#
1.44 |
|
20-Dec-2023 |
christos |
Merge conflicts between 9.5 and 9.6
|
#
1.43 |
|
25-Oct-2023 |
christos |
Merge conflicts between 9.3 and 9.5
|
#
1.42 |
|
26-Jul-2023 |
christos |
Merge changes between OpenSSH-9.1 and OpenSSH-9.3
|
Revision tags: netbsd-10-base
|
#
1.41 |
|
05-Oct-2022 |
christos |
branches: 1.41.2; merge conflicts between 9.0 and 9.1
|
#
1.40 |
|
15-Apr-2022 |
christos |
merge conflicts between OpenSSH-8.9 and OpenSSH-9.0
|
#
1.39 |
|
23-Feb-2022 |
christos |
Merge differences between openssh-8.8 and openssh-8.9
|
#
1.38 |
|
27-Sep-2021 |
christos |
Merge conflicts between OpenSSH 8.7 and 8.8
|
#
1.37 |
|
02-Sep-2021 |
christos |
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7
|
Revision tags: cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base
|
#
1.36 |
|
19-Apr-2021 |
christos |
Merge local changes between 8.5 and 8.6
|
#
1.35 |
|
05-Mar-2021 |
christos |
merge local changes between openssh 8.4 and 8.5
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-3-RELEASE netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.41 |
|
05-Oct-2022 |
christos |
merge conflicts between 9.0 and 9.1
|
#
1.40 |
|
15-Apr-2022 |
christos |
merge conflicts between OpenSSH-8.9 and OpenSSH-9.0
|
#
1.39 |
|
23-Feb-2022 |
christos |
Merge differences between openssh-8.8 and openssh-8.9
|
#
1.38 |
|
27-Sep-2021 |
christos |
Merge conflicts between OpenSSH 8.7 and 8.8
|
#
1.37 |
|
02-Sep-2021 |
christos |
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7
|
Revision tags: cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base
|
#
1.36 |
|
19-Apr-2021 |
christos |
Merge local changes between 8.5 and 8.6
|
#
1.35 |
|
05-Mar-2021 |
christos |
merge local changes between openssh 8.4 and 8.5
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-3-RELEASE netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2;
Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2;
merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4;
GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2;
merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2;
merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4;
Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023,
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2;
merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10;
merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1;
Initial revision
|
#
1.40 |
|
15-Apr-2022 |
christos |
merge conflicts between OpenSSH-8.9 and OpenSSH-9.0
|
#
1.39 |
|
23-Feb-2022 |
christos |
Merge differences between openssh-8.8 and openssh-8.9
|
#
1.38 |
|
27-Sep-2021 |
christos |
Merge conflicts between OpenSSH 8.7 and 8.8
|
#
1.37 |
|
02-Sep-2021 |
christos |
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7
|
Revision tags: cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base
|
#
1.36 |
|
19-Apr-2021 |
christos |
Merge local changes between 8.5 and 8.6
|
#
1.35 |
|
05-Mar-2021 |
christos |
merge local changes between openssh 8.4 and 8.5
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts - WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes: - Updated OpenSSH-HPN to hpn13v10 - Added OpenSSH-LPK patches to retrive pubkey from LDAP - Replaced arc4random_buf() (which is not available on NetBSD) with arc4random - Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes: - conditionalize login_cap - conditionalize bsd_auth - bring in pam from portable - restore krb5, krb4, afs, skey - bring in hpn patches, disable mt aes cipher, keep speedups and cipher none - add ignore root rhosts option - fix ctype macro arguments - umac is broken, disable it - better ~homedir handling - netbsd style tunnels - urandom, xhome, chrootdir, rescuedir NetBSD handling - utmp/utmpx handling - handle tty posix_vdisable properly - handle setuid and unsetuid the posix way instead of setresuid() - add all missing functions - add new moduli - add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.39 |
|
23-Feb-2022 |
christos |
Merge differences between openssh-8.8 and openssh-8.9
|
#
1.38 |
|
27-Sep-2021 |
christos |
Merge conflicts between OpenSSH 8.7 and 8.8
|
#
1.37 |
|
02-Sep-2021 |
christos |
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7
|
Revision tags: cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base
|
#
1.36 |
|
19-Apr-2021 |
christos |
Merge local changes between 8.5 and 8.6
|
#
1.35 |
|
05-Mar-2021 |
christos |
merge local changes between openssh 8.4 and 8.5
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts - WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes: - Updated OpenSSH-HPN to hpn13v10 - Added OpenSSH-LPK patches to retrive pubkey from LDAP - Replaced arc4random_buf() (which is not available on NetBSD) with arc4random - Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes: - conditionalize login_cap - conditionalize bsd_auth - bring in pam from portable - restore krb5, krb4, afs, skey - bring in hpn patches, disable mt aes cipher, keep speedups and cipher none - add ignore root rhosts option - fix ctype macro arguments - umac is broken, disable it - better ~homedir handling - netbsd style tunnels - urandom, xhome, chrootdir, rescuedir NetBSD handling - utmp/utmpx handling - handle tty posix_vdisable properly - handle setuid and unsetuid the posix way instead of setresuid() - add all missing functions - add new moduli - add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.38 |
|
27-Sep-2021 |
christos |
Merge conflicts between OpenSSH 8.7 and 8.8
|
#
1.37 |
|
02-Sep-2021 |
christos |
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7
|
Revision tags: cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base
|
#
1.36 |
|
19-Apr-2021 |
christos |
Merge local changes between 8.5 and 8.6
|
#
1.35 |
|
05-Mar-2021 |
christos |
merge local changes between openssh 8.4 and 8.5
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023,
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.35 |
|
05-Mar-2021 |
christos |
merge local changes between openssh 8.4 and 8.5
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023,
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.34 |
|
04-Dec-2020 |
christos |
Merge conflicts
|
#
1.33 |
|
28-May-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406
|
#
1.32 |
|
27-Feb-2020 |
christos |
Merge conflicts
|
Revision tags: phil-wifi-20191119
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.31 |
|
12-Oct-2019 |
christos |
merge openssh-8.1
|
Revision tags: netbsd-9-base phil-wifi-20190609
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
branches: 1.28.2; Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts - WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes: - Updated OpenSSH-HPN to hpn13v10 - Added OpenSSH-LPK patches to retrieve pubkey from LDAP - Replaced arc4random_buf() (which is not available on NetBSD) with arc4random - Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes: - conditionalize login_cap - conditionalize bsd_auth - bring in pam from portable - restore krb5, krb4, afs, skey - bring in hpn patches, disable mt aes cipher, keep speedups and cipher none - add ignore root rhosts option - fix ctype macro arguments - umac is broken, disable it - better ~homedir handling - netbsd style tunnels - urandom, xhome, chrootdir, rescuedir NetBSD handling - utmp/utmpx handling - handle tty posix_vdisable properly - handle setuid and unsetuid the posix way instead of setresuid() - add all missing functions - add new moduli - add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.30 |
|
20-Apr-2019 |
christos |
merge conflicts.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.29 |
|
26-Aug-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.28 |
|
07-Jun-2018 |
riastradh |
Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision, because they're qualitatively different from all other types of host keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began after we stopped generating XMSS keys by default.
|
Revision tags: pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415
|
#
1.27 |
|
08-Apr-2018 |
joerg |
Fix clang build by adding __dead annotations.
|
Revision tags: pgoyette-compat-0407
|
#
1.26 |
|
06-Apr-2018 |
christos |
merge conflicts
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base
|
#
1.25 |
|
07-Oct-2017 |
christos |
branches: 1.25.2; merge conflicts.
|
Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
branches: 1.24.4; GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts - WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes: - Updated OpenSSH-HPN to hpn13v10 - Added OpenSSH-LPK patches to retrieve pubkey from LDAP - Replaced arc4random_buf() (which is not available on NetBSD) with arc4random - Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes: - conditionalize login_cap - conditionalize bsd_auth - bring in pam from portable - restore krb5, krb4, afs, skey - bring in hpn patches, disable mt aes cipher, keep speedups and cipher none - add ignore root rhosts option - fix ctype macro arguments - umac is broken, disable it - better ~homedir handling - netbsd style tunnels - urandom, xhome, chrootdir, rescuedir NetBSD handling - utmp/utmpx handling - handle tty posix_vdisable properly - handle setuid and unsetuid the posix way instead of setresuid() - add all missing functions - add new moduli - add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.25 |
|
07-Oct-2017 |
christos |
merge conflicts.
|
Revision tags: perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; 1.9.4; 1.9.8; 1.9.10; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts - WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes: - Updated OpenSSH-HPN to hpn13v10 - Added OpenSSH-LPK patches to retrieve pubkey from LDAP - Replaced arc4random_buf() (which is not available on NetBSD) with arc4random - Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes: - conditionalize login_cap - conditionalize bsd_auth - bring in pam from portable - restore krb5, krb4, afs, skey - bring in hpn patches, disable mt aes cipher, keep speedups and cipher none - add ignore root rhosts option - fix ctype macro arguments - umac is broken, disable it - better ~homedir handling - netbsd style tunnels - urandom, xhome, chrootdir, rescuedir NetBSD handling - utmp/utmpx handling - handle tty posix_vdisable properly - handle setuid and unsetuid the posix way instead of setresuid() - add all missing functions - add new moduli - add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
Revision tags: prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.24 |
|
20-Apr-2017 |
joerg |
GC multistate_privsep.
|
#
1.23 |
|
18-Apr-2017 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.22 |
|
25-Dec-2016 |
christos |
branches: 1.22.2; merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts - WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.22 |
|
25-Dec-2016 |
christos |
merge conflicts
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
11-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
03-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
02-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; merge openssh-5.9
|
#
1.8 |
|
25-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
27-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806
|
#
1.21 |
|
02-Aug-2016 |
christos |
merge conflicts.
|
Revision tags: pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.20 |
|
10-Mar-2016 |
christos |
branches: 1.20.2; merge conflicts
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
02-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
19-Oct-2014 |
christos |
merge openssh-6.7
|
Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 tls-maxphys-base
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.12 |
|
29-Mar-2013 |
christos |
welcome to openssh-6.2
|
Revision tags: agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7
|
#
1.11 |
|
12-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
Revision tags: yamt-pagecache-base6 yamt-pagecache-base5
|
#
1.10 |
|
01-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; merge openssh-5.9
|
#
1.8 |
|
24-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
Revision tags: cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
Revision tags: matt-mips64-premerge-20101231
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
26-Dec-2009 |
christos |
merge changes.
|
Revision tags: matt-premerge-20091211
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.19 |
|
13-Aug-2015 |
christos |
merge conflicts
|
#
1.18 |
|
02-Jul-2015 |
christos |
merge conflicts
|
#
1.17 |
|
03-Apr-2015 |
christos |
Merge conflicts
|
#
1.16 |
|
18-Oct-2014 |
christos |
merge openssh-6.7
|
#
1.15 |
|
28-Jan-2014 |
martin |
branches: 1.15.4; Mark a potentially unused variable (depending on #ifdef)
|
#
1.14 |
|
15-Dec-2013 |
spz |
Coverity issues 996120 and 996121, Use after free
Use the M_CP_STROPT definition exclusive to servconf.c twice and you have freed your original string.
servconf.h won copying authorized_keys_command and authorized_keys_command_user in COPY_MATCH_STRING_OPTS in 1.107, but servconf.c didn't drop its own, so it walks into this trap. Remove the duplicate copies, and disarm the trap.
Note this is on a code path where authorized_keys_command and authorized_keys_command_user don't actually get used except for a debug dump of the config, and dump_cfg_string protects itself against trying to print NULL pointers, so all you get is sshd -T -C ... giving wrong results, which is rather insignificant as far as security issues go.
|
#
1.13 |
|
08-Nov-2013 |
christos |
merge conflicts.
|
#
1.12 |
|
28-Mar-2013 |
christos |
welcome to openssh-6.2
|
#
1.11 |
|
11-Dec-2012 |
christos |
update to 6.1
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
|
#
1.10 |
|
01-May-2012 |
christos |
branches: 1.10.2; merge OpenSSH 6.0
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
* Fixed a number of memory and file descriptor leaks
|
#
1.9 |
|
07-Sep-2011 |
christos |
branches: 1.9.2; merge openssh-5.9
|
#
1.8 |
|
24-Jul-2011 |
christos |
- Merge conflicts
- WARNS=5
|
#
1.7 |
|
09-Jan-2011 |
christos |
avoid unused variable warning.
|
#
1.6 |
|
22-Nov-2010 |
adam |
Fix compiler warnings
|
#
1.5 |
|
21-Nov-2010 |
adam |
Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrieve pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
|
#
1.4 |
|
21-Nov-2010 |
adam |
Resolve conflicts
|
#
1.3 |
|
26-Dec-2009 |
christos |
merge changes.
|
#
1.2 |
|
07-Jun-2009 |
christos |
Merge in our changes:
- conditionalize login_cap
- conditionalize bsd_auth
- bring in pam from portable
- restore krb5, krb4, afs, skey
- bring in hpn patches, disable mt aes cipher, keep speedups and cipher none
- add ignore root rhosts option
- fix ctype macro arguments
- umac is broken, disable it
- better ~homedir handling
- netbsd style tunnels
- urandom, xhome, chrootdir, rescuedir NetBSD handling
- utmp/utmpx handling
- handle tty posix_vdisable properly
- handle setuid and unsetuid the posix way instead of setresuid()
- add all missing functions
- add new moduli
- add build glue
|
#
1.1 |
|
07-Jun-2009 |
christos |
branches: 1.1.1; Initial revision
|
#
1.1.1.13 |
|
13-Aug-2015 |
christos |
import openssh-7.0
Changes since OpenSSH 6.9
|
#
1.1.1.12 |
|
02-Jul-2015 |
christos |
Changes since OpenSSH 6.8
|
#
1.1.1.11 |
|
03-Apr-2015 |
christos |
Changes since OpenSSH 6.7
|
#
1.1.1.10 |
|
18-Oct-2014 |
christos |
Changes since OpenSSH 6.6
|
#
1.1.1.9 |
|
07-Nov-2013 |
christos |
Import new openssh to address
Changes since OpenSSH 6.3
|
#
1.1.1.8 |
|
29-Mar-2013 |
christos |
from openbsd
|
#
1.1.1.7 |
|
12-Dec-2012 |
christos |
From ftp.openbsd.org
|
#
1.1.1.6 |
|
01-May-2012 |
christos |
from ftp.openbsd.org
|
#
1.1.1.5 |
|
06-Sep-2011 |
christos |
new openssh: See http://www.openssh.com/txt/release-5.9
|
#
1.1.1.4 |
|
24-Jul-2011 |
christos |
from ftp.openbsd.org
|
#
1.1.1.3 |
|
20-Nov-2010 |
adam |
Imported openssh-5.6
|
#
1.1.1.2 |
|
26-Dec-2009 |
christos |
import openssh 5.3
|
#
1.1.1.1 |
|
07-Jun-2009 |
christos |
import 5.2 from ftp.openbsd.org
|
#
1.9.2.3 |
|
22-May-2014 |
yamt |
sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")
|
#
1.9.2.2 |
|
15-Jan-2013 |
yamt |
sync with (a bit old) head
|
#
1.9.2.1 |
|
23-May-2012 |
yamt |
sync with head.
|
#
1.10.2.3 |
|
19-Aug-2014 |
tls |
Rebase to HEAD as of a few days ago.
|
#
1.10.2.2 |
|
23-Jun-2013 |
tls |
resync from head
|
#
1.10.2.1 |
|
24-Feb-2013 |
tls |
resync with head
|
#
1.15.4.1 |
|
30-Apr-2015 |
riz |
Pull up blacklistd(8), requested by christos in ticket #711: crypto/external/bsd/openssh/dist/moduli-gen/Makefile up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli-gen.sh up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.1024 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.1536 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 up to 1.1.1.1 crypto/external/bsd/openssh/dist/bcrypt_pbkdf.c up to 1.2 crypto/external/bsd/openssh/dist/kexc25519.c up to 1.3 crypto/external/bsd/openssh/dist/smult_curve25519_ref.c up to 1.3 crypto/external/bsd/openssh/dist/bitmap.c up to 1.2 plus patch crypto/external/bsd/openssh/dist/PROTOCOL.chacha20poly1305 up to 1.1.1.1 crypto/external/bsd/openssh/dist/PROTOCOL.key up to 1.1.1.1 crypto/external/bsd/openssh/dist/blf.h up to 1.1 crypto/external/bsd/openssh/dist/blocks.c up to 1.3 crypto/external/bsd/openssh/dist/blowfish.c up to 1.2 crypto/external/bsd/openssh/dist/chacha.c up to 1.3 crypto/external/bsd/openssh/dist/chacha.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/cipher-aesctr.c up to 1.1.1.2 crypto/external/bsd/openssh/dist/cipher-aesctr.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/cipher-chachapoly.c up to 1.3 crypto/external/bsd/openssh/dist/cipher-chachapoly.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/crypto_api.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/digest-libc.c up to 1.3 crypto/external/bsd/openssh/dist/digest-openssl.c up to 1.3 crypto/external/bsd/openssh/dist/digest.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/ed25519.c up 
to 1.3 crypto/external/bsd/openssh/dist/fe25519.c up to 1.3 crypto/external/bsd/openssh/dist/fe25519.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ge25519.c up to 1.3 crypto/external/bsd/openssh/dist/ge25519.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/ge25519_base.data up to 1.1.1.1 crypto/external/bsd/openssh/dist/hash.c up to 1.3 crypto/external/bsd/openssh/dist/hmac.c up to 1.3 crypto/external/bsd/openssh/dist/hmac.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/kexc25519c.c up to 1.3 crypto/external/bsd/openssh/dist/kexc25519s.c up to 1.3 crypto/external/bsd/openssh/dist/poly1305.c up to 1.3 crypto/external/bsd/openssh/dist/poly1305.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/rijndael.c up to 1.1.1.2 crypto/external/bsd/openssh/dist/rijndael.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/sc25519.c up to 1.3 crypto/external/bsd/openssh/dist/sc25519.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ssh-ed25519.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-getput-crypto.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-misc.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf.h up to 1.4 crypto/external/bsd/openssh/dist/ssherr.c up to 1.3 crypto/external/bsd/openssh/dist/ssherr.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/sshkey.c up to 1.3 crypto/external/bsd/openssh/dist/sshkey.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/verify.c up to 1.3 crypto/external/bsd/openssh/dist/opacket.c up to 1.2 crypto/external/bsd/openssh/dist/umac128.c up to 1.1 crypto/external/bsd/openssh/dist/pfilter.c up to 1.2 crypto/external/bsd/openssh/dist/pfilter.h up to 1.1 crypto/external/bsd/openssh/dist/bitmap.h up to 1.2 crypto/external/bsd/openssh/dist/opacket.h up to 1.2 crypto/external/bsd/openssh/dist/ssh_api.c up to 1.2 crypto/external/bsd/openssh/dist/ssh_api.h up to 1.2 crypto/external/bsd/openssh/dist/auth2-jpake.c delete 
crypto/external/bsd/openssh/dist/compress.c delete crypto/external/bsd/openssh/dist/compress.h delete crypto/external/bsd/openssh/dist/jpake.c delete crypto/external/bsd/openssh/dist/jpake.h delete crypto/external/bsd/openssh/dist/schnorr.c delete crypto/external/bsd/openssh/dist/schnorr.h delete crypto/external/bsd/openssh/dist/strtonum.c 1.1 crypto/external/bsd/openssh/Makefile.inc up to 1.8 crypto/external/bsd/openssh/bin/Makefile.inc up to 1.3 crypto/external/bsd/openssh/bin/ssh-keyscan/Makefile up to 1.2 crypto/external/bsd/openssh/bin/sshd/Makefile up to 1.12 crypto/external/bsd/openssh/dist/PROTOCOL up to 1.5 crypto/external/bsd/openssh/dist/PROTOCOL.krl up to 1.1.1.2 crypto/external/bsd/openssh/dist/addrmatch.c up to 1.8 crypto/external/bsd/openssh/dist/atomicio.c up to 1.6 crypto/external/bsd/openssh/dist/auth-bsdauth.c up to 1.4 crypto/external/bsd/openssh/dist/auth-chall.c up to 1.6 crypto/external/bsd/openssh/dist/auth-krb5.c up to 1.7 crypto/external/bsd/openssh/dist/auth-options.c up to 1.9 crypto/external/bsd/openssh/dist/auth-options.h up to 1.6 crypto/external/bsd/openssh/dist/auth-passwd.c up to 1.4 crypto/external/bsd/openssh/dist/auth-rh-rsa.c up to 1.6 crypto/external/bsd/openssh/dist/auth-rhosts.c up to 1.5 crypto/external/bsd/openssh/dist/auth-rsa.c up to 1.10 crypto/external/bsd/openssh/dist/auth.c up to 1.12 crypto/external/bsd/openssh/dist/auth.h up to 1.10 crypto/external/bsd/openssh/dist/auth1.c up to 1.11 crypto/external/bsd/openssh/dist/auth2-chall.c up to 1.7 crypto/external/bsd/openssh/dist/auth2-gss.c up to 1.8 crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 1.7 crypto/external/bsd/openssh/dist/auth2-kbdint.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-krb5.c up to 1.4 crypto/external/bsd/openssh/dist/auth2-none.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-passwd.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.11 crypto/external/bsd/openssh/dist/auth2.c up to 1.11 
crypto/external/bsd/openssh/dist/authfd.c up to 1.8 crypto/external/bsd/openssh/dist/authfd.h up to 1.5 crypto/external/bsd/openssh/dist/authfile.c up to 1.10 crypto/external/bsd/openssh/dist/authfile.h up to 1.6 crypto/external/bsd/openssh/dist/bufaux.c up to 1.7 crypto/external/bsd/openssh/dist/bufbn.c up to 1.5 crypto/external/bsd/openssh/dist/bufec.c up to 1.5 crypto/external/bsd/openssh/dist/buffer.c up to 1.6 crypto/external/bsd/openssh/dist/buffer.h up to 1.7 crypto/external/bsd/openssh/dist/canohost.c up to 1.8 crypto/external/bsd/openssh/dist/channels.c up to 1.13 crypto/external/bsd/openssh/dist/channels.h up to 1.10 crypto/external/bsd/openssh/dist/cipher-3des1.c up to 1.7 crypto/external/bsd/openssh/dist/cipher-bf1.c up to 1.6 crypto/external/bsd/openssh/dist/cipher.c up to 1.7 crypto/external/bsd/openssh/dist/cipher.h up to 1.7 crypto/external/bsd/openssh/dist/clientloop.c up to 1.13 crypto/external/bsd/openssh/dist/compat.c up to 1.9 crypto/external/bsd/openssh/dist/compat.h up to 1.6 crypto/external/bsd/openssh/dist/deattack.c up to 1.4 crypto/external/bsd/openssh/dist/deattack.h up to 1.4 crypto/external/bsd/openssh/dist/dh.c up to 1.8 crypto/external/bsd/openssh/dist/dh.h up to 1.4 crypto/external/bsd/openssh/dist/dispatch.c up to 1.5 crypto/external/bsd/openssh/dist/dispatch.h up to 1.4 crypto/external/bsd/openssh/dist/dns.c up to 1.11 crypto/external/bsd/openssh/dist/dns.h up to 1.6 crypto/external/bsd/openssh/dist/groupaccess.c up to 1.5 crypto/external/bsd/openssh/dist/gss-genr.c up to 1.7 crypto/external/bsd/openssh/dist/gss-serv-krb5.c up to 1.8 crypto/external/bsd/openssh/dist/gss-serv.c up to 1.7 crypto/external/bsd/openssh/dist/hostfile.c up to 1.7 crypto/external/bsd/openssh/dist/hostfile.h up to 1.7 crypto/external/bsd/openssh/dist/includes.h up to 1.4 crypto/external/bsd/openssh/dist/kex.c up to 1.10 crypto/external/bsd/openssh/dist/kex.h up to 1.9 crypto/external/bsd/openssh/dist/kexdh.c up to 1.4 
crypto/external/bsd/openssh/dist/kexdhc.c up to 1.6 crypto/external/bsd/openssh/dist/kexdhs.c up to 1.8 crypto/external/bsd/openssh/dist/kexecdh.c up to 1.5 crypto/external/bsd/openssh/dist/kexecdhc.c up to 1.5 crypto/external/bsd/openssh/dist/kexecdhs.c up to 1.5 crypto/external/bsd/openssh/dist/kexgex.c up to 1.4 crypto/external/bsd/openssh/dist/kexgexc.c up to 1.6 crypto/external/bsd/openssh/dist/kexgexs.c up to 1.8 crypto/external/bsd/openssh/dist/key.c up to 1.16 crypto/external/bsd/openssh/dist/key.h up to 1.9 crypto/external/bsd/openssh/dist/krl.c up to 1.5 crypto/external/bsd/openssh/dist/krl.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/mac.c up to 1.11 crypto/external/bsd/openssh/dist/mac.h up to 1.5 crypto/external/bsd/openssh/dist/match.c up to 1.5 crypto/external/bsd/openssh/dist/misc.c up to 1.10 crypto/external/bsd/openssh/dist/misc.h up to 1.9 plus patch crypto/external/bsd/openssh/dist/moduli.c up to 1.8 crypto/external/bsd/openssh/dist/monitor.c up to 1.14 crypto/external/bsd/openssh/dist/monitor.h up to 1.7 crypto/external/bsd/openssh/dist/monitor_fdpass.c up to 1.5 crypto/external/bsd/openssh/dist/monitor_mm.c up to 1.6 crypto/external/bsd/openssh/dist/monitor_mm.h up to 1.4 crypto/external/bsd/openssh/dist/monitor_wrap.c up to 1.11 crypto/external/bsd/openssh/dist/monitor_wrap.h up to 1.8 crypto/external/bsd/openssh/dist/msg.c up to 1.4 crypto/external/bsd/openssh/dist/msg.h up to 1.4 crypto/external/bsd/openssh/dist/mux.c up to 1.11 crypto/external/bsd/openssh/dist/myproposal.h up to 1.10 crypto/external/bsd/openssh/dist/namespace.h up to 1.5 crypto/external/bsd/openssh/dist/packet.c up to 1.18 crypto/external/bsd/openssh/dist/packet.h up to 1.11 crypto/external/bsd/openssh/dist/pathnames.h up to 1.9 crypto/external/bsd/openssh/dist/pkcs11.h up to 1.4 crypto/external/bsd/openssh/dist/progressmeter.c up to 1.7 crypto/external/bsd/openssh/dist/progressmeter.h up to 1.4 crypto/external/bsd/openssh/dist/reallocarray.c new 
crypto/external/bsd/openssh/dist/readconf.c up to 1.13 crypto/external/bsd/openssh/dist/readconf.h up to 1.12 crypto/external/bsd/openssh/dist/readpass.c up to 1.6 crypto/external/bsd/openssh/dist/roaming_client.c up to 1.7 crypto/external/bsd/openssh/dist/roaming_common.c up to 1.9 crypto/external/bsd/openssh/dist/roaming_dummy.c up to 1.4 crypto/external/bsd/openssh/dist/rsa.c up to 1.5 crypto/external/bsd/openssh/dist/rsa.h up to 1.4 crypto/external/bsd/openssh/dist/sandbox-systrace.c up to 1.1.1.5 crypto/external/bsd/openssh/dist/scp.1 up to 1.9 crypto/external/bsd/openssh/dist/scp.c up to 1.11 crypto/external/bsd/openssh/dist/servconf.c up to 1.17 crypto/external/bsd/openssh/dist/servconf.h up to 1.11 crypto/external/bsd/openssh/dist/serverloop.c up to 1.12 crypto/external/bsd/openssh/dist/session.c up to 1.14 crypto/external/bsd/openssh/dist/session.h up to 1.4 crypto/external/bsd/openssh/dist/sftp-client.c up to 1.13 crypto/external/bsd/openssh/dist/sftp-client.h up to 1.7 crypto/external/bsd/openssh/dist/sftp-common.c up to 1.7 crypto/external/bsd/openssh/dist/sftp-common.h up to 1.5 crypto/external/bsd/openssh/dist/sftp-glob.c up to 1.8 crypto/external/bsd/openssh/dist/sftp-server.8 up to 1.9 crypto/external/bsd/openssh/dist/sftp-server.c up to 1.11 crypto/external/bsd/openssh/dist/sftp.1 up to 1.11 crypto/external/bsd/openssh/dist/sftp.c up to 1.15 crypto/external/bsd/openssh/dist/ssh-add.1 up to 1.9 crypto/external/bsd/openssh/dist/ssh-add.c up to 1.10 crypto/external/bsd/openssh/dist/ssh-agent.1 up to 1.8 crypto/external/bsd/openssh/dist/ssh-agent.c up to 1.14 crypto/external/bsd/openssh/dist/ssh-dss.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-ecdsa.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-gss.h up to 1.5 crypto/external/bsd/openssh/dist/ssh-keygen.1 up to 1.13 crypto/external/bsd/openssh/dist/ssh-keygen.c up to 1.16 crypto/external/bsd/openssh/dist/ssh-keyscan.1 up to 1.10 crypto/external/bsd/openssh/dist/ssh-keyscan.c up to 1.13 
crypto/external/bsd/openssh/dist/ssh-keysign.8 up to 1.9 crypto/external/bsd/openssh/dist/ssh-keysign.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-pkcs11.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-pkcs11.h up to 1.4 crypto/external/bsd/openssh/dist/ssh-rsa.c up to 1.7 crypto/external/bsd/openssh/dist/ssh.1 up to 1.14 crypto/external/bsd/openssh/dist/ssh.c up to 1.16 crypto/external/bsd/openssh/dist/ssh2.h up to 1.6 crypto/external/bsd/openssh/dist/ssh_config up to 1.8 crypto/external/bsd/openssh/dist/ssh_config.5 up to 1.13 crypto/external/bsd/openssh/dist/sshconnect.c up to 1.11 crypto/external/bsd/openssh/dist/sshconnect.h up to 1.6 crypto/external/bsd/openssh/dist/sshconnect1.c up to 1.6 crypto/external/bsd/openssh/dist/sshconnect2.c up to 1.19 crypto/external/bsd/openssh/dist/sshd.8 up to 1.13 crypto/external/bsd/openssh/dist/sshd.c up to 1.18 crypto/external/bsd/openssh/dist/sshd_config up to 1.13 crypto/external/bsd/openssh/dist/sshd_config.5 up to 1.17 crypto/external/bsd/openssh/dist/sshlogin.c up to 1.6 crypto/external/bsd/openssh/dist/sshpty.c up to 1.4 crypto/external/bsd/openssh/dist/uidswap.c up to 1.4 crypto/external/bsd/openssh/dist/umac.c up to 1.9 crypto/external/bsd/openssh/dist/version.h up to 1.14 crypto/external/bsd/openssh/dist/xmalloc.c up to 1.5 crypto/external/bsd/openssh/lib/Makefile up to 1.17 plus patch crypto/external/bsd/openssh/lib/shlib_version up to 1.13 distrib/sets/lists/base/ad.aarch64 patch distrib/sets/lists/base/ad.arm patch distrib/sets/lists/base/ad.mips patch distrib/sets/lists/base/ad.powerpc patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/mi patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/comp/ad.aarch64 patch distrib/sets/lists/comp/ad.arm patch distrib/sets/lists/comp/ad.mips patch 
distrib/sets/lists/comp/ad.powerpc patch distrib/sets/lists/comp/md.amd64 patch distrib/sets/lists/comp/md.sparc64 patch distrib/sets/lists/comp/mi patch distrib/sets/lists/comp/shl.mi patch distrib/sets/lists/debug/ad.aarch64 patch distrib/sets/lists/debug/ad.arm patch distrib/sets/lists/debug/ad.mips patch distrib/sets/lists/debug/ad.powerpc patch distrib/sets/lists/debug/md.amd64 patch distrib/sets/lists/debug/md.sparc64 patch distrib/sets/lists/debug/shl.mi patch distrib/sets/lists/etc/mi patch distrib/sets/lists/man/mi patch etc/defaults/rc.conf 1.130 etc/mtree/NetBSD.dist.base 1.142 external/bsd/Makefile up to 1.48 external/bsd/blacklist/bin/Makefile up to 1.11 plus patch external/bsd/blacklist/bin/blacklistctl.8 up to 1.6 external/bsd/blacklist/bin/blacklistctl.c up to 1.17 external/bsd/blacklist/bin/blacklistd.8 up to 1.10 external/bsd/blacklist/bin/blacklistd.c up to 1.32 external/bsd/blacklist/bin/blacklistd.conf.5 up to 1.2 external/bsd/blacklist/bin/conf.c up to 1.18 external/bsd/blacklist/bin/conf.h up to 1.6 external/bsd/blacklist/bin/internal.c up to 1.5 external/bsd/blacklist/bin/internal.h up to 1.12 external/bsd/blacklist/bin/run.c up to 1.12 external/bsd/blacklist/bin/run.h up to 1.5 external/bsd/blacklist/bin/state.c up to 1.15 external/bsd/blacklist/bin/state.h up to 1.5 external/bsd/blacklist/bin/support.c up to 1.6 external/bsd/blacklist/bin/support.h up to 1.5 external/bsd/blacklist/etc/rc.d/Makefile up to 1.1 external/bsd/blacklist/etc/rc.d/blacklistd up to 1.1 external/bsd/blacklist/etc/Makefile up to 1.3 external/bsd/blacklist/etc/blacklistd.conf up to 1.3 external/bsd/blacklist/etc/npf.conf up to 1.1 external/bsd/blacklist/Makefile up to 1.2 external/bsd/blacklist/Makefile.inc up to 1.3 external/bsd/blacklist/README up to 1.7 external/bsd/blacklist/TODO up to 1.7 external/bsd/blacklist/diff/ftpd.diff up to 1.1 external/bsd/blacklist/diff/named.diff up to 1.6 external/bsd/blacklist/diff/ssh.diff up to 1.6 
external/bsd/blacklist/include/Makefile up to 1.1 external/bsd/blacklist/include/bl.h up to 1.12 external/bsd/blacklist/include/blacklist.h up to 1.3 external/bsd/blacklist/include/config.h new external/bsd/blacklist/lib/Makefile up to 1.3 external/bsd/blacklist/lib/bl.c up to 1.24 external/bsd/blacklist/lib/blacklist.c up to 1.5 external/bsd/blacklist/lib/libblacklist.3 up to 1.3 external/bsd/blacklist/lib/shlib_version up to 1.1 external/bsd/blacklist/libexec/Makefile up to 1.1 external/bsd/blacklist/libexec/blacklistd-helper up to 1.4 external/bsd/blacklist/port/m4/.cvsignore up to 1.1 external/bsd/blacklist/port/Makefile.am up to 1.4 external/bsd/blacklist/port/_strtoi.h up to 1.1 external/bsd/blacklist/port/clock_gettime.c up to 1.2 external/bsd/blacklist/port/configure.ac up to 1.7 external/bsd/blacklist/port/fgetln.c up to 1.1 external/bsd/blacklist/port/fparseln.c up to 1.1 external/bsd/blacklist/port/getprogname.c up to 1.4 external/bsd/blacklist/port/pidfile.c up to 1.1 external/bsd/blacklist/port/popenve.c up to 1.2 external/bsd/blacklist/port/port.h up to 1.6 external/bsd/blacklist/port/sockaddr_snprintf.c up to 1.9 external/bsd/blacklist/port/strlcat.c up to 1.2 external/bsd/blacklist/port/strlcpy.c up to 1.2 external/bsd/blacklist/port/strtoi.c up to 1.3 external/bsd/blacklist/test/Makefile up to 1.2 external/bsd/blacklist/test/cltest.c up to 1.6 external/bsd/blacklist/test/srvtest.c up to 1.9 lib/libpam/modules/pam_ssh/pam_ssh.c up to 1.23 libexec/ftpd/pfilter.c up to 1.1 libexec/ftpd/pfilter.h up to 1.1 libexec/ftpd/Makefile up to 1.64 libexec/ftpd/ftpd.c up to 1.201
Add blacklistd(8), a daemon to block and release network ports on demand to mitigate abuse, and related changes to system daemons to support it. [christos, ticket #711]
|