nasty typo that randomly caused kinit to not properly deduce the user's username when this was not specified.
Reported by: Sean Eric Fagan
|
33426 |
16-Feb-1998 |
markm |
Make the ticket filename the same as for our old eBones. I am going to kerberize xdm again, and it will be a pain to maintain two different sets of patches (for 2.2 and 3.0).
|
33425 |
16-Feb-1998 |
markm |
Bring back the old behaviour of kinit; if no username is mentioned on the command line, attempt to get a ticket for the current uid (or <uid>.root if we are already su'ed).
Requested By: Garrett Wollman
|
32688 |
22-Jan-1998 |
imp |
MFC: sprintf paranoia
|
31622 |
08-Dec-1997 |
charnier |
MFC: no \n in syslog strings. Change -P to -p in flags. EOF -> -1. Use err(3).
|
31417 |
25-Nov-1997 |
markm |
kinit(1) and its man page do not agree on what is reported with -v. Fix this. Submitted by: Sheldon Hearn.
|
30212 |
08-Oct-1997 |
uhclem |
PR: bin/771 and bin/1037 are resolved by this change
This change changes the default handling of linemode so that older and/or stupider telnet clients can still get wakeup characters like <ESC> and <CTRL>D to work correctly multiple times on the same line, as in csh "set filec" operations. It also causes CR and LF characters to be read by apps in certain terminal modes consistently, as opposed to returning CR sometimes and LF sometimes, which broke existing apps. The change was shown to fix the problem demonstrated in the FreeBSD telnet client, along with the telnet client in Solaris, SCO, Windows '95 & NT, DEC OSF, NCSA, and others.
A similar change was incorporated in the non-crypto version of telnetd.
This resolves bin/771 and bin/1037.
|
29988 |
29-Sep-1997 |
wosch |
Sort cross references in section SEE ALSO.
|
29667 |
21-Sep-1997 |
markm |
FreeBSD's original passwd helper is needed here.
|
29181 |
07-Sep-1997 |
markm |
Bring the FreeBSD changes to the virgin sources.
|
29118 |
04-Sep-1997 |
markm |
FreeBSD specific changes - mainly religious issues about where to put stuff.
|
29089 |
04-Sep-1997 |
markm |
This commit was generated by cvs2svn to compensate for changes in r29088, which included commits to RCS files with non-trunk default branches.
|
29086 |
04-Sep-1997 |
markm |
This commit was generated by cvs2svn to compensate for changes in r29085, which included commits to RCS files with non-trunk default branches.
|
25405 |
03-May-1997 |
markm |
Bring in the Starter files for the contrib-crypto dir.
I am not going to commit anything to this area for a few days. This is because 1) I want everyone to be DARN sure there is no export of crypto that may get our USA friends in trouble. 2) I have been asked by the folk developing KTH-eBones to hold off for their new release.
Worked with: rkw, jdp
|