Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

Add some server debugging for hostbased auth.

auth_debug_add queues messages about the auth process which is sent to
the client after successful authentication. This also sends those to
the server debug log to aid in debugging. From bz#3507, ok djm@

free(3) wants stdlib.h

use asprintf to construct .rhosts paths

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

Add some server debugging for hostbased auth.

auth_debug_add queues messages about the auth process which is sent to
the client after successful authentication. This also sends those to
the server debug log to aid in debugging. From bz#3507, ok djm@

free(3) wants stdlib.h

use asprintf to construct .rhosts paths

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

free(3) wants stdlib.h

use asprintf to construct .rhosts paths

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

use asprintf to construct .rhosts paths

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

remove some duplicate #includes

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <string.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <netgroup.h> out of includes.h; ok markus@

branches: 1.33.2;
knf says that a 2nd level indent is four (not three or five) spaces

branches: 1.32.4; 1.32.6;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

branches: 1.31.2;
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

just in case, put numbers to sscanf %s arg.

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.28.2; 1.28.4;
handle debug messages during rhosts-rsa and hostbased authentication; ok provos@

branches: 1.27.2;
unused include

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

basic KNF done while i was looking for something else

branches: 1.24.2;
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.23.2;
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.16.2;
move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

branches: 1.13.2;
whitespace cleanup

check format string for packet_disconnect and packet_send_debug, too

KNF, final part 3

much more KNF

KNF part 1

more %d vs. %s in fmt-strings

split do_authentication() in subroutines
move checking of remote port to central place

make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary

use strcasecmp()

wringing out all the water

numerous sprintf, strncpy, strcpy cleanups

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

sshd: switch authentication to sshbuf API; ok djm@

remove ssh1 server code; ok djm@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

KNF and add a little more debug()

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Include unistd.h for close(), prevents warnings in -portable