ChangeLog revision 162852
20060926
 - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not
   referenced any more. ok djm@
 - (dtucker) [sftp-server.8] Resync; spotted by djm@

20060924
 - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
   to rev 1.308) to work around broken gcc 2.x header file.

20060923
 - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than
   $LDFLAGS. Patch from vapier at gentoo org.

20060922
 - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on
   some platforms (eg HP-UX 11.00). From santhi.amirta at gmail com.

20060921
 - (dtucker) OpenBSD CVS Sync
   - otto@cvs.openbsd.org 2006/09/19 05:52:23
     [sftp.c]
     Use S_IS* macros instead of masking with S_IF* flags. The latter may
     have multiple bits set, which lead to surprising results. Spotted by
     Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@
   - markus@cvs.openbsd.org 2006/09/19 21:14:08
     [packet.c]
     client NULL deref on protocol error; Tavis Ormandy, Google Security Team
 - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes
   build error on Ultrix. From Bernhard Simon.

20060918
 - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow
   macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
   Allows build out of the box with older VAC and XLC compilers. Found by
   David Bronder and Bernhard Simon.
 - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes.
   Prevents macro redefinition warnings of "RDONLY".

20060916
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2006/09/16 19:53:37
     [deattack.c deattack.h packet.c]
     limit maximum work performed by the CRC compensation attack detector,
     problem reported by Tavis Ormandy, Google Security Team;
     ok markus@ deraadt@
 - (djm) Add openssh.xml to .cvsignore and sort it
 - (dtucker) [auth-pam.c] Propagate TZ environment variable to PAM auth
   process so that any logging it does is with the right timezone. From
   Scott Strickler, ok djm@.
 - (dtucker) [monitor.c] Correctly handle auditing of single commands when
   using Protocol 1. From jhb at freebsd.
 - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@
 - (dtucker) [INSTALL] Add info about audit support.

20060912
 - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
   Support SMF in Solaris Packages if enabled by configure. Patch from
   Chad Mynhier, tested by dtucker@

20060911
 - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted
   by Pekka Savola.

20060910
 - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available.
 - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB.

20060909
 - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.
 - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user.
 - (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@

20060908
 - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch
   from Chris Adams.
 - (dtucker) [configure.ac] The BSM header test needs time.h in some cases.

20060907
 - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
   be used to drop privilege to; fixes Solaris GSSAPI crash reported by
   Magnus Abrante; suggestion and feedback dtucker@
   NB. this change will require that the privilege separation user must
   exist on all the time, not just when UsePrivilegeSeparation=yes
 - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
 - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H.
 - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better
   chance of winning.

20060905
 - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
 - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.

20060904
 - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
   updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius,
   ok djm@

20060903
 - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
   declaration of writev(2) and declare it ourselves if necessary. Makes
   the atomiciov() calls build on really old systems. ok djm@

20060902
 - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
   openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
   openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
   for hton* and ntoh* macros. Required on (at least) HP-UX since we define
   _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.

20060901
 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
   [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
   [sshconnect1.c sshconnect2.c sshd.c]
   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
   [openbsd-compat/port-uw.c]
   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
   compile problems reported by rac AT tenzing.org
 - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
   [openbsd-compat/rresvport.c] Some more headers: netinet/in.h
   sys/socket.h and unistd.h in various places
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implicit declaration
   warnings for binary_open and binary_close. Patch from Corinna Vinschen.
 - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
   test for GLOB_NOMATCH and use our glob functions if it's not found.
   Stops sftp from segfaulting when attempting to get a nonexistent file on
   Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
   from and tested by Corinna Vinschen.
 - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank
   versions.

20060831
 - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
   [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
   [openbsd-compat/port-solaris.h] Add support for Solaris process
   contracts, enabled with --use-solaris-contracts. Patch from Chad
   Mynhier, tweaked by dtucker@ and myself; ok dtucker@
 - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
   while setting up the ssh service account. Patch from Corinna Vinschen.

20060830
 - (djm) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
     [sshd_config.5]
     Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
     ok jmc@ djm@
   - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
     [sshd.8]
     Add more detail about what permissions are and aren't accepted for
     authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
   - djm@cvs.openbsd.org 2006/08/29 10:40:19
     [channels.c session.c]
     normalise some inconsistent (but harmless) NULL pointer checks
     spotted by the Stanford SATURN tool, via Isil Dillig;
     ok markus@ deraadt@
   - dtucker@cvs.openbsd.org 2006/08/29 12:02:30
     [gss-genr.c]
     Work around a problem in Heimdal that occurs when KRB5CCNAME file is
     missing, by checking whether or not kerberos allocated us a context
     before attempting to free it. Patch from Simon Wilkinson, tested by
     biorn@, ok djm@
   - dtucker@cvs.openbsd.org 2006/08/30 00:06:51
     [sshconnect2.c]
     Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
     where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@
   - djm@cvs.openbsd.org 2006/08/30 00:14:37
     [version.h]
     crank to 4.4
 - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
 - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
   loginsuccess on AIX immediately after authentication to clear the failed
   login count. Previously this would only happen when an interactive
   session starts (ie when a pty is allocated) but this means that accounts
   that have primarily non-interactive sessions (eg scp's) may gradually
   accumulate enough failures to lock out an account. This change may have
   a side effect of creating two audit records, one with a tty of "ssh"
   corresponding to the authentication and one with the allocated pty per
   interactive session.

20060824
 - (dtucker) [openbsd-compat/basename.c] Include errno.h.
 - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
   older systems.
 - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
   on POSIX systems.
 - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
 - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
 - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
   unused variable warning when we have a broken or missing mmap(2).

20060822
 - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
   Makefile. Patch from santhi.amirta at gmail, ok djm.

20060820
 - (dtucker) [log.c] Move ifdef to prevent unused variable warning.
 - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
   afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
 - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
   fixing bug #1181. No changes yet.
 - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
   (0.9.8a and presumably newer) requires -ldl to successfully link.
 - (dtucker) [configure.ac] Remove errant "-".

20060819
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2006/08/18 22:41:29
     [gss-genr.c]
     GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
 - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
   single rule for the test progs.

20060818
 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
   closefrom.c from sudo.
 - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
 - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
 - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
   test progs instead; they work better than what we have.
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2006/08/06 01:13:32
     [compress.c monitor.c monitor_wrap.c]
     "zlib.h" can be <zlib.h>; ok djm@ markus@
   - miod@cvs.openbsd.org 2006/08/12 20:46:46
     [monitor.c monitor_wrap.c]
     Revert previous include file ordering change, for ssh to compile under
     gcc2 (or until openssl include files are cleaned of parameter names
     in function prototypes)
   - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
     [servconf.c servconf.h sshd_config.5]
     Add ability to match groups to Match keyword in sshd_config. Feedback
     djm@, stevesk@, ok stevesk@.
   - djm@cvs.openbsd.org 2006/08/16 11:47:15
     [sshd.c]
     factor inetd connection, TCP listen and main TCP accept loop out of
     main() into separate functions to improve readability; ok markus@
   - deraadt@cvs.openbsd.org 2006/08/18 09:13:26
     [log.c log.h sshd.c]
     make signal handler termination path shorter; risky code pointed out by
     mark dowd; ok djm markus
   - markus@cvs.openbsd.org 2006/08/18 09:15:20
     [auth.h session.c sshd.c]
     delay authentication related cleanups until we're authenticated and
     all alarms have been cancelled; ok deraadt
   - djm@cvs.openbsd.org 2006/08/18 10:27:16
     [misc.h]
     reorder so prototypes are sorted by the files they refer to; no
     binary change
   - djm@cvs.openbsd.org 2006/08/18 13:54:54
     [gss-genr.c ssh-gss.h sshconnect2.c]
     bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
     ok markus@
   - djm@cvs.openbsd.org 2006/08/18 14:40:34
     [gss-genr.c ssh-gss.h]
     constify host argument to match the rest of the GSSAPI functions and
     unbreak compilation with -Werror
 - (djm) Disable sigdie() for platforms that cannot safely syslog inside
   a signal handler (basically all of them, excepting OpenBSD);
   ok dtucker@

20060817
 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
   Include stdlib.h for malloc and friends.
 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
   for closefrom() on AIX. Pointed out by William Ahern.
 - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
   test for closefrom() in compat code.

20060816
 - (djm) [audit-bsm.c] Sprinkle in some headers

20060815
 - (dtucker) [LICENCE] Add Reyk to the list for the compat dir.

20060806
 - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
   on Solaris 10

20060806
 - (dtucker) [defines.h] With the includes.h changes we no longer get the
   name clash on "YES" so we can remove the workaround for it.
 - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
   glob.c}] Include stdlib.h for malloc and friends in compat code.

20060805
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
     [sshconnect.c]
     disable tunnel forwarding when no strict host key checking
     and key changed; ok djm@ markus@ dtucker@
   - stevesk@cvs.openbsd.org 2006/07/25 02:01:34
     [scard.c]
     need #include <string.h>
   - stevesk@cvs.openbsd.org 2006/07/25 02:59:21
     [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
     move #include <sys/time.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
     [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
     [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
     [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
     [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
     [uidswap.c xmalloc.c]
     move #include <sys/param.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
     [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
     [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
     [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
     [sshconnect1.c sshd.c xmalloc.c]
     move #include <stdlib.h> out of includes.h
   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
     [ssh_config.5]
     avoid confusing wording in HashKnownHosts:
     originally spotted by alan amesbury;
     ok deraadt
   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
     [ssh_config.5]
     avoid confusing wording in HashKnownHosts:
     originally spotted by alan amesbury;
     ok deraadt
   - dtucker@cvs.openbsd.org 2006/08/01 11:34:36
     [sshconnect.c]
     Allow fallback to known_hosts entries without port qualifiers for
     non-standard ports too, so that all existing known_hosts entries will be
     recognised. Requested by, feedback and ok markus@
   - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
     [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
     [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
     [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
     [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
     [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
     [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
     [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
     [uuencode.h xmalloc.c]
     move #include <stdio.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/08/01 23:36:12
     [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
     clean extra spaces
   - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
     [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
     almost entirely get rid of the culture of ".h files that include .h files"
     ok djm, sort of ok stevesk
     makes the pain stop in one easy step
     NB. portable commit contains everything *except* removing includes.h, as
     that will take a fair bit more work as we move headers that are required
     for portability workarounds to defines.h. (also, this step wasn't "easy")
   - stevesk@cvs.openbsd.org 2006/08/04 20:46:05
     [monitor.c session.c ssh-agent.c]
     spaces
 - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
   remove last traces of bufaux.h - it was merged into buffer.h in the big
   includes.h commit
 - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
 - (djm) [openbsd-compat/regress/snprintftest.c]
   [openbsd-compat/regress/strduptest.c] Add missing includes so they pass
   compilation with "-Wall -Werror"
 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
   [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
   includes for Linux in
 - (dtucker) [cleanup.c] Need defines.h for __dead.
 - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
 - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
   #include stdarg.h, needed for log.h.
 - (dtucker) [entropy.c] Needs unistd.h too.
 - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Needs stdlib.h for malloc.
 - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
   otherwise it is implicitly declared as returning an int.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2006/08/05 07:52:52
     [auth2-none.c sshd.c monitor_wrap.c]
     Add headers required to build with KERBEROS5=no. ok djm@
   - dtucker@cvs.openbsd.org 2006/08/05 08:00:33
     [auth-skey.c]
     Add headers required to build with -DSKEY. ok djm@
   - dtucker@cvs.openbsd.org 2006/08/05 08:28:24
     [monitor_wrap.c auth-skey.c auth2-chall.c]
     Zap unused variables in -DSKEY code. ok djm@
   - dtucker@cvs.openbsd.org 2006/08/05 08:34:04
     [packet.c]
     Typo in comment
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
   on Cygwin.
 - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
 - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
 - (dtucker) [audit.c audit.h] Repair headers.
 - (dtucker) [audit-bsm.c] Add additional headers now required.

20060804
 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
   versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
   rather than just compiling it. Spotted by dlg@.

20060802
 - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.

20060725
 - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW.

20060724
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/07/12 13:39:55
     [sshd_config.5]
     - new sentence, new line
     - s/The the/The/
     - kill a bad comma
   - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
     [auth-options.c canohost.c channels.c includes.h readconf.c]
     [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
     move #include <netdb.h> out of includes.h; ok djm@
   - stevesk@cvs.openbsd.org 2006/07/12 22:42:32
     [includes.h ssh.c ssh-rand-helper.c]
     move #include <stddef.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/14 01:15:28
     [monitor_wrap.h]
     don't need incompletely-typed 'struct passwd' now with
     #include <pwd.h>; ok markus@
   - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
     [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
     [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
     [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
     [sshconnect.c sshlogin.c sshpty.c uidswap.c]
     move #include <unistd.h> out of includes.h
   - dtucker@cvs.openbsd.org 2006/07/17 12:02:24
     [auth-options.c]
     Use '\0' rather than 0 to terminate strings; ok djm@
   - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
     [channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option. Allows server admin to allow TCP port
     forwarding only two specific host/port pairs. Useful when combined
     with Match.
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so to be those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.
   - jmc@cvs.openbsd.org 2006/07/18 07:50:40
     [sshd_config.5]
     tweak; ok dtucker
   - jmc@cvs.openbsd.org 2006/07/18 07:56:28
     [scp.1]
     replace DIAGNOSTICS with .Ex;
   - jmc@cvs.openbsd.org 2006/07/18 08:03:09
     [ssh-agent.1 sshd_config.5]
     mark up angle brackets;
   - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
     [sshd_config.5]
     Clarify description of Match, with minor correction from jmc@
   - stevesk@cvs.openbsd.org 2006/07/18 22:27:55
     [dh.c]
     remove unneeded includes; ok djm@
   - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
     [servconf.c sshd_config.5]
     Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
     Match. ok djm@
   - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
     [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
     Add ForceCommand keyword to sshd_config, equivalent to the "command="
     key option, man page entry and example in sshd_config.
     Feedback & ok djm@, man page corrections & ok jmc@
   - stevesk@cvs.openbsd.org 2006/07/20 15:26:15
     [auth1.c serverloop.c session.c sshconnect2.c]
     missed some needed #include <unistd.h> when KERBEROS5=no; issue from
     massimo@cedoc.mo.it
   - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
     [channels.c channels.h servconf.c servconf.h sshd_config.5]
     Make PermitOpen take a list of permitted ports and act more like most
     other keywords (ie the first match is the effective setting). This
     also makes it easier to override a previously set PermitOpen. ok djm@
   - stevesk@cvs.openbsd.org 2006/07/21 21:13:30
     [channels.c]
     more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
   - stevesk@cvs.openbsd.org 2006/07/21 21:26:55
     [progressmeter.c]
     ARGSUSED for signal handler
   - stevesk@cvs.openbsd.org 2006/07/22 19:08:54
     [includes.h moduli.c progressmeter.c scp.c sftp-common.c]
     [sftp-server.c ssh-agent.c sshlogin.c]
     move #include <time.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
     [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
     move #include <string.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/23 01:11:05
     [auth.h dispatch.c kex.h sftp-client.c]
     #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
     move
 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
   [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
   make the portable tree compile again - sprinkle unistd.h and string.h
   back in. Don't redefine __unused, as it turned out to be used in
   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
 - (djm) [openbsd-compat/glob.c]
   Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
   on OpenBSD (or other platforms with a decent glob implementation) with
   -Werror
 - (djm) [uuencode.c]
   Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on
   some platforms
 - (djm) [session.c]
   fix compile error with -Werror -Wall: 'path' is only used in
   do_setup_env() if HAVE_LOGIN_CAP is not defined
 - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
   [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
   [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
   [openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
   [openbsd-compat/rresvport.c]
   These look to need string.h and/or unistd.h (based on a grep for function
   names)
 - (djm) [Makefile.in]
   Remove generated openbsd-compat/regress/Makefile in distclean target
 - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
   [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
   Sync regress tests to -current; include dtucker@'s new cfgmatch and
   forcecommand tests. Add cipher-speed.sh test (not linked in yet)
 - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
   system headers before defines.h will cause conflicting definitions.
 - (dtucker) [regress/forcecommand.sh] Portablize.

20060713
 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h

20060712
 - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
   O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old
   Linuxes and probably more.
 - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
   for SHUT_RD.
 - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
   <netinet/ip.h>.
 - (dtucker) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2006/07/10 16:01:57
     [sftp-glob.c sftp-common.h sftp.c]
     buffer.h only needed in sftp-common.h and remove some unneeded
     user includes; ok djm@
   - jmc@cvs.openbsd.org 2006/07/10 16:04:21
     [sshd.8]
     s/and and/and/
   - stevesk@cvs.openbsd.org 2006/07/10 16:37:36
     [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
     auth.c packet.c log.c]
     move #include <stdarg.h> out of includes.h; ok markus@
   - dtucker@cvs.openbsd.org 2006/07/11 10:12:07
     [ssh.c]
     Only copy the part of environment variable that we actually use. Prevents
     ssh bailing when SendEnv is used and an environment variable with a really
     long value exists. ok djm@
   - markus@cvs.openbsd.org 2006/07/11 18:50:48
     [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
     channels.h readconf.c]
     add ExitOnForwardFailure: terminate the connection if ssh(1)
     cannot set up all requested dynamic, local, and remote port
     forwardings. ok djm, dtucker, stevesk, jmc
   - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
     [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
     sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
     includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
     sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
     ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
     move #include <errno.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/07/11 20:16:43
     [ssh.c]
     cast asterisk field precision argument to int to remove warning;
     ok markus@
   - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
     [authfile.c ssh.c]
     need <errno.h> here also (it's also included in <openssl/err.h>)
   - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
     [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
     Add support for conditional directives to sshd_config via a "Match"
     keyword, which works similarly to the "Host" directive in ssh_config.
     Lines after a Match line override the default set in the main section
     if the condition on the Match line is true, eg
     AllowTcpForwarding yes
     Match User anoncvs
             AllowTcpForwarding no
     will allow port forwarding by all users except "anoncvs".
     Currently only a very small subset of directives are supported.
     ok djm@
 - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
   openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
   openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
636 - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h. 637 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too. 638 - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h. 639 - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c 640 openbsd-compat/rresvport.c] More errno.h. 641 64220060711 643 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c 644 openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally 645 include paths.h. Fixes build error on Solaris. 646 - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably 647 others). 648 64920060710 650 - (dtucker) [INSTALL] New autoconf version: 2.60. 651 - OpenBSD CVS Sync 652 - djm@cvs.openbsd.org 2006/06/14 10:50:42 653 [sshconnect.c] 654 limit the number of pre-banner characters we will accept; ok markus@ 655 - djm@cvs.openbsd.org 2006/06/26 10:36:15 656 [clientloop.c] 657 mention optional bind_address in runtime port forwarding setup 658 command-line help. 
     patch from santhi.amirta AT gmail.com
   - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
     [ssh.1 ssh.c ssh_config.5 sshd_config.5]
     more details and clarity for tun(4) device forwarding; ok and help
     jmc@
   - stevesk@cvs.openbsd.org 2006/07/02 18:36:47
     [gss-serv-krb5.c gss-serv.c]
     no "servconf.h" needed here
     (gss-serv-krb5.c change not applied, portable needs the server options)
   - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
     [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
     move #include <grp.h> out of includes.h
     (portable needed uidswap.c too)
   - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
     [clientloop.c ssh.1]
     use -KR[bind_address:]port here; ok djm@
   - stevesk@cvs.openbsd.org 2006/07/03 08:54:20
     [includes.h ssh.c sshconnect.c sshd.c]
     move #include "version.h" out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/07/03 17:59:32
     [channels.c includes.h]
     move #include <arpa/inet.h> out of includes.h; old ok djm@
     (portable needed session.c too)
   - stevesk@cvs.openbsd.org 2006/07/05 02:42:09
     [canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
     [serverloop.c sshconnect.c uuencode.c]
     move #include <netinet/in.h> out of includes.h; ok deraadt@
     (also ssh-rand-helper.c logintest.c loginrec.c)
   - djm@cvs.openbsd.org 2006/07/06 10:47:05
     [servconf.c servconf.h session.c sshd_config.5]
     support arguments to Subsystem commands; ok markus@
   - djm@cvs.openbsd.org 2006/07/06 10:47:57
     [sftp-server.8 sftp-server.c]
     add commandline options to enable logging of transactions; ok markus@
   - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
     [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
     [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
     [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
     [session.h sftp-common.c ssh-add.c
     ssh-keygen.c ssh-keysign.c]
     [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
     [uidswap.h]
     move #include <pwd.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
     [ssh-keygen.c]
     move #include "dns.h" up
   - stevesk@cvs.openbsd.org 2006/07/06 17:36:37
     [monitor_wrap.h]
     typo in comment
   - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
     [authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
     [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
     [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
     move #include <sys/socket.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/08 21:48:53
     [monitor.c session.c]
     missed these from last commit:
     move #include <sys/socket.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/08 23:30:06
     [log.c]
     move user includes after /usr/include files
   - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
     [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
     [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     [sshlogin.c sshpty.c]
     move #include <fcntl.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/09 15:27:59
     [ssh-add.c]
     use O_RDONLY vs.
     0 in open(); no binary change
   - djm@cvs.openbsd.org 2006/07/10 11:24:54
     [sftp-server.c]
     remove optind - it isn't used here
   - djm@cvs.openbsd.org 2006/07/10 11:25:53
     [sftp-server.c]
     don't log variables that aren't yet set
 - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
   [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
   [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2006/07/10 12:03:20
     [scp.c]
     duplicate argv at the start of main() because it gets modified later;
     pointed out by deraadt@ ok markus@
   - djm@cvs.openbsd.org 2006/07/10 12:08:08
     [channels.c]
     fix misparsing of SOCKS 5 packets that could result in a crash;
     reported by mk@ ok markus@
   - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
     [misc.c misc.h sshd.8 sshconnect.c]
     Add port identifier to known_hosts for non-default ports, based originally
     on a patch from Devin Nate in bz#910.
     For any connection using the default port or using a HostKeyAlias the
     format is unchanged, otherwise the host name or address is enclosed
     within square brackets in the same format as sshd's ListenAddress.
     Tested by many, ok markus@.
 - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
   for struct sockaddr on platforms that use the fake-rfc stuff.

20060706
 - (dtucker) [configure.ac] Try AIX blibpath test in different order when
   compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
   configure would not select the correct libpath linker flags.
 - (dtucker) [INSTALL] A bit more info on autoconf.

20060705
 - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
   target already exists.

20060630
 - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
   declaration too.
   Patch from russ at sludge.net.
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
   prevents warnings on platforms where _res is in the system headers.
 - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
   version.

20060627
 - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
   with autoconf 2.60. Patch from vapier at gentoo.org.

20060625
 - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
   only, otherwise sshd can hang exiting non-interactive sessions.

20060624
 - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
   Works around limitation in Solaris' passwd program for changing passwords
   where the username is longer than 8 characters. ok djm@
 - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
   #1102 workaround.

20060623
 - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
   tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
   from reyk@, tested by anil@
 - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
   4.3.3 ML3 or so, the AIX pty layer started passing zero-length writes
   on the pty slave as zero-length reads on the pty master, which sshd
   interprets as the descriptor closing. Since most things don't do zero
   length writes this rarely matters, but occasionally it happens, and when
   it does the SSH pty session appears to hang, so we add a special case for
   this condition.
   ok djm@

20060613
 - (djm) [getput.h] This file has been replaced by functions in misc.c
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2006/05/08 10:49:48
     [sshconnect2.c]
     uint32_t -> u_int32_t (which we use everywhere else)
     (Id sync only - portable already had this)
   - markus@cvs.openbsd.org 2006/05/16 09:00:00
     [clientloop.c]
     missing free; from Kylene Hall
   - markus@cvs.openbsd.org 2006/05/17 12:43:34
     [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
     fix leak; coverity via Kylene Jo Hall
   - miod@cvs.openbsd.org 2006/05/18 21:27:25
     [kexdhc.c kexgexc.c]
     paramter -> parameter
   - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
     [ssh_config.5]
     Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
   - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
     [ssh_config]
     Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
     sample ssh_config. ok markus@
   - jmc@cvs.openbsd.org 2006/05/29 16:10:03
     [ssh_config.5]
     oops - previous was too long; split the list of auths up
   - mk@cvs.openbsd.org 2006/05/30 11:46:38
     [ssh-add.c]
     Sync usage() with man page and reality.
     ok deraadt dtucker
   - jmc@cvs.openbsd.org 2006/05/29 16:13:23
     [ssh.1]
     add GSSAPI to the list of authentication methods supported;
   - mk@cvs.openbsd.org 2006/05/30 11:46:38
     [ssh-add.c]
     Sync usage() with man page and reality.
     ok deraadt dtucker
   - markus@cvs.openbsd.org 2006/06/01 09:21:48
     [sshd.c]
     call get_remote_ipaddr() early; fixes logging after client disconnects;
     report mpf@; ok dtucker@
   - markus@cvs.openbsd.org 2006/06/06 10:20:20
     [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
     replace remaining setuid() calls with permanently_set_uid() and
     check seteuid() return values; report Marcus Meissner; ok dtucker djm
   - markus@cvs.openbsd.org 2006/06/08 14:45:49
     [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
     do not set the gid, noted by solar; ok djm
   - djm@cvs.openbsd.org 2006/06/13 01:18:36
     [ssh-agent.c]
     always use a format string, even when printing a constant
   - djm@cvs.openbsd.org 2006/06/13 02:17:07
     [ssh-agent.c]
     revert; i am on drugs. spotted by alexander AT beard.se

20060521
 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
   and slave, we can remove the special-case handling in the audit hook in
   auth_log.

20060517
 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
   pointer leak. From kjhall at us.ibm.com, found by coverity.

20060515
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
   _res, prevents problems on some platforms that have _res as a global but
   don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
   georg.schwarz at freenet.de, ok djm@.
 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
   default. Patch originally from tim@, ok djm
 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
   do not allow kbdint again after the PAM account check fails.
   ok djm@

20060506
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
     [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
     Prevent ssh from trying to open private keys with bad permissions more than
     once or prompting for their passphrases (which it subsequently ignores
     anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
   - djm@cvs.openbsd.org 2006/05/04 14:55:23
     [dh.c]
     tighter DH exponent checks here too; feedback and ok markus@
   - djm@cvs.openbsd.org 2006/04/01 05:37:46
     [OVERVIEW]
     $OpenBSD$ in here too
   - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
     [auth-krb5.c]
     Add $OpenBSD$ in comment here too

20060504
 - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
   session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
   in Portable-only code; since calloc zeros, remove now-redundant memsets.
   Also add a couple of sanity checks. With & ok djm@

20060503
 - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
   and double including it on IRIX 5.3 causes problems. From Georg Schwarz,
   "no objections" tim@

20060423
 - (djm) OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
     [scp.c]
     minimal lint cleanup (unused crud, and some size_t); ok djm
   - djm@cvs.openbsd.org 2006/04/01 05:50:29
     [scp.c]
     xasprintification; ok deraadt@
   - djm@cvs.openbsd.org 2006/04/01 05:51:34
     [atomicio.c]
     ANSIfy; requested deraadt@
   - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
     [ssh-keysign.c]
     sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
   - djm@cvs.openbsd.org 2006/04/03 07:10:38
     [gss-genr.c]
     GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
     by dleonard AT vintela.com.
     use xasprintf() to simplify code while in
     there; "looks right" deraadt@
   - djm@cvs.openbsd.org 2006/04/16 00:48:52
     [buffer.c buffer.h channels.c]
     Fix condition where we could exit with a fatal error when an input
     buffer became too large and the remote end had advertised a big window.
     The problem was a mismatch in the backoff math between the channels code
     and the buffer code, so make a buffer_check_alloc() function that the
     channels code can use to prospectively check whether an incremental
     allocation will succeed. bz #1131, debugged with the assistance of
     cove AT wildpackets.com; ok dtucker@ deraadt@
   - djm@cvs.openbsd.org 2006/04/16 00:52:55
     [atomicio.c atomicio.h]
     introduce atomiciov() function that wraps readv/writev to retry
     interrupted transfers like atomicio() does for read/write;
     feedback deraadt@ dtucker@ stevesk@ ok deraadt@
   - djm@cvs.openbsd.org 2006/04/16 00:54:10
     [sftp-client.c]
     avoid making a tiny 4-byte write to send the packet length of sftp
     commands, which would result in a separate tiny packet on the wire by
     using atomiciov(writev, ...) to write the length and the command in one
     pass; ok deraadt@
   - djm@cvs.openbsd.org 2006/04/16 07:59:00
     [atomicio.c]
     reorder sanity test so that it cannot dereference past the end of the
     iov array; well spotted canacar@!
   - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
     [bufaux.c bufbn.c Makefile.in]
     Move Buffer bignum functions into their own file, bufbn.c. This means
     that sftp and sftp-server (which use the Buffer functions in bufaux.c
     but not the bignum ones) no longer need to be linked with libcrypto.
     ok markus@
   - djm@cvs.openbsd.org 2006/04/20 09:27:09
     [auth.h clientloop.c dispatch.c dispatch.h kex.h]
     replace the last non-sig_atomic_t flag used in a signal handler with a
     sig_atomic_t, unfortunately with some knock-on effects in other (non-
     signal) contexts in which it is used; ok markus@
   - markus@cvs.openbsd.org 2006/04/20 09:47:59
     [sshconnect.c]
     simplify; ok djm@
   - djm@cvs.openbsd.org 2006/04/20 21:53:44
     [includes.h session.c sftp.c]
     Switch from using pipes to socketpairs for communication between
     sftp/scp and ssh, and between sshd and its subprocesses. This saves
     a file descriptor per session and apparently makes userland ppp over
     ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
     decision on a per-platform basis)
   - djm@cvs.openbsd.org 2006/04/22 04:06:51
     [uidswap.c]
     use setres[ug]id() to permanently revoke privileges; ok deraadt@
     (ID Sync only - portable already uses setres[ug]id() whenever possible)
   - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
     [crc32.c]
     remove extra spaces
 - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
   sig_atomic_t

20060421
 - (djm) [Makefile.in configure.ac session.c sshpty.c]
   [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
   [openbsd-compat/port-linux.h] Add support for SELinux, setting
   the execution and TTY contexts.
   based on patch from Daniel Walsh,
   bz #880; ok dtucker@

20060418
 - (djm) [canohost.c] Reorder IP options check so that it isn't broken
   by mapped addresses; bz #1179 reported by markw wtech-llc.com;
   ok dtucker@

20060331
 - OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
     [xmalloc.c]
     we can do the size & nmemb check before the integer overflow check;
     evol
   - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
     [dh.c]
     use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
   - djm@cvs.openbsd.org 2006/03/27 23:15:46
     [sftp.c]
     always use a format string for addargs; spotted by mouring@
   - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
     [README.tun ssh.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
     [channels.c]
     do not accept unreasonable X ports numbers; ok djm
   - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
     [ssh-agent.c]
     use strtonum() to parse the pid from the file, and range check it
     better; ok djm
   - djm@cvs.openbsd.org 2006/03/30 09:41:25
     [channels.c]
     ARGSUSED for dispatch table-driven functions
   - djm@cvs.openbsd.org 2006/03/30 09:58:16
     [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
     [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
     replace {GET,PUT}_XXBIT macros with functionally similar functions,
     silencing a heap of lint warnings.
     also allows them to use
     __bounded__ checking which can't be applied to macros; requested
     by and feedback from deraadt@
   - djm@cvs.openbsd.org 2006/03/30 10:41:25
     [ssh.c ssh_config.5]
     add percent escape chars to the IdentityFile option, bz #1159 based
     on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
   - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
     [ssh-keygen.c]
     Correctly handle truncated files while converting keys; ok djm@
   - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
     [auth.c monitor.c]
     Prevent duplicate log messages when privsep=yes; ok djm@
   - jmc@cvs.openbsd.org 2006/03/31 09:09:30
     [ssh_config.5]
     kill trailing whitespace;
   - djm@cvs.openbsd.org 2006/03/31 09:13:56
     [ssh_config.5]
     remote user escape is %r not %h; spotted by jmc@

20060326
 - OpenBSD CVS Sync
   - jakob@cvs.openbsd.org 2006/03/15 08:46:44
     [ssh-keygen.c]
     if no key files are given when printing the DNS host record, use the
     host key file(s) as default.
     ok djm@
   - biorn@cvs.openbsd.org 2006/03/16 10:31:45
     [scp.c]
     Try to display error message even if remout == -1
     ok djm@, markus@
   - djm@cvs.openbsd.org 2006/03/17 22:31:50
     [authfd.c]
     another unreachable found by lint
   - djm@cvs.openbsd.org 2006/03/17 22:31:11
     [authfd.c]
     unreachable statement, found by lint
   - djm@cvs.openbsd.org 2006/03/19 02:22:32
     [serverloop.c]
     memory leaks detected by Coverity via elad AT netbsd.org;
     ok deraadt@ dtucker@
   - djm@cvs.openbsd.org 2006/03/19 02:22:56
     [sftp.c]
     more memory leaks detected by Coverity via elad AT netbsd.org;
     deraadt@ ok
   - djm@cvs.openbsd.org 2006/03/19 02:23:26
     [hostfile.c]
     FILE* leak detected by Coverity via elad AT netbsd.org;
     ok deraadt@
   - djm@cvs.openbsd.org 2006/03/19 02:24:05
     [dh.c readconf.c servconf.c]
     potential NULL pointer dereferences detected by Coverity
     via elad AT netbsd.org; ok deraadt@
   - djm@cvs.openbsd.org 2006/03/19 07:41:30
     [sshconnect2.c]
     memory leaks detected by Coverity via elad AT netbsd.org;
     deraadt@ ok
   - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
     [servconf.c]
     Correct strdelim null test; ok djm@
   - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
     [auth1.c authfd.c channels.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
     [kex.c kex.h monitor.c myproposal.h session.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
     [clientloop.c progressmeter.c serverloop.c sshd.c]
     ARGSUSED for signal handlers
   - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
     [ssh-keyscan.c]
     please lint
   - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
     [ssh.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
     [authfile.c]
     whoever thought that break after return was a good idea needs to
     get their head examined
   - djm@cvs.openbsd.org 2006/03/20 04:09:44
     [monitor.c]
     memory leaks detected by Coverity via elad AT netbsd.org;
     deraadt@ ok
     that should be all of them now
   - djm@cvs.openbsd.org 2006/03/20 11:38:46
     [key.c]
     (really) last of the Coverity diffs: avoid possible NULL deref in
     key_free. via elad AT netbsd.org; markus@ ok
   - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
     [auth.c key.c misc.c packet.c ssh-add.c]
     in a switch (), break after return or goto is stupid
   - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
     [key.c]
     djm did a typo
   - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
     [ssh-rsa.c]
     in a switch (), break after return or goto is stupid
   - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
     [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
     [ssh.c sshpty.c sshpty.h]
     sprinkle u_int throughout pty subsystem, ok markus
   - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
     [auth1.c auth2.c sshd.c]
     sprinkle some ARGSUSED for table driven functions (which sometimes
     must ignore their args)
   - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
     [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
     [ssh-rsa.c ssh.c sshlogin.c]
     annoying spacing fixes getting in the way of real diffs
   - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
     [monitor.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
     [channels.c]
     x11_fake_data is only ever used as u_char *
   - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
     [dns.c]
     cast xstrdup to proper u_char *
   - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
     [canohost.c match.c ssh.c sshconnect.c]
     be strict with tolower() casting
   - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
     [channels.c fatal.c kex.c packet.c serverloop.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
     [ttymodes.c]
     spacing
   - djm@cvs.openbsd.org 2006/03/25 00:05:41
     [auth-bsdauth.c auth-skey.c auth.c
     auth2-chall.c channels.c]
     [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
     [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
     [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
     [xmalloc.c xmalloc.h]
     introduce xcalloc() and xasprintf() failure-checked allocations
     functions and use them throughout openssh

     xcalloc is particularly important because malloc(nmemb * size) is a
     dangerous idiom (subject to integer overflow) and it is time for it
     to die

     feedback and ok deraadt@
   - djm@cvs.openbsd.org 2006/03/25 01:13:23
     [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
     [uidswap.c]
     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
     to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
   - djm@cvs.openbsd.org 2006/03/25 01:30:23
     [sftp.c]
     "abormally" is a perfectly cromulent word, but "abnormally" is better
   - djm@cvs.openbsd.org 2006/03/25 13:17:03
     [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c]
     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
     Theo nuked - our scripts to sync -portable need them in the files
   - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
     [auth-rsa.c authfd.c packet.c]
     needed casts (always will be needed)
   - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
     [clientloop.c serverloop.c]
     spacing
   - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
     [sshlogin.c sshlogin.h]
     nicer size_t and time_t types
   - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
     [ssh-keygen.c]
     cast strtonum() result to right type
   - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
     [ssh-agent.c]
     mark two more signal handlers ARGSUSED
   - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
     [channels.c]
     use strtonum() instead of atoi() [limit X screens to 400, sorry]
   - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
     [bufaux.c channels.c packet.c]
     remove (char *) casts to a function that accepts void * for the arg
   - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
     [channels.c]
     delete cast not required
   - djm@cvs.openbsd.org 2006/03/25 22:22:43
     [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
     [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
     [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
     [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
     [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
     [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
     [myproposal.h packet.h
     pathnames.h progressmeter.h readconf.h rsa.h]
     [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
     [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
     [ttymodes.h uidswap.h uuencode.h xmalloc.h]
     standardise spacing in $OpenBSD$ tags; requested by deraadt@
   - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
     [uuencode.c]
     typo

20060325
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2006/03/16 04:24:42
     [ssh.1]
     Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
     that OpenSSH supports
   - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
     [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
     [openbsd-compat/bsd-closefrom.c
     openbsd-compat/bsd-cygwin_util.c]
     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
     RCSID() can die
   - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
     [kex.h myproposal.h]
     spacing
   - djm@cvs.openbsd.org 2006/03/20 04:07:22
     [auth2-gss.c]
     GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
     reviewed by simon AT sxw.org.uk; deraadt@ ok
   - djm@cvs.openbsd.org 2006/03/20 04:07:49
     [gss-genr.c]
     more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
     reviewed by simon AT sxw.org.uk; deraadt@ ok
   - djm@cvs.openbsd.org 2006/03/20 04:08:18
     [gss-serv.c]
     last lot of GSSAPI related leaks detected by Coverity via
     elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
   - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
     [monitor_wrap.h sshpty.h]
     sprinkle u_int throughout pty subsystem, ok markus
   - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
     [session.h]
     annoying spacing fixes getting in the way of real diffs
   - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
     [dns.c]
     cast xstrdup to proper u_char *
   - jakob@cvs.openbsd.org 2006/03/22 21:16:24
     [ssh.1]
     simplify SSHFP example; ok jmc@
   - djm@cvs.openbsd.org 2006/03/22 21:27:15
     [deattack.c deattack.h]
     remove IV support from the CRC attack detector, OpenSSH has never used
     it - it only applied to IDEA-CFB, which we don't support.
     prompted by NetBSD Coverity report via elad AT netbsd.org;
     feedback markus@ "nuke it" deraadt@

20060318
 - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
   elad AT NetBSD.org
 - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
   a LLONG rather than a long.
   Fixes scp'ing of large files on platforms
   with missing/broken snprintfs. Patch from e.borovac at bom.gov.au.

20060316
 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
 - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
   /usr/include/crypto. Hint from djm@.
 - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
   Disable sha256 when openssl < 0.9.7. Patch from djm@.
 - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
   OpenSSL; ok tim

20060315
 - (djm) OpenBSD CVS Sync:
   - msf@cvs.openbsd.org 2006/02/06 15:54:07
     [ssh.1]
     - typo fix
     ok jmc@
   - jmc@cvs.openbsd.org 2006/02/06 21:44:47
     [ssh.1]
     make this a little less ambiguous...
   - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
     [auth-rhosts.c includes.h]
     move #include <netgroup.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
     [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
     move #include <sys/queue.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
     [channels.c clientloop.c clientloop.h includes.h packet.h]
     [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
     move #include <termios.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
     [sshtty.c]
     "log.h" not needed
   - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
     [hostfile.c]
     "packet.h" not needed
   - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
     [deattack.c]
     duplicate #include
   - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
     [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
     [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
     [sshd.c sshpty.c]
     move #include <paths.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
     [includes.h misc.c]
     move #include <netinet/tcp.h> out of
     includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
     [gss-serv.c monitor.c]
     small KNF
   - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
     [sshconnect.c]
     <openssl/bn.h> not needed
   - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
     [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
     move #include <sys/resource.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
     [includes.h packet.c]
     move #include <netinet/in_systm.h> and <netinet/ip.h> out of
     includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
     [includes.h scp.c sftp-glob.c sftp-server.c]
     move #include <dirent.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
     [includes.h]
     #include <sys/endian.h> not needed; ok djm@
     NB. ID Sync only - we still need this (but it may move later)
   - jmc@cvs.openbsd.org 2006/02/09 10:10:47
     [sshd.8]
     - move some text into a CAVEATS section
     - merge the COMMAND EXECUTION... section into AUTHENTICATION
   - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
     [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
     [ssh.c sshd.c sshpty.c]
     move #include <sys/ioctl.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
     [includes.h monitor.c readpass.c scp.c serverloop.c session.c]
     [sftp.c sshconnect.c sshconnect2.c sshd.c]
     move #include <sys/wait.h> out of includes.h; ok markus@
   - otto@cvs.openbsd.org 2006/02/11 19:31:18
     [atomicio.c]
     type correctness; from Ray Lai in PR 5011; ok millert@
   - djm@cvs.openbsd.org 2006/02/12 06:45:34
     [ssh.c ssh_config.5]
     add a %l expansion code to the ControlPath, which is filled in with the
     local hostname at runtime.
     Requested by henning@ to avoid some problems
     with /home on NFS; ok dtucker@
   - djm@cvs.openbsd.org 2006/02/12 10:44:18
     [readconf.c]
     raise error when the user specifies a RekeyLimit that is smaller than 16
     (the smallest of our cipher's blocksize) or big enough to cause integer
     wraparound; ok & feedback dtucker@
   - jmc@cvs.openbsd.org 2006/02/12 10:49:44
     [ssh_config.5]
     slight rewording; ok djm
   - jmc@cvs.openbsd.org 2006/02/12 10:52:41
     [sshd.8]
     rework the description of authorized_keys a little;
   - jmc@cvs.openbsd.org 2006/02/12 17:57:19
     [sshd.8]
     sort the list of options permissible w/ authorized_keys;
     ok djm dtucker
   - jmc@cvs.openbsd.org 2006/02/13 10:16:39
     [sshd.8]
     no need to subsection the authorized_keys examples - instead, convert
     this to look like an actual file. also use proto 2 keys, and use IETF
     example addresses;
   - jmc@cvs.openbsd.org 2006/02/13 10:21:25
     [sshd.8]
     small tweaks for the ssh_known_hosts section;
   - jmc@cvs.openbsd.org 2006/02/13 11:02:26
     [sshd.8]
     turn this into an example ssh_known_hosts file; ok djm
   - jmc@cvs.openbsd.org 2006/02/13 11:08:43
     [sshd.8]
     - avoid nasty line split
     - `*' does not need to be escaped
   - jmc@cvs.openbsd.org 2006/02/13 11:27:25
     [sshd.8]
     sort FILES and use a -compact list;
   - david@cvs.openbsd.org 2006/02/15 05:08:24
     [sftp-client.c]
     typo in comment; ok djm@
   - jmc@cvs.openbsd.org 2006/02/15 16:53:20
     [ssh.1]
     remove the IETF draft references and replace them with some updated RFCs;
   - jmc@cvs.openbsd.org 2006/02/15 16:55:33
     [sshd.8]
     remove ietf draft references; RFC list now maintained in ssh.1;
   - jmc@cvs.openbsd.org 2006/02/16 09:05:34
     [sshd.8]
     sync some of the FILES entries w/ ssh.1;
   - jmc@cvs.openbsd.org 2006/02/19 19:52:10
     [sshd.8]
     move the sshrc stuff out of FILES, and into its own
     section:
     FILES is not a good place to document how stuff works;
   - jmc@cvs.openbsd.org 2006/02/19 20:02:17
     [sshd.8]
     sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
   - jmc@cvs.openbsd.org 2006/02/19 20:05:00
     [sshd.8]
     grammar;
   - jmc@cvs.openbsd.org 2006/02/19 20:12:25
     [ssh_config.5]
     add some vertical space;
   - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
     [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
     move #include <sys/un.h> out of includes.h; ok djm@
   - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
     [clientloop.c includes.h monitor.c progressmeter.c scp.c]
     [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
     move #include <signal.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
     [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
     [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
     [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
     [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
     [sshconnect2.c sshd.c sshpty.c]
     move #include <sys/stat.h> out of includes.h; ok markus@
   - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
     [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
     [sshconnect.c]
     move #include <ctype.h> out of includes.h; ok djm@
   - jmc@cvs.openbsd.org 2006/02/24 10:25:14
     [ssh_config.5]
     add section on patterns;
     from dtucker + myself
   - jmc@cvs.openbsd.org 2006/02/24 10:33:54
     [sshd_config.5]
     signpost to PATTERNS;
   - jmc@cvs.openbsd.org 2006/02/24 10:37:07
     [ssh_config.5]
     tidy up the refs to PATTERNS;
   - jmc@cvs.openbsd.org 2006/02/24 10:39:52
     [sshd.8]
     signpost to PATTERNS section;
   - jmc@cvs.openbsd.org 2006/02/24 20:22:16
     [ssh-keysign.8 ssh_config.5 sshd_config.5]
     some consistency fixes;
   - jmc@cvs.openbsd.org 2006/02/24 20:31:31
     [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     more consistency fixes;
   - jmc@cvs.openbsd.org 2006/02/24 23:20:07
     [ssh_config.5]
     some grammar/wording fixes;
   - jmc@cvs.openbsd.org 2006/02/24 23:43:57
     [sshd_config.5]
     some grammar/wording fixes;
   - jmc@cvs.openbsd.org 2006/02/24 23:51:17
     [sshd_config.5]
     oops - bits i missed;
   - jmc@cvs.openbsd.org 2006/02/25 12:26:17
     [ssh_config.5]
     document the possible values for KbdInteractiveDevices;
     help/ok dtucker
   - jmc@cvs.openbsd.org 2006/02/25 12:28:34
     [sshd_config.5]
     document the order in which allow/deny directives are processed;
     help/ok dtucker
   - jmc@cvs.openbsd.org 2006/02/26 17:17:18
     [ssh_config.5]
     move PATTERNS to the end of the main body; requested by dtucker
   - jmc@cvs.openbsd.org 2006/02/26 18:01:13
     [sshd_config.5]
     subsection is pointless here;
   - jmc@cvs.openbsd.org 2006/02/26 18:03:10
     [ssh_config.5]
     comma;
   - djm@cvs.openbsd.org 2006/02/28 01:10:21
     [session.c]
     fix logout recording when privilege separation is disabled, analysis and
     patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
     NB. ID sync only - patch already in portable
   - djm@cvs.openbsd.org 2006/03/04 04:12:58
     [serverloop.c]
     move a debug() outside of a signal handler; ok markus@ a little while back
   - djm@cvs.openbsd.org 2006/03/12 04:23:07
     [ssh.c]
     knf nit
   - djm@cvs.openbsd.org 2006/03/13 08:16:00
     [sshd.c]
     don't log that we are listening on a socket before the listen() call
     actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
   - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
     [packet.c]
     Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
     poor performance and protocol stalls under some network conditions (mindrot
     bugs #556 and #981).
     Patch originally from markus@, ok djm@
   - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
     [ssh-keygen.c]
     Make ssh-keygen handle CR and CRLF line termination when converting IETF
     format keys, in addition to vanilla LF. mindrot #1157, tested by Chris
     Pepper, ok djm@
   - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
     [misc.c ssh_config.5 sshd_config.5]
     Allow config directives to contain whitespace by surrounding them by double
     quotes. mindrot #482, man page help from jmc@, ok djm@
   - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
     [authfile.c authfile.h ssh-add.c]
     Make ssh-add check file permissions before attempting to load private
     key files multiple times; it will fail anyway and this prevents confusing
     multiple prompts and warnings. mindrot #1138, ok djm@
   - djm@cvs.openbsd.org 2006/03/14 00:15:39
     [canohost.c]
     log the originating address and not just the name when a reverse
     mapping check fails, requested by linux AT linuon.com
   - markus@cvs.openbsd.org 2006/03/14 16:32:48
     [ssh_config.5 sshd_config.5]
     *AliveCountMax applies to protocol v2 only; ok dtucker, djm
   - djm@cvs.openbsd.org 2006/03/07 09:07:40
     [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     Implement the diffie-hellman-group-exchange-sha256 key exchange method
     using the SHA256 code in libc (and wrapper to make it into an OpenSSL
     EVP), interop tested against CVS PuTTY
     NB.
     no portability bits committed yet
 - (djm) [configure.ac defines.h kex.c md-sha256.c]
   [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
   [openbsd-compat/sha2.c] First stab at portability glue for SHA256
   KEX support, should work with libc SHA256 support or OpenSSL
   EVP_sha256 if present
 - (djm) [includes.h] Restore accidentally dropped netinet/in.h
 - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
 - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
 - (djm) [regress/.cvsignore] Ignore Makefile here
 - (djm) [loginrec.c] Need stat.h
 - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
   system sha2.h
 - (djm) [ssh-rand-helper.c] Needs a bunch of headers
 - (djm) [ssh-agent.c] Restore dropped stat.h
 - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out
   SHA384, which we don't need and doesn't compile without tweaks
 - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
   [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
   [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
   [openbsd-compat/glob.c openbsd-compat/mktemp.c]
   [openbsd-compat/readpassphrase.c] Lots of include fixes for
   OpenSolaris
 - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
 - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
   includes removed from includes.h
 - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
 - (djm) [includes.h] Put back paths.h, it is needed in defines.h
 - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
   sys/ioctl.h for struct winsize.
 - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.

20060313
 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
   since not all platforms support it.
   Instead, use internal equivalent while
   computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
   as it's no longer required. Tested by Bernhard Simon, ok djm@

20060304
 - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
   file rather than directory, required as Cygwin will be importing lastlog(1).
   Also tightens up permissions on the file. Patch from vinschen@redhat.com.
 - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
   includes. Patch from gentoo.riverrat at gmail.com.

20060226
 - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
   patch from kraai at ftbfs.org.

20060223
 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
   reality. Pointed out by tryponraj at gmail.com.

20060222
 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
   compile in compat code if required.

20060221
 - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
   redefinition of SSLeay_add_all_algorithms.

20060220
 - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
   Add optional enabling of OpenSSL's (hardware) Engine support, via
   configure --with-ssl-engine. Based in part on a diff by michal at
   logix.cz.

20060219
 - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
   Add first attempt at regress tests for compat library. ok djm@

20060214
 - (tim) [buildpkg.sh.in] Make the names consistent.
   s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@

20060212
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
   to silence compiler warning, from vinschen at redhat.com.
 - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
 - (dtucker) [README version.h contrib/caldera/openssh.spec
   contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
   strings to match 4.3p2 release.

20060208
 - (tim) [session.c] Logout records were not updated on systems with
   post auth privsep disabled due to bug 1086 changes. Analysis and patch
   by vinschen at redhat.com. OK tim@, dtucker@.
 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
   -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@

20060206
 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
   netinet/in_systm.h. OK dtucker@.

20060205
 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
   for Solaris. OK dtucker@.
 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
   kraai at ftbfs.org.

20060203
 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
   AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
   by a platform specific check, builtin standard includes tests will be
   skipped on the other platforms.
   Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
   OK tim@, djm@.

20060202
 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
   works with picky compilers. Patch from alex.kiernan at thus.net.

20060201
 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
   determine the user's login name - needed for regress tests on Solaris
   10 and OpenSolaris
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/02/01 09:06:50
     [sshd.8]
     - merge sections on protocols 1 and 2 into a single section
     - remove configuration file section
     ok markus
   - jmc@cvs.openbsd.org 2006/02/01 09:11:41
     [sshd.8]
     small tweak;
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Update versions ahead of release
   - markus@cvs.openbsd.org 2006/02/01 11:27:22
     [version.h]
     openssh 4.3
 - (djm) Release OpenSSH 4.3p1

20060131
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/20 11:21:45
     [ssh_config.5]
     - word change, agreed w/ markus
     - consistency fixes
   - jmc@cvs.openbsd.org 2006/01/25 09:04:34
     [sshd.8]
     move the options description up the page, and a few additional tweaks
     whilst in here;
     ok markus
   - jmc@cvs.openbsd.org 2006/01/25 09:07:22
     [sshd.8]
     move subsections to full sections;
   - jmc@cvs.openbsd.org 2006/01/26 08:47:56
     [ssh.1]
     add a section on verifying host keys in dns;
     written with a lot of help from jakob;
     feedback dtucker/markus;
     ok markus
   - reyk@cvs.openbsd.org 2006/01/30 12:22:22
     [channels.c]
     mark channel as write failed or dead instead of read failed on error
     of the channel output filter.
     ok markus@
   - jmc@cvs.openbsd.org 2006/01/30 13:37:49
     [ssh.1]
     remove an incorrect sentence;
     reported by roumen petrov;
     ok djm markus
   - djm@cvs.openbsd.org 2006/01/31 10:19:02
     [misc.c misc.h scp.c sftp.c]
     fix local arbitrary command execution vulnerability on local/local and
     remote/remote copies (CVE-2006-0225, bz #1094), patch by
     t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
   - djm@cvs.openbsd.org 2006/01/31 10:35:43
     [scp.c]
     "scp a b c" shouldn't clobber "c" when it is not a directory, report and
     fix from biorn@; ok markus@
 - (djm) Sync regress tests to OpenBSD:
   - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
     [regress/forwarding.sh]
     Regress test for ClearAllForwardings (bz #994); ok markus@
   - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
     [regress/multiplex.sh]
     Don't call cleanup in multiplex as test-exec will cleanup anyway
     found by tim@, ok djm@
     NB. ID sync only, we already had this
   - djm@cvs.openbsd.org 2005/05/20 23:14:15
     [regress/test-exec.sh]
     force addressfamily=inet for tests, unbreaking dynamic-forward regress for
     recently committed nc SOCKS5 changes
   - djm@cvs.openbsd.org 2005/05/24 04:10:54
     [regress/try-ciphers.sh]
     oops, new arcfour modes here too
   - markus@cvs.openbsd.org 2005/06/30 11:02:37
     [regress/scp.sh]
     allow SUDO=sudo; from Alexander Bluhm
   - grunk@cvs.openbsd.org 2005/11/14 21:25:56
     [regress/agent-getpeereid.sh]
     all other scripts in this dir use $SUDO, not 'sudo', so pull this even
     ok markus@
   - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
     [regress/scp-ssh-wrapper.sh]
     Fix assumption about how many args scp will pass; ok djm@
     NB.
     ID sync only, we already had this
   - djm@cvs.openbsd.org 2006/01/27 06:49:21
     [scp.sh]
     regress test for local to local scp copies; ok dtucker@
   - djm@cvs.openbsd.org 2006/01/31 10:23:23
     [scp.sh]
     regression test for CVE-2006-0225 written by dtucker@
   - djm@cvs.openbsd.org 2006/01/31 10:36:33
     [scp.sh]
     regress test for "scp a b c" where "c" is not a directory

20060129
 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
   opensshd.init script interpreter if /sbin/sh does not exist. ok tim@

20060120
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/15 17:37:05
     [ssh.1]
     correction from deraadt
   - jmc@cvs.openbsd.org 2006/01/18 10:53:29
     [ssh.1]
     add a section on ssh-based vpn, based on reyk's README.tun;
   - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
     [scp.1 ssh.1 ssh_config.5 sftp.1]
     Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
     #1056 with feedback from jmc, djm and markus; ok jmc@ djm@

20060114
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/06 13:27:32
     [ssh.1]
     weed out some duplicate info in the known_hosts FILES entries;
     ok djm
   - jmc@cvs.openbsd.org 2006/01/06 13:29:10
     [ssh.1]
     final round of whacking FILES for duplicate info, and some consistency
     fixes;
     ok djm
   - jmc@cvs.openbsd.org 2006/01/12 14:44:12
     [ssh.1]
     split sections on tcp and x11 forwarding into two sections.
     add an example in the tcp section, based on sth i wrote for ssh faq;
     help + ok: djm markus dtucker
   - jmc@cvs.openbsd.org 2006/01/12 18:48:48
     [ssh.1]
     refer to `TCP' rather than `TCP/IP' in the context of connection
     forwarding;
     ok markus
   - jmc@cvs.openbsd.org 2006/01/12 22:20:00
     [sshd.8]
     refer to TCP forwarding, rather than TCP/IP forwarding;
   - jmc@cvs.openbsd.org 2006/01/12 22:26:02
     [ssh_config.5]
     refer to TCP forwarding, rather than TCP/IP forwarding;
   - jmc@cvs.openbsd.org 2006/01/12 22:34:12
     [ssh.1]
     back out a sentence - AUTHENTICATION already documents this;

20060109
 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
   tcpip service so it's always started after IP is up. Patch from
   vinschen at redhat.com.

20060106
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/03 16:31:10
     [ssh.1]
     move FILES to a -compact list, and make each file an item in that list.
     this avoids nasty line wrap when we have long pathnames, and treats
     each file as a separate item;
     remove the .Pa too, since it is useless.
   - jmc@cvs.openbsd.org 2006/01/03 16:35:30
     [ssh.1]
     use a larger width for the ENVIRONMENT list;
   - jmc@cvs.openbsd.org 2006/01/03 16:52:36
     [ssh.1]
     put FILES in some sort of order: sort by pathname
   - jmc@cvs.openbsd.org 2006/01/03 16:55:18
     [ssh.1]
     tweak the description of ~/.ssh/environment
   - jmc@cvs.openbsd.org 2006/01/04 18:42:46
     [ssh.1]
     chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
     entries;
     ok markus
   - jmc@cvs.openbsd.org 2006/01/04 18:45:01
     [ssh.1]
     remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
   - jmc@cvs.openbsd.org 2006/01/04 19:40:24
     [ssh.1]
     +.Xr ssh-keyscan 1 ,
   - jmc@cvs.openbsd.org 2006/01/04 19:50:09
     [ssh.1]
     -.Xr gzip 1 ,
   - djm@cvs.openbsd.org 2006/01/05 23:43:53
     [misc.c]
     check that stdio file descriptors are actually closed before clobbering
     them in sanitise_stdfd(). problems occurred when a lower numbered fd was
     closed, but higher ones weren't.
     spotted by, and patch tested by
     Frédéric Olivié

20060103
 - (djm) [channels.c] clean up harmless merge error, from reyk@

20060103
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/02 17:09:49
     [ssh_config.5 sshd_config.5]
     some corrections from michael knudsen;

20060102
 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/12/31 10:46:17
     [ssh.1]
     merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
     AUTHENTICATION" sections into "AUTHENTICATION";
     some rewording done to make the text read better, plus some
     improvements from djm;
     ok djm
   - jmc@cvs.openbsd.org 2005/12/31 13:44:04
     [ssh.1]
     clean up ENVIRONMENT a little;
   - jmc@cvs.openbsd.org 2005/12/31 13:45:19
     [ssh.1]
     .Nm does not require an argument;
   - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
     [includes.h misc.c]
     move <net/if.h>; ok djm@
   - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
     [misc.c]
     no trailing "\n" for debug()
   - djm@cvs.openbsd.org 2006/01/02 01:20:31
     [sftp-client.c sftp-common.h sftp-server.c]
     use a common max. packet length, no binary change
   - reyk@cvs.openbsd.org 2006/01/02 07:53:44
     [misc.c]
     clarify tun(4) opening - set the mode and bring the interface up. also
     (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
     suggested and ok by djm@
   - jmc@cvs.openbsd.org 2006/01/02 12:31:06
     [ssh.1]
     start to cut some duplicate info from FILES;
     help/ok djm

20060101
 - (djm) [Makefile.in configure.ac includes.h misc.c]
   [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
   for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
   limited to IPv4 tunnels only, and most versions don't support the
   tap(4) device at all.
 - (djm) [configure.ac] Fix linux/if_tun.h test
 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too

20051229
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
     [canohost.c channels.c clientloop.c]
     use 'break-in' for consistency; ok deraadt@ ok and input jmc@
   - reyk@cvs.openbsd.org 2005/12/30 15:56:37
     [channels.c channels.h clientloop.c]
     add channel output filter interface.
     ok djm@, suggested by markus@
   - jmc@cvs.openbsd.org 2005/12/30 16:59:00
     [sftp.1]
     do not suggest that interactive authentication will work
     with the -b flag;
     based on a diff from john l. scarfone;
     ok djm
   - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
     [ssh.1]
     document -MM; ok djm@
 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
   [serverloop.c ssh.c openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
   compatibility support for Linux, diff from reyk@
 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
   not exist
 - (djm) [configure.ac] oops, make that linux/if_tun.h

20051229
 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd

20051224
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/12/20 21:59:43
     [ssh.1]
     merge the sections on protocols 1 and 2 into one section on
     authentication;
     feedback djm dtucker
     ok deraadt markus dtucker
   - jmc@cvs.openbsd.org 2005/12/20 22:02:50
     [ssh.1]
     .Ss -> .Sh: subsections have not made this page more readable
   - jmc@cvs.openbsd.org 2005/12/20 22:09:41
     [ssh.1]
     move info on ssh return values and config files up into the main
     description;
   - jmc@cvs.openbsd.org 2005/12/21 11:48:16
     [ssh.1]
     -L and -R descriptions are now above, not below, ~C description;
   - jmc@cvs.openbsd.org 2005/12/21 11:57:25
     [ssh.1]
     options now described `above', rather than `later';
   - jmc@cvs.openbsd.org 2005/12/21 12:53:31
     [ssh.1]
     -Y does X11 forwarding too;
     ok markus
   - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
     [sshd.8]
     clarify precedence of -p, Port, ListenAddress; ok and help jmc@
   - jmc@cvs.openbsd.org 2005/12/22 10:31:40
     [ssh_config.5]
     put the description of "UsePrivilegedPort" in the correct place;
   - jmc@cvs.openbsd.org 2005/12/22 11:23:42
     [ssh.1]
     expand the description of -w somewhat;
     help/ok reyk
   - jmc@cvs.openbsd.org 2005/12/23 14:55:53
     [ssh.1]
     - sync the description of -e w/ synopsis
     - simplify the description of -I
     - note that -I is only available if support compiled in, and that it
     isn't by default
     feedback/ok djm@
   - jmc@cvs.openbsd.org 2005/12/23 23:46:23
     [ssh.1]
     less mark up for -c;
   - djm@cvs.openbsd.org 2005/12/24 02:27:41
     [session.c sshd.c]
     eliminate some code duplicated in privsep and non-privsep paths, and
     explicitly clear SIGALRM handler; "groovy" deraadt@

20051220
 - (dtucker) OpenBSD CVS Sync
   - reyk@cvs.openbsd.org 2005/12/13 15:03:02
     [serverloop.c]
     if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
   - jmc@cvs.openbsd.org 2005/12/16 18:07:08
     [ssh.1]
     move the option descriptions up the page: start of a restructure;
     ok markus deraadt
   - jmc@cvs.openbsd.org 2005/12/16 18:08:53
     [ssh.1]
     simplify a sentence;
   - jmc@cvs.openbsd.org 2005/12/16 18:12:22
     [ssh.1]
     make the description of -c a little nicer;
   - jmc@cvs.openbsd.org 2005/12/16 18:14:40
     [ssh.1]
     signpost the protocol sections;
   - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
     [ssh_config.5 session.c]
     spelling: fowarding, fowarded
   - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
     [ssh_config.5]
     spelling: intented -> intended
   - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
     [ssh.c]
     exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@

20051219
 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
   openbsd-compat/openssl-compat.h] Check for and work around broken AES
   ciphers >128bit on (some) Solaris 10 systems. ok djm@

20051217
 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
   scp.c also uses, so undef them here.
 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
   snprintf replacement can have a conflicting declaration in HP-UX's system
   headers (const vs. no const) so we now check for and work around it. Patch
   from the dynamic duo of David Leonard and Ted Percival.

20051214
 - (dtucker) OpenBSD CVS Sync (regress/)
   - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
     [regress/scp-ssh-wrapper.sh]
     Fix assumption about how many args scp will pass; ok djm@

20051213
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/11/30 11:18:27
     [ssh.1]
     timezone -> time zone
   - jmc@cvs.openbsd.org 2005/11/30 11:45:20
     [ssh.1]
     avoid ambiguities in describing TZ;
     ok djm@
   - reyk@cvs.openbsd.org 2005/12/06 22:38:28
     [auth-options.c auth-options.h channels.c channels.h clientloop.c]
     [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
     [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
     [sshconnect.h sshd.8 sshd_config sshd_config.5]
     Add support for tun(4) forwarding over OpenSSH, based on an idea and
     initial channel code bits by markus@. This is a simple and easy way to
     use OpenSSH for ad hoc virtual private network connections, e.g.
     administrative tunnels or secure wireless access.
     It's based on a new
     ssh channel and works similar to the existing TCP forwarding support,
     except that it depends on the tun(4) network interface on both ends of
     the connection for layer 2 or layer 3 tunneling. This diff also adds
     support for LocalCommand in the ssh(1) client.
     ok djm@, markus@, jmc@ (manpages), tested and discussed with others
   - djm@cvs.openbsd.org 2005/12/07 03:52:22
     [clientloop.c]
     reyk forgot to compile with -Werror (missing header)
   - jmc@cvs.openbsd.org 2005/12/07 10:52:13
     [ssh.1]
     - avoid line split in SYNOPSIS
     - add args to -w
     - kill trailing whitespace
   - jmc@cvs.openbsd.org 2005/12/08 14:59:44
     [ssh.1 ssh_config.5]
     make `!command' a little clearer;
     ok reyk
   - jmc@cvs.openbsd.org 2005/12/08 15:06:29
     [ssh_config.5]
     keep options in order;
   - reyk@cvs.openbsd.org 2005/12/08 18:34:11
     [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
     [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
     two changes to the new ssh tunnel support. this breaks compatibility
     with the initial commit but is required for a portable approach.
     - make the tunnel id u_int and platform friendly, use predefined types.
     - support configuration of layer 2 (ethernet) or layer 3
     (point-to-point, default) modes. configuration is done using the
     Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
     restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
     in sshd_config(5).
     ok djm@, man page bits by jmc@
   - jmc@cvs.openbsd.org 2005/12/08 21:37:50
     [ssh_config.5]
     new sentence, new line;
   - markus@cvs.openbsd.org 2005/12/12 13:46:18
     [channels.c channels.h session.c]
     make sure protocol messages for internal channels are ignored.
     allow adjust messages for non-open channels; with and ok djm@
 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
   again by providing a sys_tun_open() function for your platform and
   setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
   OpenBSD's tunnel protocol, which prepends the address family to the
   packet

20051201
 - (djm) [envpass.sh] Remove regress script that was accidentally committed
   in top level directory and not noticed for over a year :)

20051129
 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
   bits == 0.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
     [ssh-keygen.c]
     Populate default key sizes before checking them; from & ok tim@
 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
   for UnixWare.

20051128
 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
   versions of GNU head. Based on patch from zappaman at buraphalinux.org
 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
   _GNU_SOURCE instead. Patch from t8m at centrum.cz.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
     [ssh-keygen.1 ssh-keygen.c]
     Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
     increase minimum RSA key size to 768 bits and update man page to reflect
     these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
     ok djm@, grudging ok deraadt@.
   - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
     [ssh-agent.1]
     Update agent socket path templates to reflect reality, correct xref for
     time formats.
     bz#1121, patch from openssh at roumenpetrov.info, ok djm@

20051126
 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
   when they're available) need the real UID set otherwise pam_chauthtok will
   set ADMCHG after changing the password, forcing the user to change it
   again immediately.

20051125
 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
   resolver state in resolv.h is "state" not "__res_state". With slight
   modification by me to also work on old AIXes. ok djm@
 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
   snprintf formats, fixes warnings on some 64 bit platforms. Patch from
   shaw at vranix.com, ok djm@

20051124
 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
   openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
   asprintf() implementation, after syncing our {v,}snprintf() implementation
   with some extra fixes from Samba's version. With help and debugging from
   dtucker and tim; ok dtucker@
 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
   order in Reliant Unix block. Patch from johane at lysator.liu.se.
 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
   many and use them only once. Speeds up testing on older/slower hardware.

20051122
 - (dtucker) OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
     [ssh-add.c]
     space
   - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
     [scp.c]
     avoid close(-1), as in rcp; ok cloder
   - millert@cvs.openbsd.org 2005/11/15 11:59:54
     [includes.h]
     Include sys/queue.h explicitly instead of assuming some other header
     will pull it in. At the moment it gets pulled in by sys/select.h
     (which ssh has no business including) via event.h.
     OK markus@
     (ID sync only in -portable)
   - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
     [auth-krb5.c]
     Perform Kerberos calls even for invalid users to prevent leaking
     information about account validity. bz #975, patch originally from
     Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
     ok markus@
   - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
     [hostfile.c]
     Correct format/arguments to debug call; spotted by shaw at vranix.com
     ok djm@
 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
   from shaw at vranix.com.

20051120
 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
   is going on.

20051112
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
   ifdef lost during sync. Spotted by tim@.
 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
 - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
   test: if sshd takes too long to reconfigure the subsequent connection will
   fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.

20051110
 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
   OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
   "register").
 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
   unnecessary prototype.
 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
   revs 1.7 - 1.9.
 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
   Patch from djm@.
 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
   since they're not useful right now. Patch from djm@.
 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
   prototypes, removal of "register").
 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
   of "register").
 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
   after the copyright notices. Having them at the top next to the CVSIDs
   guarantees a conflict for each and every sync.
 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
   Removal of rcsid, "whiteout" inode type.
 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
   Removal of rcsid, will no longer strlcpy parts of the string.
 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
   with OpenBSD code since we don't support platforms without fstat any more.
 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
   Id and copyright sync only, there were no substantial changes we need.
 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
   -Wsign-compare fixes from djm.
 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
   Id and copyright sync only, there were no substantial changes we need.
 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
   doesn't change between versions, and use a safer default.

20051105
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2005/10/07 11:13:57
     [ssh-keygen.c]
     change DSA default back to 1024, as it's defined for 1024 bits only
     and this causes interop problems with other clients. moreover,
     in order to improve the security of DSA you need to change more
     components of DSA key generation (e.g. the internal SHA1 hash);
     ok deraadt
   - djm@cvs.openbsd.org 2005/10/10 10:23:08
     [channels.c channels.h clientloop.c serverloop.c session.c]
     fix regression I introduced in 4.2: X11 forwardings initiated after
     a session has exited (e.g. "(sleep 5; xterm) &") would not start.
     bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
   - djm@cvs.openbsd.org 2005/10/11 23:37:37
     [channels.c]
     bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
     bind() failure when a previous connection's listeners are in TIME_WAIT,
     reported by plattner AT inf.ethz.ch; ok dtucker@
   - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
     [auth2-gss.c gss-genr.c gss-serv.c]
     remove unneeded #includes; ok markus@
   - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
     [gss-serv.c]
     spelling in comments
   - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
     [gss-serv-krb5.c gss-serv.c]
     unused declarations; ok deraadt@
     (id sync only for gss-serv-krb5.c)
   - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
     [dns.c]
     unneeded #include, unused declaration, little knf; ok deraadt@
   - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
     [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
     KNF; ok djm@
   - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
     [ssh-keygen.c ssh.c sshconnect2.c]
     no trailing "\n" for log functions; ok djm@
   - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
     [channels.c clientloop.c]
     free()->xfree(); ok djm@
   - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
     [sshconnect.c]
     make external definition static; ok deraadt@
   - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
     [dns.c]
     fix memory leaks from 2 sources:
         1) key_fingerprint_raw()
         2) malloc in dns_read_rdata()
     ok jakob@
   - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
     [dns.c]
     remove #ifdef LWRES; ok jakob@
   - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
     [dns.c dns.h]
     more cleanups; ok jakob@
   - djm@cvs.openbsd.org 2005/10/30 01:23:19
     [ssh_config.5]
     mention control socket fallback behaviour, reported by
     tryponraj AT gmail.com
   - djm@cvs.openbsd.org 2005/10/30 04:01:03
     [ssh-keyscan.c]
     make ssh-keygen discard junk from
     server before SSH- ident, spotted by
     dave AT cirt.net; ok dtucker@
   - djm@cvs.openbsd.org 2005/10/30 04:03:24
     [ssh.c]
     fix misleading debug message; ok dtucker@
   - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
     [canohost.c sshd.c]
     Check for connections with IP options earlier and drop silently. ok djm@
   - jmc@cvs.openbsd.org 2005/10/30 08:43:47
     [ssh_config.5]
     remove trailing whitespace;
   - djm@cvs.openbsd.org 2005/10/30 08:52:18
     [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
     [ssh.c sshconnect.c sshconnect1.c sshd.c]
     no need to escape single quotes in comments, no binary change
   - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
     [sftp.c]
     Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
   - djm@cvs.openbsd.org 2005/10/31 11:12:49
     [ssh-keygen.1 ssh-keygen.c]
     generate a protocol 2 RSA key by default
   - djm@cvs.openbsd.org 2005/10/31 11:48:29
     [serverloop.c]
     make sure we clean up wtmp, etc. file when we receive a SIGTERM,
     SIGINT or SIGQUIT when running without privilege separation (the
     normal privsep case is already OK). Patch mainly by dtucker@ and
     senthilkumar_sen AT hotpop.com; ok dtucker@
   - jmc@cvs.openbsd.org 2005/10/31 19:55:25
     [ssh-keygen.1]
     grammar;
   - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
     [canohost.c]
     Cache reverse lookups with and without DNS separately; ok markus@
   - djm@cvs.openbsd.org 2005/11/04 05:15:59
     [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
     remove hardcoded hash lengths in key exchange code, allowing
     implementation of KEX methods with different hashes (e.g.
     SHA-256);
     ok markus@ dtucker@ stevesk@
   - djm@cvs.openbsd.org 2005/11/05 05:01:15
     [bufaux.c]
     Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
     cs.stanford.edu; ok dtucker@
 - (dtucker) [README.platform] Add PAM section.
 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
   resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
   ok dtucker@

20051102
 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
   Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
   via FreeBSD.

20051030
 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.sshd
   contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
   files from imorgan AT nas.nasa.gov
 - (dtucker) [session.c] Bug #1045: do not check /etc/nologin when PAM is
   enabled, instead allow PAM to handle it. Note that on platforms using PAM,
   the pam_nologin module should be added to sshd's session stack in order to
   maintain existing behaviour. Based on patch and discussion from t8m at
   centrum.cz, ok djm@

20051025
 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
   sizeof(long long) checks, to make fixing bug #1104 easier (no changes
   yet).
 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
   understand "%lld", even though the compiler has "long long", so handle
   it as a special case. Patch tested by mcaskill.scott at epa.gov.
 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
   prompt. Patch from vinschen at redhat.com.

20051017
 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
   /etc/default/login report and testing from aabaker at iee.org, corrections
   from tim@.

20051009
 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
   versions from OpenBSD.
   ok djm@

20051008
 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
   brian.smith at agilent com.
 - (djm) [configure.ac] missing 'test' call for -with-Werror test

20051005
 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
   "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
   senthilkumar_sen at hotpop.com.

20051003
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2005/09/07 08:53:53
     [channels.c]
     enforce chanid != NULL; ok djm
   - markus@cvs.openbsd.org 2005/09/09 19:18:05
     [clientloop.c]
     typo; from mark at mcs.vuw.ac.nz, bug #1082
   - djm@cvs.openbsd.org 2005/09/13 23:40:07
     [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
     scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
     ensure that stdio fds are attached; ok deraadt@
   - djm@cvs.openbsd.org 2005/09/19 11:37:34
     [ssh_config.5 ssh.1]
     mention ability to specify bind_address for DynamicForward and -D options;
     bz#1077 spotted by Haruyama Seigo
   - djm@cvs.openbsd.org 2005/09/19 11:47:09
     [sshd.c]
     stop connection abort on rekey with delayed compression enabled when
     post-auth privsep is disabled (e.g.
     when root is logged in); ok dtucker@
   - djm@cvs.openbsd.org 2005/09/19 11:48:10
     [gss-serv.c]
     typo
   - jmc@cvs.openbsd.org 2005/09/19 15:38:27
     [ssh.1]
     some more .Bk/.Ek to avoid ugly line split;
   - jmc@cvs.openbsd.org 2005/09/19 15:42:44
     [ssh.c]
     update -D usage here too;
   - djm@cvs.openbsd.org 2005/09/19 23:31:31
     [ssh.1]
     spelling nit from stevesk@
   - djm@cvs.openbsd.org 2005/09/21 23:36:54
     [sshd_config.5]
     aquire -> acquire, from stevesk@
   - djm@cvs.openbsd.org 2005/09/21 23:37:11
     [sshd.c]
     change label at markus@'s request
   - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
     [ssh-keyscan.1]
     deploy .An -nosplit; ok jmc
   - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
     [canohost.c]
     Relocate check_ip_options call to prevent logging of garbage for
     connections with IP options set. bz#1092 from David Leonard,
     "looks good" deraadt@
 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
   is required in the system path for the multiplex test to work.

20050930
 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
   for strtoll. Patch from o.flebbe at science-computing.de.
 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
   child during PAM account check without clearing it. This restores the
   post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
   with help from several others.

20050929
 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
   introduced during sync.

20050928
 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
   PAM via keyboard-interactive. Patch tested by the folks at Vintela.

20050927
 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
   calls, since they can't possibly fail. ok djm@
 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
   process when sshd relies on ssh-random-helper. Should result in faster
   logins on systems without a real random device or prngd. ok djm@

20050924
 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
   duplicate call. ok djm@

20050922
 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
   skeleten at shillest.net.
 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
   shillest.net.

20050919
 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
   AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
   ok dtucker@

20050912
 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
   Mike Frysinger.

20050908
 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

20050901
 - (djm) Update RPM spec file versions

20050831
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2005/08/30 22:08:05
     [gss-serv.c sshconnect2.c]
     destroy credentials if krb5_kuserok() call fails.
     Stops credentials being
     delegated to users who are not authorised for GSSAPIAuthentication when
     GSSAPIDeletegateCredentials=yes and another authentication mechanism
     succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
     simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
   - markus@cvs.openbsd.org 2005/08/31 09:28:42
     [version.h]
     4.2
 - (dtucker) [README] Update release note URL to 4.2
 - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
   openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
   libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
   Feedback and OK dtucker@

20050830
 - (tim) [configure.ac] Back out last change. It needs to be done differently.

20050829
 - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
   password support to 7.x for now.

20050826
 - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
   openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
   openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
   openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
   on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
   by tim@. Feedback and OK dtucker@

20050823
 - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a
   fully-qualified sshd pathname since some systems (eg Cygwin) may consider
   "/foo" and "//foo" to be different. Spotted by vinschen at redhat.com.
 - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
   and OK dtucker@
 - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@

20050821
 - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
   LynxOS, patch from Olli Savia (ops at iki.fi).
   ok djm@

20050816
 - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
   from Jacob Nevins; ok dtucker@

20050815
 - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
 - (tim) [configure.ac] corrections to libedit tests. Report and patches
   by skeleten AT shillest.net

20050812
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2005/07/28 17:36:22
     [packet.c]
     missing packet_init_compression(); from solar
   - djm@cvs.openbsd.org 2005/07/30 01:26:16
     [ssh.c]
     fix -D listen_host initialisation, so it picks up gateway_ports setting
     correctly
   - djm@cvs.openbsd.org 2005/07/30 02:03:47
     [readconf.c]
     listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
   - dtucker@cvs.openbsd.org 2005/08/06 10:03:12
     [servconf.c]
     Unbreak sshd ListenAddress for bare IPv6 addresses.
     Report from Janusz Mucka; ok djm@
   - jaredy@cvs.openbsd.org 2005/08/08 13:22:48
     [sftp.c]
     sftp prompt enhancements:
     - in non-interactive mode, do not print an empty prompt at the end
       before finishing
     - print newline after EOF in editline mode
     - call el_end() in editline mode
     ok dtucker djm

20050810
 - (dtucker) [configure.ac] Test libedit library and headers for compatibility.
   Report from skeleten AT shillest.net, ok djm@
 - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
   Sync current (thread-safe) version of realpath.c from OpenBSD (which is
   in turn based on FreeBSD's). ok djm@

20050809
 - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
   Report by skeleten AT shillest.net

20050803
 - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
   individually and use a value less likely to collide with real values from
   netdb.h. Fixes compile warnings on FreeBSD 5.3.
   ok djm@
 - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
   latter is specified in the standard.

20050802
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/07/27 10:39:03
     [scp.c hostfile.c sftp-client.c]
     Silence bogus -Wuninitialized warnings; ok djm@
 - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
   with gcc. ok djm@
 - (dtucker) [configure.ac] Add a --with-Werror option to configure for
   adding -Werror to CFLAGS when all of the configure tests are done. ok djm@

20050726
 - (dtucker) [configure.ac] Update zlib warning message too, pointed out by
   tim@.
 - (djm) OpenBSD CVS Sync
   - otto@cvs.openbsd.org 2005/07/19 15:32:26
     [auth-passwd.c]
     auth_usercheck(3) can return NULL, so check for that. Report from
     mpech@. ok markus@
   - markus@cvs.openbsd.org 2005/07/25 11:59:40
     [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
     [sshconnect2.c sshd.c sshd_config sshd_config.5]
     add a new compression method that delays compression until the user
     has been authenticated successfully and set compression to 'delayed'
     for sshd.
     this breaks older openssh clients (< 3.5) if they insist on
     compression, so you have to re-enable compression in sshd_config.
     ok djm@

20050725
 - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.

20050717
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2005/07/16 01:35:24
     [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
     [sshconnect.c]
     spacing
 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
   [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
   in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
 - (djm) [auth-pam.c sftp.c] spaces vs.
   tabs at start of line
   - djm@cvs.openbsd.org 2005/07/17 06:49:04
     [channels.c channels.h session.c session.h]
     Fix a number of X11 forwarding channel leaks:
     1. Refuse multiple X11 forwarding requests on the same session
     2. Clean up all listeners after a single_connection X11 forward, not just
        the one that made the single connection
     3. Destroy X11 listeners when the session owning them goes away
     testing and ok dtucker@
   - djm@cvs.openbsd.org 2005/07/17 07:17:55
     [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
     [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
     [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
     [sshconnect.c sshconnect2.c]
     knf says that a 2nd level indent is four (not three or five) spaces
 - (djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
   [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
 - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls

20050716
 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
   socketpair stays open in both the monitor and PAM process. Patch from
   Joerg Sonnenberger.

20050714
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/07/06 09:33:05
     [ssh.1]
     clarify meaning of ssh -b ; with & ok jmc@
   - dtucker@cvs.openbsd.org 2005/07/08 09:26:18
     [misc.c]
     Make comment match code; ok djm@
   - markus@cvs.openbsd.org 2005/07/08 09:41:33
     [channels.h]
     race when efd gets closed while there is still buffered data:
     change CHANNEL_EFD_OUTPUT_ACTIVE()
        1) c->efd must always be valid AND
        2a) no EOF has been seen OR
        2b) there is buffered data
     report, initial fix and testing Chuck Cranor
   - dtucker@cvs.openbsd.org 2005/07/08 10:20:41
     [ssh_config.5]
     change BindAddress to match recent ssh -b change; prompted by markus@
   - jmc@cvs.openbsd.org 2005/07/08 12:53:10
     [ssh_config.5]
     new sentence, new line;
   - dtucker@cvs.openbsd.org 2005/07/14 04:00:43
     [misc.h]
     use __sentinel__ attribute; ok deraadt@ djm@ markus@
 - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
   compiler doesn't understand it to prevent warnings. If any mainstream
   compiler versions acquire it we can test for those versions. Based on
   discussion with djm@.

20050707
 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
   the MIT Kerberos code path into a common function and expand mkstemp
   template to be consistent with the rest of OpenSSH. From sxw at
   inf.ed.ac.uk, ok djm@
 - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
   in the case where the buffer is insufficient, so always return ENOMEM.
   Also pointed out by sxw at inf.ed.ac.uk.
 - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
   calls to krb5_init_ets, which has not been required since krb-1.1.x and
   most Kerberos versions no longer export in their public API.
   From sxw
   at inf.ed.ac.uk, ok djm@

20050706
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2005/07/01 13:19:47
     [channels.c]
     don't free() if getaddrinfo() fails; report mpech@
   - djm@cvs.openbsd.org 2005/07/04 00:58:43
     [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
     implement support for X11 and agent forwarding over multiplex slave
     connections. Because of protocol limitations, the slave connections inherit
     the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
     their own.
     ok dtucker@ "put it in" deraadt@
   - jmc@cvs.openbsd.org 2005/07/04 11:29:51
     [ssh_config.5]
     fix Xr and a little grammar;
   - markus@cvs.openbsd.org 2005/07/04 14:04:11
     [channels.c]
     don't forget to set x11_saved_display

20050626
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2005/06/17 22:53:47
     [ssh.c sshconnect.c]
     Fix ControlPath's %p expanding to "0" for a default port,
     spotted dwmw2 AT infradead.org; ok markus@
   - djm@cvs.openbsd.org 2005/06/18 04:30:36
     [ssh.c ssh_config.5]
     allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
   - djm@cvs.openbsd.org 2005/06/25 22:47:49
     [ssh.c]
     do the default port filling code a few lines earlier, so it really
     does fix %p

20050618
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2005/05/20 12:57:01;
     [auth1.c] split protocol 1 auth methods into separate functions, makes
     authloop much more readable; fixes and ok markus@ (portable ok &
     polish dtucker@)
   - djm@cvs.openbsd.org 2005/06/17 02:44:33
     [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
 - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
   tested and fixes tim@

20050617
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2005/06/16 03:38:36
     [channels.c channels.h clientloop.c clientloop.h ssh.c]
     move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd
     easier later; ok deraadt@
   - markus@cvs.openbsd.org 2005/06/16 08:00:00
     [canohost.c channels.c sshd.c]
     don't exit if getpeername fails for forwarded ports; bugzilla #1054;
     ok djm
   - djm@cvs.openbsd.org 2005/06/17 02:44:33
     [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
     [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
     [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
     [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
     [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     make this -Wsign-compare clean; ok avsm@ markus@
     NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
     NB2. more work may be needed to make portable Wsign-compare clean
 - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
   openbsd-compat/openssl-compat.c] only include openssl compat stuff where
   it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by
   and ok tim@

20050616
 - (djm) OpenBSD CVS Sync
   - jaredy@cvs.openbsd.org 2005/06/07 13:25:23
     [progressmeter.c]
     catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
   - djm@cvs.openbsd.org 2005/06/06 11:20:36
     [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
     introduce a generic %foo expansion function.
     replace existing % expansion
     and add expansion to ControlPath; ok markus@
   - djm@cvs.openbsd.org 2005/06/08 03:50:00
     [ssh-keygen.1 ssh-keygen.c sshd.8]
     increase default rsa/dsa key length from 1024 to 2048 bits;
     ok markus@ deraadt@
   - djm@cvs.openbsd.org 2005/06/08 11:25:09
     [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
     add ControlMaster=auto/autoask options to support opportunistic
     multiplexing; tested avsm@ and jakob@, ok markus@
   - dtucker@cvs.openbsd.org 2005/06/09 13:43:49
     [cipher.c]
     Correctly initialize end of array sentinel; ok djm@
     (Id sync only, change already in portable)

20050609
 - (dtucker) [cipher.c openbsd-compat/Makefile.in
   openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
   Move compatibility code for supporting older OpenSSL versions to the
   compat layer. Suggested by and "no objection" djm@

20050607
 - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
   in today's episode we attempt to coax it from limits.h where it may be
   hiding, failing that we take the DIY approach. Tested by tim@

20050603
 - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
   defined, and check that it helps before keeping it in CFLAGS. Some old
   gcc's don't set an error code when encountering an unknown value in -std.
   Found and tested by tim@.
 - (dtucker) [configure.ac] Point configure's reporting address at the
   openssh-unix-dev list. ok tim@ djm@

20050602
 - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
   Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
   to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
   must be run on all platforms) Add missing ;; to case statement.
   OK dtucker@

20050601
 - (dtucker) [configure.ac] Look for _getshort and _getlong in
   arpa/nameser.h.
 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
   Add strtoll to the compat library, from OpenBSD.
 - (dtucker) OpenBSD CVS Sync
   - avsm@cvs.openbsd.org 2005/05/26 02:08:05
     [scp.c]
     If copying multiple files to a target file (which normally fails, as it
     must be a target directory), kill the spawned ssh child before exiting.
     This stops it trying to authenticate and spewing lots of output.
     deraadt@ ok
   - dtucker@cvs.openbsd.org 2005/05/26 09:08:12
     [ssh-keygen.c]
     uint32_t -> u_int32_t for consistency; ok djm@
   - djm@cvs.openbsd.org 2005/05/27 08:30:37
     [ssh.c]
     fix -O for cases where no ControlPath has been specified or socket at
     ControlPath is not contactable; spotted by and ok avsm@
 - (tim) [config.guess config.sub] Update to '2005-05-27' version.
 - (tim) [configure.ac] set TEST_SHELL for OpenServer 6

20050531
 - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at
   vintela.com.
 - (dtucker) [mdoc2man.awk] Teach it to understand .Ox.

20050530
 - (dtucker) [README] Link to new release notes. Better late than never...

20050529
 - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
   argument to passwdexpired to be initialized to NULL. Suggested by tim@
   While at it, initialize the other arguments to auth functions in case they
   ever acquire this behaviour.
 - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
 - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
   spotted by tim@.

20050528
 - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
   one entry per line to make it easier to merge changes.
   ok djm@
 - (dtucker) [configure.ac] strsep() may be defined in string.h, so check
   for its presence and include it in the strsep check.
 - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
   its presence before doing AC_FUNC_GETPGRP.
 - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
   version-specific variations as required.
 - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
   per the autoconf man page. Configure should always define them but it
   doesn't hurt to check.

20050527
 - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
   David Leach; ok dtucker@
 - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
   openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo.
   Required changes from Bernhard Simon, integrated by me. ok djm@

20050525
 - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not
   been used for a while
 - (djm) OpenBSD CVS Sync
   - otto@cvs.openbsd.org 2005/04/05 13:45:31
     [ssh-keygen.c]
   - djm@cvs.openbsd.org 2005/04/06 09:43:59
     [sshd.c]
     avoid harmless logspam by not performing setsockopt() on non-socket;
     ok markus@
   - dtucker@cvs.openbsd.org 2005/04/06 12:26:06
     [ssh.c]
     Fix debug call for port forwards; patch from pete at seebeyond.com,
     ok djm@ (ID sync only - change already in portable)
   - djm@cvs.openbsd.org 2005/04/09 04:32:54
     [misc.c misc.h tildexpand.c Makefile.in]
     replace tilde_expand_filename with a simpler implementation, ahead of
     more whacking; ok deraadt@
   - jmc@cvs.openbsd.org 2005/04/14 12:30:30
     [ssh.1]
     arg to -b is an address, not if_name;
     ok markus@
   - jakob@cvs.openbsd.org 2005/04/20 10:05:45
     [dns.c]
     do not try to look up SSHFP for numerical hostname.
     ok djm@
   - djm@cvs.openbsd.org 2005/04/21 06:17:50
     [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
     [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
     variable, so don't say that we do (bz #623); ok deraadt@
   - djm@cvs.openbsd.org 2005/04/21 11:47:19
     [ssh.c]
     don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
     ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
   - dtucker@cvs.openbsd.org 2005/04/23 23:43:47
     [readpass.c]
     Add debug message if read_passphrase can't open /dev/tty; bz #471;
     ok djm@
   - jmc@cvs.openbsd.org 2005/04/26 12:59:02
     [sftp-client.h]
     spelling correction in comment from wiz@netbsd;
   - jakob@cvs.openbsd.org 2005/04/26 13:08:37
     [ssh.c ssh_config.5]
     fallback gracefully if client cannot connect to ControlPath. ok djm@
   - moritz@cvs.openbsd.org 2005/04/28 10:17:56
     [progressmeter.c ssh-keyscan.c]
     add snprintf checks. ok djm@ markus@
   - markus@cvs.openbsd.org 2005/05/02 21:13:22
     [readpass.c]
     missing {}
   - djm@cvs.openbsd.org 2005/05/10 10:28:11
     [ssh.c]
     print nice error message for EADDRINUSE as well (ID sync only)
   - djm@cvs.openbsd.org 2005/05/10 10:30:43
     [ssh.c]
     report real errors on fallback from ControlMaster=no to normal connect
   - markus@cvs.openbsd.org 2005/05/16 15:30:51
     [readconf.c servconf.c]
     check return value from strdelim() for NULL (AddressFamily); mpech
   - djm@cvs.openbsd.org 2005/05/19 02:39:55
     [sshd_config.5]
     sort config options, from grunk AT pestilenz.org; ok jmc@
   - djm@cvs.openbsd.org 2005/05/19 02:40:52
     [sshd_config]
     whitespace nit, from grunk AT pestilenz.org
   - djm@cvs.openbsd.org 2005/05/19 02:42:26
     [includes.h]
     fix cast, from grunk AT pestilenz.org
   - djm@cvs.openbsd.org 2005/05/20 10:50:55
     [ssh_config.5]
     give a ProxyCommand example using nc(1), with and ok jmc@
   - jmc@cvs.openbsd.org 2005/05/20 11:23:32
     [ssh_config.5]
     oops - article and spacing;
   - avsm@cvs.openbsd.org 2005/05/23 22:44:01
     [moduli.c ssh-keygen.c]
     - removes signed/unsigned comparisons in moduli generation
     - use strtonum instead of atoi where it's easier
     - check some strlcpy overflow and fatal instead of truncate
   - djm@cvs.openbsd.org 2005/05/23 23:32:46
     [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
     add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
     ok markus@
   - avsm@cvs.openbsd.org 2005/05/24 02:05:09
     [ssh-keygen.c]
     some style nits from dmiller@, and use a fatal() instead of a printf()/exit
   - avsm@cvs.openbsd.org 2005/05/24 17:32:44
     [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
     [ssh-keyscan.c sshconnect.c]
     Switch atomicio to use a simpler interface; it now returns a size_t
     (containing number of bytes read/written), and indicates error by
     returning 0. EOF is signalled by errno==EPIPE.
     Typical use now becomes:

     if (atomicio(read, ..., len) != len)
             err(1,"read");

     ok deraadt@, cloder@, djm@
 - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
   Cygwin.
 - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
   warning: dereferencing type-punned pointer will break strict-aliasing rules
   warning: passing arg 3 of `pam_get_item' from incompatible pointer type
   The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
   templates for _getshort and _getlong if missing to prevent compiler warnings
   on Linux.
 - (djm) [configure.ac openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
   Add strtonum(3) from OpenBSD libc, new code needs it.
   Unfortunately Linux forces us to do a bizarre dance with compiler
   options to get LLONG_MIN/MAX; Spotted by and ok dtucker@

20050524
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Update spec file versions to 4.1p1
 - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
   that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
   idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use
   USE_POSIX_THREADS will now generate an error so we don't silently change
   behaviour. ok djm@
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
   allocation when retrieving core Windows environment. Add CYGWIN variable
   to propagated variables. Patch from vinschen at redhat.com, ok djm@
 - Release 4.1p1

20050524
 - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
   terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz;
   "looks ok" dtucker@

20050512
 - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script
   hard link section. Bug 1038.

20050509
 - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a
   user-mode mounts in Cygwin installation. Patch from vinschen at redhat.com.

20050504
 - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used
   unix domain socket, so catch that too; from jakob@ ok dtucker@

20050503
 - (dtucker) [canohost.c] normalise socket addresses returned by
   get_remote_hostname(). This means that IPv4 addresses in log messages
   on IPv6 enabled machines will no longer be prefixed by "::ffff:" and
   AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style
   addresses only for 4-in-6 mapped connections, regardless of whether
   or not the machine is IPv6 enabled.
   ok djm@

20050425
 - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the
   existence of a process since it's more portable. Found by jbasney at
   ncsa.uiuc.edu; ok tim@
 - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh
   will clean up anyway. From tim@
 - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running
   "make tests" works even if you're building on a filesystem that doesn't
   support sockets. From deengert at anl.gov, ok djm@

20050424
 - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or
   1.2.1.2 or higher. With tim@, ok djm@

20050423
 - (tim) [config.guess] Add support for OpenServer 6.

20050421
 - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if
   UseLogin is set as PAM is not used to establish credentials in that
   case. Found by Michael Selvesteen, ok djm@

20050419
 - (dtucker) [INSTALL] Reference README.privsep for the privilege separation
   requirements. Pointed out by Bengt Svensson.
 - (dtucker) [INSTALL] Put the s/key text and URL back together.
 - (dtucker) [INSTALL] Fix s/key text too.

20050411
 - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME

20050405
 - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it. ok djm@
 - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on
   Tru64. Patch from cmadams at hiwaay.net.
 - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of
   sys_auth_passwd, pointed out by cmadams at hiwaay.net.

20050403
 - (djm) OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2005/03/31 18:39:21
     [scp.c]
     copy argv[] element instead of smashing the one that ps will see; ok otto
   - djm@cvs.openbsd.org 2005/04/02 12:41:16
     [scp.c]
     since ssh has xstrdup, use it instead of strdup+test.
     unbreaks -Werror
     build
 - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read
   will free as needed. ok tim@ djm@

20050331
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/03/16 11:10:38
     [ssh_config.5]
     get the syntax right for {Local,Remote}Forward;
     based on a diff from markus;
     problem report from ponraj;
     ok dtucker@ markus@ deraadt@
   - markus@cvs.openbsd.org 2005/03/16 21:17:39
     [version.h]
     4.1
   - jmc@cvs.openbsd.org 2005/03/18 17:05:00
     [sshd_config.5]
     typo;
 - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in
   handling of password expiry messages returned by AIX's authentication
   routines, originally reported by robvdwal at sara.nl.
 - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug
   message on some platforms. Patch from pete at seebeyond.com via djm.
 - (dtucker) [monitor.c] Remaining part of fix for bug #1006.

20050329
 - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're
   interested in which is much faster in large (eg LDAP or NIS) environments.
   Patch from dleonard at vintela.com.

20050321
 - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes
   and -Lyes to CFLAGS and LIBS. Pointed out by peter at slagheap.net,
   with & ok tim@
 - (dtucker) [configure.ac] Make configure error out if the user specifies
   --with-libedit but the required libs can't be found, rather than silently
   ignoring and continuing. ok tim@
 - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions
   of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se.

20050317
 - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
   Make --without-opensc work.
 - (tim) [configure.ac] portability changes on test statements.
   Some shells
   have problems with -a operator.
 - (tim) [configure.ac] make some configure options a little more error proof.
 - (tim) [configure.ac] remove trailing white space.

20050314
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/03/10 10:15:02
     [readconf.c]
     Check listen addresses for null, prevents xfree from dying during
     ClearAllForwardings (bz #996). From Craig Leres, ok markus@
   - deraadt@cvs.openbsd.org 2005/03/10 22:01:05
     [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c
     monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c
     readconf.c bufaux.c sftp.c]
     spacing
   - deraadt@cvs.openbsd.org 2005/03/10 22:40:38
     [auth-options.c]
     spacing
   - markus@cvs.openbsd.org 2005/03/11 14:59:06
     [ssh-keygen.c]
     typo, missing \n; mpech
   - jmc@cvs.openbsd.org 2005/03/12 11:55:03
     [ssh_config.5]
     escape `.' at eol to avoid double spacing issues;
   - dtucker@cvs.openbsd.org 2005/03/14 10:09:03
     [ssh-keygen.1]
     Correct description of -H (bz #997); ok markus@, punctuation jmc@
   - dtucker@cvs.openbsd.org 2005/03/14 11:44:42
     [auth.c]
     Populate host for log message for logins denied by AllowUsers and
     DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com)
   - markus@cvs.openbsd.org 2005/03/14 11:46:56
     [buffer.c buffer.h channels.c]
     limit input buffer size for channels; bugzilla #896; with and ok dtucker@
 - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed
   with a rpm -F

20050313
 - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
   localized name of the local administrators group more reliable. From
   vinschen at redhat.com.

20050312
 - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug
   output ends up in the client's output, causing regress failures.
   Found
   by Corinna Vinschen.

20050309
 - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
   so that regress tests behave. From Chris Adams.
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/03/07 23:41:54
     [ssh.1 ssh_config.5]
     more macro simplification;
   - djm@cvs.openbsd.org 2005/03/08 23:49:48
     [version.h]
     OpenSSH 4.0
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Update spec file versions
 - (djm) [log.c] Fix dumb syntax error; ok dtucker@
 - (djm) Release OpenSSH 4.0p1

20050307
 - (dtucker) [configure.ac] Disable gettext search when configuring with
   BSM audit support for the time being. ok djm@
 - (dtucker) OpenBSD CVS Sync (regress/)
   - fgsch@cvs.openbsd.org 2004/12/10 01:31:30
     [Makefile sftp-glob.sh]
     some globbing regress; prompted and ok djm@
   - david@cvs.openbsd.org 2005/01/14 04:21:18
     [Makefile test-exec.sh]
     pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@
   - dtucker@cvs.openbsd.org 2005/02/27 11:33:30
     [multiplex.sh test-exec.sh sshd-log-wrapper.sh]
     Add optional capability to log output from regress commands; ok markus@
     Use with: make TEST_SSH_LOGFILE=/tmp/regress.log
   - djm@cvs.openbsd.org 2005/02/27 23:13:36
     [login-timeout.sh]
     avoid nameservice lookups in regress test; ok dtucker@
   - djm@cvs.openbsd.org 2005/03/04 08:48:46
     [Makefile envpass.sh]
     regress test for SendEnv config parsing bug; ok dtucker@
 - (dtucker) [regress/test-exec.sh] Put SUDO in the right place.
 - (tim) [configure.ac] SCO 3.2v4.2 no longer supported.

20050306
 - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor
   when attempting to audit disconnect events. Reported by Phil Dibowitz.
 - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit
   events earlier, prevents mm_request_send errors reported by Matt Goebel.

20050305
 - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch
   from vinschen at redhat.com
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/03/02 11:45:01
     [ssh.1]
     missing word;
   - djm@cvs.openbsd.org 2005/03/04 08:48:06
     [readconf.c]
     fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@

20050302
 - (djm) OpenBSD CVS sync:
   - jmc@cvs.openbsd.org 2005/03/01 14:47:58
     [ssh.1]
     remove some unnecessary macros;
     do not mark up punctuation;
   - jmc@cvs.openbsd.org 2005/03/01 14:55:23
     [ssh_config.5]
     do not mark up punctuation;
     whitespace;
   - jmc@cvs.openbsd.org 2005/03/01 14:59:49
     [sshd.8]
     new sentence, new line;
     whitespace;
   - jmc@cvs.openbsd.org 2005/03/01 15:05:00
     [ssh-keygen.1]
     whitespace;
   - jmc@cvs.openbsd.org 2005/03/01 15:47:14
     [ssh-keyscan.1 ssh-keyscan.c]
     sort options and sync usage();
   - jmc@cvs.openbsd.org 2005/03/01 17:19:35
     [scp.1 sftp.1]
     add HashKnownHosts to -o list;
     ok markus@
   - jmc@cvs.openbsd.org 2005/03/01 17:22:06
     [ssh.c]
     sync usage() w/ man SYNOPSIS;
     ok markus@
   - jmc@cvs.openbsd.org 2005/03/01 17:32:19
     [ssh-add.1]
     sort options;
   - jmc@cvs.openbsd.org 2005/03/01 18:15:56
     [ssh-keygen.1]
     sort options (no attempt made at synopsis clean up though);
     spelling (occurance -> occurrence);
     use prompt before examples;
     grammar;
   - djm@cvs.openbsd.org 2005/03/02 01:00:06
     [sshconnect.c]
     fix addition of new hashed hostnames when CheckHostIP=yes;
     found and ok dtucker@
   - djm@cvs.openbsd.org 2005/03/02 01:27:41
     [ssh-keygen.c]
     ignore hostnames with metachars when hashing; ok deraadt@
   - djm@cvs.openbsd.org 2005/03/02 02:21:07
     [ssh.1]
     bz#987: mention ForwardX11Trusted in ssh.1,
     reported by andrew.benham AT thus.net; ok deraadt@
 - (tim) [regress/agent-ptrace.sh] add another possible gdb error.

20050301
 - (djm) OpenBSD CVS sync:
   - otto@cvs.openbsd.org 2005/02/16 09:56:44
     [ssh.c]
     Better diagnostic if an identity file is not accessible. ok markus@ djm@
   - djm@cvs.openbsd.org 2005/02/18 03:05:53
     [canohost.c]
     better error messages for getnameinfo failures; ok dtucker@
   - djm@cvs.openbsd.org 2005/02/20 22:59:06
     [sftp.c]
     turn on ssh batch mode when in sftp batch mode, patch from
     jdmossh AT nand.net;
     ok markus@
   - jmc@cvs.openbsd.org 2005/02/25 10:55:13
     [sshd.8]
     add /etc/motd and $HOME/.hushlogin to FILES;
     from michael knudsen;
   - djm@cvs.openbsd.org 2005/02/28 00:54:10
     [ssh_config.5]
     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
     orion AT cora.nwra.com; ok markus@
   - djm@cvs.openbsd.org 2005/03/01 10:09:52
     [auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
     [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
     [sshd_config.5]
     bz#413: allow optional specification of bind address for port forwardings.
     Patch originally by Dan Astorian, but worked on by several people
     Adds GatewayPorts=clientspecified option on server to allow remote
     forwards to bind to client-specified ports.
   - djm@cvs.openbsd.org 2005/03/01 10:40:27
     [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5]
     [sshconnect.c sshd.8]
     add support for hashing host names and addresses added to known_hosts
     files, to improve privacy of which hosts user have been visiting; ok
     markus@ deraadt@
   - djm@cvs.openbsd.org 2005/03/01 10:41:28
     [ssh-keyscan.1 ssh-keyscan.c]
     option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@
   - djm@cvs.openbsd.org 2005/03/01 10:42:49
     [ssh-keygen.1 ssh-keygen.c ssh_config.5]
     add tools for managing known_hosts files with hashed hostnames, including
     hashing existing files and deleting hosts by name; ok markus@ deraadt@

20050226
 - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
   Remove two obsolete Cygwin #ifdefs. Patch from vinschen at redhat.com.
 - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}]
   Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any
   more. Patch from vinschen at redhat.com.
 - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the
   binaries without the config files. Primarily useful for packaging.
   Patch from phil at usc.edu. ok djm@

20050224
 - (djm) [configure.ac] in_addr_t test needs sys/types.h too

20050222
 - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from
   vinschen at redhat.com.

20050220
 - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
   defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure
   --with-audit=bsm to enable. Patch originally from Sun Microsystems,
   parts by John R. Jackson. ok djm@
 - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes
   unrelated platforms to be configured incorrectly.

20050216
 - (djm) write seed to temporary file and atomically rename into place;
   ok dtucker@
 - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called
   via mkstemp in some configurations. ok djm@
 - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined
   by the system headers.
 - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
   Unix; prevents problems relating to the location of -lresolv in the
   link order.
 - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
   authentication early enough to be available to PAM session modules when
   privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam
   Hartman and similar to Debian's ssh-krb5 package.
 - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more
   compiler warnings on AIX.

20050215
 - (dtucker) [config.sh.in] Collect oslevel -r too.
 - (dtucker) [README.platform auth.c configure.ac loginrec.c
   openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
   on AIX where possible (see README.platform for details) and work around
   a misfeature of AIX's getnameinfo. ok djm@
 - (dtucker) [loginrec.c] Add missing #include.

20050211
 - (dtucker) [configure.ac] Tidy up configure --help output.
 - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too.

20050210
 - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the
   --disable-etc-default-login configure option.

20050209
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/01/28 09:45:53
     [ssh_config]
     Make it clear that the example entries in ssh_config are only some of the
     commonly-used options and refer the user to ssh_config(5) for more
     details; ok djm@
   - jmc@cvs.openbsd.org 2005/01/28 15:05:43
     [ssh_config.5]
     grammar;
   - jmc@cvs.openbsd.org 2005/01/28 18:14:09
     [ssh_config.5]
     wording;
     ok markus@
   - dtucker@cvs.openbsd.org 2005/01/30 11:18:08
     [monitor.c]
     Make code match intent; ok djm@
   - dtucker@cvs.openbsd.org 2005/02/08 22:24:57
     [sshd.c]
     Provide reason in error message if getnameinfo fails; ok markus@
 - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call
   disable_forwarding() from compat library. Prevent linker errors trying
   to resolve it for binaries other than sshd. ok djm@
 - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir
   paths. ok djm@
 - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require
   the username to be passed to the passwd command when changing expired
   passwords. ok djm@

20050208
 - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
   regress tests so newer versions of GNU head(1) behave themselves. Patch
   by djm, so ok me.
 - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings.
 - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
   monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
   defines and enums with SSH_ to prevent namespace collisions on some
   platforms (eg AIX).

20050204
 - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too.
 - (dtucker) [auth.c] Fix parens in audit log check.

20050202
 - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath
   rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@
 - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
   Make record_failed_login() call provide hostname rather than having the
   implementations having to do lookups themselves. Only affects AIX and
   UNICOS (the latter only uses the "user" parameter anyway). ok djm@
 - (dtucker) [session.c sshd.c] Bug #445: Propagate KRB5CCNAME if set to child
   the process. Since we also unset KRB5CCNAME at startup, if it's set after
   authentication it must have been set by the platform's native auth system.
   This was already done for AIX; this enables it for the general case.
 - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
   Bug #974: Teach sshd to write failed login records to btmp for failed auth
   attempts (currently only for password, kbdint and C/R, only on Linux and
   HP-UX), based on code from login.c from util-linux. With ashok_kovai at
   hotmail.com, ok djm@
 - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
   monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
   (first stage) Add audit instrumentation to sshd, currently disabled by
   default. with suggestions from and ok djm@

20050201
 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
   platforms syslog will revert to its default values. This may result in
   messages from external libraries (eg libwrap) being sent to a different
   facility.
 - (dtucker) [sshd_config.5] Bug #701: remove warning about
   keyboard-interactive since this is no longer the case.

20050124
 - (dtucker) OpenBSD CVS Sync
   - otto@cvs.openbsd.org 2005/01/21 08:32:02
     [auth-passwd.c sshd.c]
     Warn in advance for password and account expiry; initialize loginmsg
     buffer earlier and clear it after privsep fork. ok and help dtucker@
     markus@
   - dtucker@cvs.openbsd.org 2005/01/22 08:17:59
     [auth.c]
     Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
     DenyGroups. bz #909, ok djm@
   - djm@cvs.openbsd.org 2005/01/23 10:18:12
     [cipher.c]
     config option "Ciphers" should be case-sensitive; ok dtucker@
   - dtucker@cvs.openbsd.org 2005/01/24 10:22:06
     [scp.c sftp.c]
     Have scp and sftp wait for the spawned ssh to exit before they exit
     themselves. This prevents ssh from being unable to restore terminal
     modes (not normally a problem on OpenBSD but common with -Portable
     on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
     ok djm@ markus@
   - dtucker@cvs.openbsd.org 2005/01/24 10:29:06
     [moduli]
     Import new moduli; requested by deraadt@ a week ago
   - dtucker@cvs.openbsd.org 2005/01/24 11:47:13
     [auth-passwd.c]
     #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@

20050120
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/12/23 17:35:48
     [session.c]
     check for NULL; from mpech
   - markus@cvs.openbsd.org 2004/12/23 17:38:07
     [ssh-keygen.c]
     leak; from mpech
   - djm@cvs.openbsd.org 2004/12/23 23:11:00
     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
     bz #898: support AddressFamily in sshd_config. from
     peak@argo.troja.mff.cuni.cz; ok deraadt@
   - markus@cvs.openbsd.org 2005/01/05 08:51:32
     [sshconnect.c]
     remove dead code, log connect() failures with level error, ok djm@
   - jmc@cvs.openbsd.org 2005/01/08 00:41:19
     [sshd_config.5]
     `login'(n) -> `log in'(v);
   - dtucker@cvs.openbsd.org 2005/01/17 03:25:46
     [moduli.c]
     Correct spelling: SCHNOOR->SCHNORR; ok djm@
   - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
     [sshd.c]
     Make debugging output continue after reexec; ok djm@
   - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
     [auth-bsdauth.c auth2-chall.c]
     Have keyboard-interactive code call the drivers even for responses for
     invalid logins. This allows the drivers themselves to decide how to
     handle them and prevent leaking information where possible. Existing
     behaviour for bsdauth is maintained by checking authctxt->valid in the
     bsdauth driver. Note that any third-party kbdint drivers will now need
     to be able to handle responses for invalid logins. ok markus@
   - djm@cvs.openbsd.org 2004/12/22 02:13:19
     [cipher-ctr.c cipher.c]
     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
     many years now; ok deraadt@
     (Id sync only: Portable will continue to support older OpenSSLs)
 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
   existence via keyboard-interactive/pam, in conjunction with previous
   auth2-chall.c change; with Colin Watson and djm.
 - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
   bytes to prevent errors from login_init_entry() when the username is
   exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
 - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
   the list of available kbdint devices if UsePAM=no.
   ok djm@

20050118
 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
   "make survey" and "make send-survey". This will provide data on the
   configure parameters, platform and platform features to the development
   team, which will allow (among other things) better targeting of testing.
   It's entirely voluntary and is off by default. ok djm@
 - (dtucker) [survey.sh.in] Remove any blank lines from the output of
   ccver-v and ccver-V.

20041220
 - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
   from prngd is enabled at compile time but fails at run time, eg because
   prngd is not running. Note that if you have prngd running when OpenSSH is
   built, OpenSSL will consider itself internally seeded and rand-helper won't
   be built at all unless explicitly enabled via --with-rand-helper. ok djm@
 - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
   on some wacky platforms (eg old AIXes), dd will refuse to create an output
   file if it doesn't exist.

20041213
 - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from
   amarendra.godbole at ge com.

20041211
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/12/06 16:00:43
     [bufaux.c]
     use 0x00 not \0 since buf[] is a bignum
   - fgsch@cvs.openbsd.org 2004/12/10 03:10:42
     [sftp.c]
     - fix globbed ls for paths the same length as the globbed path when
       we have a unique matching.
     - fix globbed ls in case of a directory when we have a unique matching.
     - as a side effect, if the path does not exist error (used to silently
       ignore).
     - don't do extra do_lstat() if we only have one matching file.
     djm@ ok
   - dtucker@cvs.openbsd.org 2004/12/11 01:48:56
     [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
     Fix debug call in error path of authorized_keys processing and fix related
     warnings; ok djm@

20041208
 - (tim) [configure.ac] Comment some non obvious platforms in the
   target-specific case statement. Suggested and OK by dtucker@

20041207
 - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test.

20041206
 - (dtucker) [TODO WARNING.RNG] Update to reflect current reality. ok djm@
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/11/25 22:22:14
     [sftp-client.c sftp.c]
     leak; from mpech
   - jmc@cvs.openbsd.org 2004/11/29 00:05:17
     [sftp.1]
     missing full stop;
   - djm@cvs.openbsd.org 2004/11/29 07:41:24
     [sftp-client.h sftp.c]
     Some small fixes from moritz@jodeit.org. ok deraadt@
   - jaredy@cvs.openbsd.org 2004/12/05 23:55:07
     [sftp.1]
     - explain that patterns can be used as arguments in get/put/ls/etc
       commands (prodded by Michael Knudsen)
     - describe ls flags as a list
     - other minor improvements
     ok jmc, djm
   - dtucker@cvs.openbsd.org 2004/12/06 11:41:03
     [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
     Discard over-length authorized_keys entries rather than complaining when
     they don't decode. bz #884, with & ok djm@
 - (dtucker) OpenBSD CVS Sync (regress/)
   - djm@cvs.openbsd.org 2004/06/26 06:16:07
     [reexec.sh]
     don't change the name of the copied sshd for the reexec fallback test,
     makes life simpler for portable
   - dtucker@cvs.openbsd.org 2004/07/08 12:59:35
     [scp.sh]
     Regress test for bz #863 (scp double-error), requires $SUDO.
     ok markus@
   - david@cvs.openbsd.org 2004/07/09 19:45:43
     [Makefile]
     add a missing CLEANFILES used in the re-exec test
   - djm@cvs.openbsd.org 2004/10/08 02:01:50
     [reexec.sh]
     shrink and tidy; ok dtucker@
   - djm@cvs.openbsd.org 2004/10/29 23:59:22
     [Makefile added brokenkeys.sh]
     regression test for handling of corrupt keys in authorized_keys file
   - djm@cvs.openbsd.org 2004/11/07 00:32:41
     [multiplex.sh]
     regression tests for new multiplex commands
   - dtucker@cvs.openbsd.org 2004/11/25 09:39:27
     [test-exec.sh]
     Remove obsolete RhostsAuthentication from test config; ok markus@
   - dtucker@cvs.openbsd.org 2004/12/06 10:49:56
     [test-exec.sh]
     Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@

20041203
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2004/11/07 17:42:36
     [ssh.1]
     options sort, and whitespace;
   - jmc@cvs.openbsd.org 2004/11/07 17:57:30
     [ssh.c]
     usage():
     - add -O
     - sync -S w/ manpage
     - remove -h
 - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
   subsequently denied by the PAM auth stack, send the PAM message to the
   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
   ok djm@

20041107
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/11/05 12:19:56
     [sftp.c]
     command editing and history support via libedit; ok markus@
     thanks to hshoexer@ and many testers on tech@ too
   - djm@cvs.openbsd.org 2004/11/07 00:01:46
     [clientloop.c clientloop.h ssh.1 ssh.c]
     add basic control of a running multiplex master connection; including the
     ability to check its status and request it to exit; ok markus@
 - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure
   option and supporting makefile bits and documentation.

20041105
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/08/30 09:18:08
     [LICENCE]
     s/keygen/keyscan/
   - jmc@cvs.openbsd.org 2004/08/30 21:22:49
     [ssh-add.1 ssh.1]
     .Xsession -> .xsession;
     originally from a pr from f at obiit dot org, but missed by myself;
     ok markus@ matthieu@
   - djm@cvs.openbsd.org 2004/09/07 23:41:30
     [clientloop.c ssh.c]
     cleanup multiplex control socket on SIGHUP too, spotted by sturm@
     ok markus@ deraadt@
   - deraadt@cvs.openbsd.org 2004/09/15 00:46:01
     [ssh.c]
     /* fallthrough */ is something a programmer understands. But
     /* FALLTHROUGH */ is also understood by lint, so that is better.
   - jaredy@cvs.openbsd.org 2004/09/15 03:25:41
     [sshd_config.5]
     mention PrintLastLog only prints last login time for interactive
     sessions, like PrintMotd mentions.
     From Michael Knudsen, with wording changed slightly to match the
     PrintMotd description.
     ok djm
   - mickey@cvs.openbsd.org 2004/09/15 18:42:27
     [sshd.c]
     use less doubles in daemons; markus@ ok
   - deraadt@cvs.openbsd.org 2004/09/15 18:46:04
     [scp.c]
     scratch that do { } while (0) wrapper in this case
   - djm@cvs.openbsd.org 2004/09/23 13:00:04
     [ssh.c]
     correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@
   - djm@cvs.openbsd.org 2004/09/25 03:45:14
     [sshd.c]
     these printf args are no longer double; ok deraadt@ markus@
   - djm@cvs.openbsd.org 2004/10/07 10:10:24
     [scp.1 sftp.1 ssh.1 ssh_config.5]
     document KbdInteractiveDevices; ok markus@
   - djm@cvs.openbsd.org 2004/10/07 10:12:36
     [ssh-agent.c]
     don't unlink agent socket when bind() fails, spotted by rich AT
     rich-paul.net, ok markus@
   - markus@cvs.openbsd.org 2004/10/20 11:48:53
     [packet.c ssh1.h]
     disconnect for invalid (out of range) message types.
   - djm@cvs.openbsd.org 2004/10/29 21:47:15
     [channels.c channels.h clientloop.c]
     fix some window size change bugs for multiplexed connections: windows sizes
     were not being updated if they had changed after ~^Z suspends and SIGWINCH
     was not being processed unless the first connection had requested a tty;
     ok markus
   - djm@cvs.openbsd.org 2004/10/29 22:53:56
     [clientloop.c misc.h readpass.c ssh-agent.c]
     factor out common permission-asking code to separate function; ok markus@
   - djm@cvs.openbsd.org 2004/10/29 23:56:17
     [bufaux.c bufaux.h buffer.c buffer.h]
     introduce a new buffer API that returns an error rather than fatal()ing
     when presented with bad data; ok markus@
   - djm@cvs.openbsd.org 2004/10/29 23:57:05
     [key.c]
     use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
     files; ok markus@

20041102
 - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
   10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__
   only if a conflict is detected.

20041019
 - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or
   on Cygwin. Cygwin parts from vinschen at redhat com; ok djm@

20041016
 - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations;
   ok dtucker@

20041006
 - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode
   and other PAM platforms.
 - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants
   to void * to appease picky compilers (eg Tru64's "cc -std1").

20040930
 - (dtucker) [configure.ac] Set AC_PACKAGE_NAME. ok djm@

20040923
 - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one,
   which could have caused the justification to be wrong.
   ok djm@

20040921
 - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too.
   ok djm@
 - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin
   install process. Patch from vinschen at redhat.com.

20040912
 - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file.
   No change in resultant binary
 - (djm) [loginrec.c] __func__ifiy
 - (djm) [loginrec.c] xmalloc
 - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol
   banner. Suggested by deraadt@, ok mouring@, dtucker@
 - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile.
   Partly by & ok djm@.

20040911
 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
   failing PAM session modules to user then exit, similar to the way
   /etc/nologin is handled. ok djm@
 - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
 - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c]
   Make cygwin code more consistent with that which surrounds it
 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
   Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with
   SSH2 kbdint authentication, which needs to be dealt with separately. ok djm@
 - (dtucker) [session.c] Bug #927: make .hushlogin silent again. ok djm@
 - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure.
   Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me. ok djm@
 - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM.
   From deengert at anl.gov, ok djm@

20040830
 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
   copy required environment variables on Cygwin. Patch from vinschen at
   redhat.com, ok djm@
 - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too. Patch from
   vinschen at redhat.com.
 - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability
   of shell constructs. Patch from cjwatson at debian.org.

20040829
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from
   failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL.
   From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/08/23 11:48:09
     [authfile.c]
     fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
   - djm@cvs.openbsd.org 2004/08/23 11:48:47
     [channels.c]
     typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
   - dtucker@cvs.openbsd.org 2004/08/23 14:26:38
     [ssh-keysign.c ssh.c]
     Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
     change in Portable; ok markus@ (CVS ID sync only)
   - dtucker@cvs.openbsd.org 2004/08/23 14:29:23
     [ssh-keysign.c]
     Remove duplicate getuid(), suggested by & ok markus@
   - markus@cvs.openbsd.org 2004/08/26 16:00:55
     [ssh.1 sshd.8]
     get rid of references to rhosts authentication; with jmc@
   - djm@cvs.openbsd.org 2004/08/28 01:01:48
     [sshd.c]
     don't erroneously close stdin for !reexec case, from Dave Johnson;
     ok markus@
 - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check,
   fixes configure warning on Solaris reported by wknox at mitre.org.
 - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not
   support FD passing since multiplex requires it.
   Noted by tim@
 - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn
   down, needed on some platforms, should be harmless on others. Patch from
   jason at devrandom.org.
 - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like
   files ending in .exe that aren't binaries; patch from vinschen at redhat.com.
 - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree
   builds too, from vinschen at redhat.com.
 - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
   too; patch from cmadams at hiwaay.net.
 - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
 - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
   accounts with authentication configs that sshd can't support (ie
   SYSTEM=NONE and AUTH1=something).

20040828
 - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
   vinschen at redhat.com.

20040823
 - (djm) [ssh-rand-helper.c] Typo. Found by
   Martin.Kraemer AT Fujitsu-Siemens.com
 - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by
   Martin.Kraemer AT Fujitsu-Siemens.com

20040817
 - (dtucker) [regress/README.regress] Note compatibility issues with GNU head.
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/08/16 08:17:01
     [version.h]
     3.9
 - (djm) Crank RPM spec version numbers
 - (djm) Release 3.9p1

20040816
 - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
   to convince Solaris PAM to honour password complexity rules. ok djm@

20040815
 - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since
   it does the right thing on all platforms.
   ok djm@
 - (djm) [acconfig.h configure.ac openbsd-compat/Makefile.in
   openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-misc.c
   openbsd-compat/bsd-misc.h openbsd-compat/openbsd-compat.h] Use smarter
   closefrom() replacement from sudo; ok dtucker@
 - (djm) [loginrec.c] Check that seek succeeded here too; ok dtucker
 - (dtucker) [Makefile.in] Fix typo.

20040814
 - (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c]
   Explicitly set umask for mkstemp; ok djm@
 - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise
   prot.h and shadow.h provide conflicting declarations of getspnam. ok djm@
 - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
   Plug AIX login recording into login_write so logins will be recorded for
   all auth types.

20040813
 - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at
   redhat.com
 - (dtucker) OpenBSD CVS Sync
   - avsm@cvs.openbsd.org 2004/08/11 21:43:05
     [channels.c channels.h clientloop.c misc.c misc.h serverloop.c ssh-agent.c]
     some signed/unsigned int comparison cleanups; markus@ ok
   - avsm@cvs.openbsd.org 2004/08/11 21:44:32
     [authfd.c scp.c ssh-keyscan.c]
     use atomicio instead of homegrown equivalents or read/write.
     markus@ ok
   - djm@cvs.openbsd.org 2004/08/12 09:18:24
     [sshlogin.c]
     typo in error message, spotted by moritz AT jodeit.org (Id sync only)
   - jakob@cvs.openbsd.org 2004/08/12 21:41:13
     [ssh-keygen.1 ssh.1]
     improve SSHFP documentation; ok deraadt@
   - jmc@cvs.openbsd.org 2004/08/13 00:01:43
     [ssh-keygen.1]
     kill whitespace at eol;
   - djm@cvs.openbsd.org 2004/08/13 02:51:48
     [monitor_fdpass.c]
     extra check for no message case; ok markus, deraadt, hshoexer, henning
   - dtucker@cvs.openbsd.org 2004/08/13 11:09:24
     [servconf.c]
     Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
     ok markus@, djm@

20040812
 - (dtucker) [sshd.c] Remove duplicate variable imported during sync.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/07/28 08:56:22
     [sshd.c]
     call setsid() _before_ re-exec
   - markus@cvs.openbsd.org 2004/07/28 09:40:29
     [auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c
     sshconnect1.c]
     more s/illegal/invalid/
   - djm@cvs.openbsd.org 2004/08/04 10:37:52
     [dh.c]
     return group14 when no primes found - fixes hang on empty /etc/moduli;
     ok markus@
   - dtucker@cvs.openbsd.org 2004/08/11 11:09:54
     [servconf.c]
     Fix minor leak; "looks right" deraadt@
   - dtucker@cvs.openbsd.org 2004/08/11 11:50:09
     [sshd.c]
     Don't try to close startup_pipe if it's not open; ok djm@
   - djm@cvs.openbsd.org 2004/08/11 11:59:22
     [sshlogin.c]
     check that lseek went where we told it to; ok markus@
     (Id sync only, but similar changes are needed in loginrec.c)
   - djm@cvs.openbsd.org 2004/08/11 12:01:16
     [sshlogin.c]
     make store_lastlog_message() static to appease -Wall; ok markus
 - (dtucker) [sshd.c] Clear loginmsg in postauth monitor, prevents doubling
   messages generated before the postauth privsep split.

20040720
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/07/21 08:56:12
     [auth.c]
     s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas,
     miod, ...
   - djm@cvs.openbsd.org 2004/07/21 10:33:31
     [auth1.c auth2.c]
     bz#899: Don't display invalid usernames in setproctitle
     from peak AT argo.troja.mff.cuni.cz; ok markus@
   - djm@cvs.openbsd.org 2004/07/21 10:36:23
     [gss-serv-krb5.c]
     fix function declaration
   - djm@cvs.openbsd.org 2004/07/21 11:51:29
     [canohost.c]
     bz#902: cache remote port so we don't fatal() in auth_log when remote
     connection goes away quickly. from peak AT argo.troja.mff.cuni.cz;
     ok markus@
 - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid
   usernames in setproctitle from peak AT argo.troja.mff.cuni.cz;

20040720
 - (djm) [log.c] bz #111: Escape more control characters when sending data
   to syslog; from peak AT argo.troja.mff.cuni.cz
 - (djm) [contrib/redhat/sshd.pam] bz #903: Remove redundant entries; from
   peak AT argo.troja.mff.cuni.cz
 - (djm) [regress/README.regress] Remove caveat regarding TCP wrappers, now
   that sshd is fixed to behave better; suggested by tim

20040719
 - (djm) [openbsd-compat/bsd-arc4random.c] Discard early keystream, like OpenBSD
   ok dtucker@
 - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function,
   instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@
 - (tim) [configure.ac] updwtmpx() on OpenServer seems to add duplicate entry.
   Report by rac AT tenzing.org

20040717
 - (dtucker) [logintest.c scp.c sftp-server.c sftp.c ssh-add.c ssh-agent.c
   ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c ssh.c sshd.c
   openbsd-compat/bsd-misc.c] Move "char *__progname" to bsd-misc.c. Reduces
   diff vs OpenBSD; ok mouring@, tested by tim@ too.
 - (dtucker) OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2004/07/11 17:48:47
     [channels.c cipher.c clientloop.c clientloop.h compat.h moduli.c
     readconf.c nchan.c pathnames.h progressmeter.c readconf.h servconf.c
     session.c sftp-client.c sftp.c ssh-agent.1 ssh-keygen.c ssh.c ssh1.h
     sshd.c ttymodes.h]
     spaces
   - brad@cvs.openbsd.org 2004/07/12 23:34:25
     [ssh-keyscan.1]
     Fix incorrect macro, .I -> .Em
     From: Eric S. Raymond <esr at thyrsus dot com>
     ok jmc@
   - dtucker@cvs.openbsd.org 2004/07/17 05:31:41
     [monitor.c monitor_wrap.c session.c session.h sshd.c sshlogin.c]
     Move "Last logged in at.." message generation to the monitor, right
     before recording the new login. Fixes missing lastlog message when
     /var/log/lastlog is not world-readable and incorrect datestamp when
     multiple sessions are used (bz #463); much assistance & ok markus@

20040711
 - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows
   the monitor to properly clean up the PAM thread (Debian bug #252676).

20040709
 - (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from
   vinschen AT redhat.com

20040708
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2004/07/03 05:11:33
     [sshlogin.c] (RCSID sync only, the corresponding code is not in Portable)
     Use '\0' not 0 for string; ok djm@, deraadt@
   - dtucker@cvs.openbsd.org 2004/07/03 11:02:25
     [monitor_wrap.c]
     Put s/key functions inside #ifdef SKEY same as monitor.c,
     from des@freebsd via bz #330, ok markus@
   - dtucker@cvs.openbsd.org 2004/07/08 12:47:21
     [scp.c]
     Prevent scp from skipping the file following a double-error.
     bz #863, ok markus@

20040702
 - (dtucker) [mdoc2man.awk] Teach it to ignore .Bk -words, reported by
   strube at physik3.gwdg.de a long time ago.

20040701
 - (dtucker) [session.c] Call display_loginmsg again after do_pam_session.
   Ensures messages from PAM modules are displayed when privsep=no.
 - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes
   warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@
 - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK
   to pam_authenticate for challenge-response auth too. Originally from
   fcusack at fcusack.com, ok djm@
 - (tim) [buildpkg.sh.in] Add $REV to bump the package revision within
   the same version. Handle the case where someone uses --with-privsep-user=
   and the user name does not match the group name. ok dtucker@

20040630
 - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL
   appdata_ptr to the conversation function. ok djm@
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2004/06/26 09:03:21
     [ssh.1]
     - remove double word
     - rearrange .Bk to keep SYNOPSIS nice
     - -M before -m in options description
   - jmc@cvs.openbsd.org 2004/06/26 09:11:14
     [ssh_config.5]
     punctuation and grammar fixes. also, keep the options in order.
   - jmc@cvs.openbsd.org 2004/06/26 09:14:40
     [sshd_config.5]
     new sentence, new line;
   - avsm@cvs.openbsd.org 2004/06/26 20:07:16
     [sshd.c]
     initialise some fd variables to -1, djm@ ok
   - djm@cvs.openbsd.org 2004/06/30 08:36:59
     [session.c]
     unbreak TTY break, diagnosed by darren AT dazwin.com; ok markus@

20040627
 - (tim) update README files.
 - (dtucker) [mdoc2man.awk] Bug #883: correctly recognise .Pa and .Ev macros.
 - (dtucker) [regress/README.regress] Document new variables.
 - (dtucker) [acconfig.h configure.ac sftp-server.c] Bug #823: add sftp
   rename handling for Linux which returns EPERM for link() on (at least some)
   filesystems that do not support hard links.
   sftp-server will fall back to stat+rename() in such cases.
 - (dtucker) [openbsd-compat/port-aix.c] Missing __func__.

20040626
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/06/25 18:43:36
     [sshd.c]
     fix broken fd handling in the re-exec fallback path, particularly when
     /dev/crypto is in use; ok deraadt@ markus@
   - djm@cvs.openbsd.org 2004/06/25 23:21:38
     [sftp.c]
     bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de

20040625
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/06/24 19:30:54
     [servconf.c servconf.h sshd.c]
     re-exec sshd on accept(); initial work, final debugging and ok markus@
   - djm@cvs.openbsd.org 2004/06/25 01:16:09
     [sshd.c]
     only perform tcp wrappers checks when the incoming connection is on a
     socket. silences useless warnings from regress tests that use
     proxycommand="sshd -i". prompted by david@ ok markus@
   - djm@cvs.openbsd.org 2004/06/24 19:32:00
     [regress/Makefile regress/test-exec.sh, added regress/reexec.sh]
     regress test for re-exec corner cases
   - djm@cvs.openbsd.org 2004/06/25 01:25:12
     [regress/test-exec.sh]
     clean reexec-specific junk out of text-exec.sh and simplify; idea markus@
   - dtucker@cvs.openbsd.org 2004/06/25 05:38:48
     [sftp-server.c]
     Fall back to stat+rename if filesystem doesn't support hard
     links. bz#823, ok djm@
 - (dtucker) [configure.ac openbsd-compat/misc.c [openbsd-compat/misc.h]
   Add closefrom() for platforms that don't have it.
 - (dtucker) [sshd.c] add line missing from reexec sync.

20040623
 - (dtucker) [auth1.c] Ensure do_pam_account is called for Protocol 1
   connections with empty passwords.
   Patch from davidwu at nbttech.com,
   ok djm@
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2004/06/22 22:42:02
     [regress/envpass.sh]
     Add quoting for test -z; ok markus@
   - dtucker@cvs.openbsd.org 2004/06/22 22:45:52
     [regress/test-exec.sh]
     Add TEST_SSH_SSHD_CONFOPTS and TEST_SSH_SSH_CONFOPTS to allow adding
     arbitrary options to sshd_config and ssh_config during tests. ok markus@
   - dtucker@cvs.openbsd.org 2004/06/22 22:55:56
     [regress/dynamic-forward.sh regress/test-exec.sh]
     Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
   - mouring@cvs.openbsd.org 2004/06/23 00:39:38
     [rijndael.c]
     -Wshadow fix up s/encrypt/do_encrypt/. OK djm@, markus@
   - dtucker@cvs.openbsd.org 2004/06/23 14:31:01
     [ssh.c]
     Fix counting in master/slave when passing environment variables; ok djm@
 - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
   -Wshadow change.
 - (bal) [Makefile.in] Remove opensshd.init on 'make distclean'
 - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
   Move loginrestrictions test to port-aix.c, replace with a generic hook.
 - (tim) [regress/try-ciphers.sh] "if ! some_command" is not portable.
 - (bal) [contrib/README] Removed "mdoc2man.pl" reference and added
   reference to "findssl.sh"

20040622
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/06/20 17:36:59
     [ssh.c]
     filter passed env vars at slave in connection sharing case; ok markus@
   - djm@cvs.openbsd.org 2004/06/20 18:53:39
     [sftp.c]
     make "ls -l" listings print user/group names, add "ls -n" to show uid/gid
     (like /bin/ls); idea & ok markus@
   - djm@cvs.openbsd.org 2004/06/20 19:28:12
     [sftp.1]
     mention new -n flag
   - avsm@cvs.openbsd.org 2004/06/21 17:36:31
     [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c
     cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c
     monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c
     ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c
     sshpty.c]
     make ssh -Wshadow clean, no functional changes
     markus@ ok
   - djm@cvs.openbsd.org 2004/06/21 17:53:03
     [session.c]
     fix fd leak for multiple subsystem connections; with markus@
   - djm@cvs.openbsd.org 2004/06/21 22:02:58
     [log.h]
     mark fatal and cleanup exit as __dead; ok markus@
   - djm@cvs.openbsd.org 2004/06/21 22:04:50
     [sftp.c]
     introduce sorting for ls, same options as /bin/ls; ok markus@
   - djm@cvs.openbsd.org 2004/06/21 22:30:45
     [sftp.c]
     prefix ls option flags with LS_
   - djm@cvs.openbsd.org 2004/06/21 22:41:31
     [sftp.1]
     document sort options
   - djm@cvs.openbsd.org 2004/06/22 01:16:39
     [sftp.c]
     don't show .files by default in ls, add -a option to turn them back on;
     ok markus
   - markus@cvs.openbsd.org 2004/06/22 03:12:13
     [regress/envpass.sh regress/multiplex.sh]
     more portable env passing tests
   - dtucker@cvs.openbsd.org 2004/06/22 05:05:45
     [monitor.c monitor_wrap.c]
     Change login->username, will prevent -Wshadow errors in Portable;
     ok markus@
 - (dtucker) [monitor.c] Fix Portable-specific -Wshadow warnings on "socket".
 - (dtucker) [defines.h] Define __dead if not already defined.
 - (bal) [auth-passwd.c auth1.c] Clean up unused variables.

20040620
 - (tim) [configure.ac Makefile.in] Only change TEST_SHELL on broken platforms.

20040619
 - (dtucker) [auth-pam.c] Don't use PAM namespace for
   pam_password_change_required either.
 - (tim) [configure.ac buildpkg.sh.in contrib/solaris/README] move opensshd
   init script to top level directory. Add opensshd.init.in.
   Remove contrib/solaris/buildpkg.sh, contrib/solaris/opensshd.in

20040618
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/06/17 14:52:48
     [clientloop.c clientloop.h ssh.c]
     support environment passing over shared connections; ok markus@
   - djm@cvs.openbsd.org 2004/06/17 15:10:14
     [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]
     Add option for confirmation (ControlMaster=ask) via ssh-askpass before
     opening shared connections; ok markus@
   - djm@cvs.openbsd.org 2004/06/17 14:53:27
     [regress/multiplex.sh]
     shared connection env passing regress test
 - (dtucker) [regress/README.regress] Add detail on how to run a single
   test from the top-level Makefile.
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/06/17 23:56:57
     [ssh.1 ssh.c]
     sync usage() and SYNOPSIS with connection sharing changes
   - dtucker@cvs.openbsd.org 2004/06/18 06:13:25
     [sftp.c]
     Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@
   - dtucker@cvs.openbsd.org 2004/06/18 06:15:51
     [multiplex.sh]
     Use -S for scp/sftp to force the use of the ssh being tested.
     ok djm@,markus@
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/06/18 10:40:19
     [ssh.c]
     delay signal handler setup until we have finished talking to the master.
     allow interrupting of setup (e.g.
     if master is stuck); ok markus@
   - markus@cvs.openbsd.org 2004/06/18 10:55:43
     [ssh.1 ssh.c]
     trim synopsis for -S, allow -S and -oControlMaster, -MM means 'ask';
     ok djm
   - djm@cvs.openbsd.org 2004/06/18 11:11:54
     [channels.c clientloop.c]
     Don't explode in clientloop when we receive a bogus channel id, but
     also don't generate them to begin with; ok markus@

20040617
 - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some
   platforms), so test if diff understands it. Pointed out by tim@, ok djm@
 - (dtucker) OpenBSD CVS Sync regress/
   - dtucker@cvs.openbsd.org 2004/06/17 05:51:59
     [regress/multiplex.sh]
     Remove datafile between and after tests, kill sshd rather than wait;
     ok djm@
   - dtucker@cvs.openbsd.org 2004/06/17 06:00:05
     [regress/multiplex.sh]
     Use DATA and COPY for test data rather than hard-coded paths; ok djm@
   - dtucker@cvs.openbsd.org 2004/06/17 06:19:06
     [regress/multiplex.sh]
     Add small description of failing test to failure message; ok djm@
 - (dtucker) [regress/multiplex.sh] add EXEEXT for those platforms that need
   it.
 - (dtucker) [regress/multiplex.sh] Increase sleep time to 120 sec (60 is not
   enough for slow systems, especially if they don't have a kernel RNG).

20040616
 - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No
   code changes.
 - (dtucker) OpenBSD CVS Sync regress/
   - djm@cvs.openbsd.org 2004/04/27 09:47:30
     [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
     regress test for environment passing, SendEnv & AcceptEnv options;
     ok markus@
   - dtucker@cvs.openbsd.org 2004/06/13 13:51:02
     [regress/Makefile regress/test-exec.sh, added regress/scp-ssh-wrapper.sh
     regress/scp.sh]
     Add scp regression test; with & ok markus@
   - djm@cvs.openbsd.org 2004/06/13 15:04:08
     [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
     regress test for client multiplexing; ok markus@
   - djm@cvs.openbsd.org 2004/06/13 15:16:54
     [regress/test-exec.sh]
     remove duplicate setting of $SCP; spotted by markus@
   - dtucker@cvs.openbsd.org 2004/06/16 13:15:09
     [regress/scp.sh]
     Make scp -r tests use diff -rN not cmp (which won't do dirs. ok markus@
   - dtucker@cvs.openbsd.org 2004/06/16 13:16:40
     [regress/multiplex.sh]
     Silence multiplex sftp and scp tests. ok markus@
 - (dtucker) [regress/test-exec.sh]
   Move Portable-only StrictModes to top of list to make syncs easier.
 - (dtucker) [regress/README.regress]
   Add $TEST_SHELL to readme.

20040615
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/05/26 08:59:57
     [sftp.c]
     exit -> _exit in forked child on error; from andrushock AT korovino.net
   - markus@cvs.openbsd.org 2004/05/26 23:02:39
     [channels.c]
     missing freeaddrinfo; Andrey Matveev
   - dtucker@cvs.openbsd.org 2004/05/27 00:50:13
     [readconf.c]
     Kill dead code after fatal(); ok djm@
   - dtucker@cvs.openbsd.org 2004/06/01 14:20:45
     [auth2-chall.c]
     Remove redundant #include; ok markus@
   - pedro@cvs.openbsd.org 2004/06/03 12:22:20
     [sftp-client.c sftp.c]
     initialize pointers, ok markus@
   - djm@cvs.openbsd.org 2004/06/13 12:53:24
     [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h]
     [ssh-keyscan.c sshconnect2.c sshd.c]
     implement diffie-hellman-group14-sha1 kex method (trivial extension to
     existing diffie-hellman-group1-sha1); ok markus@
   - dtucker@cvs.openbsd.org 2004/06/13 14:01:42
     [ssh.1 ssh_config.5 sshd_config.5]
     List supported ciphers in man pages, tidy up ssh -c;
     "looks fine" jmc@, ok markus@
   - djm@cvs.openbsd.org 2004/06/13 15:03:02
     [channels.c channels.h clientloop.c clientloop.h includes.h readconf.c]
     [readconf.h scp.1 sftp.1 ssh.1 ssh.c ssh_config.5]
     implement session multiplexing in the client (the server has supported
     this since 2.0); ok markus@
   - djm@cvs.openbsd.org 2004/06/14 01:44:39
     [channels.c clientloop.c misc.c misc.h packet.c ssh-agent.c ssh-keyscan.c]
     [sshd.c]
     set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
   - djm@cvs.openbsd.org 2004/06/15 05:45:04
     [clientloop.c]
     missed one unset_nonblock; spotted by Tim Rice
 - (djm) Fix Makefile.in for connection sharing changes
 - (djm) [ssh.c] Use separate var for address length

20040603
 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.
   ok djm@

20040601
 - (djm) [auth-pam.c] Add copyright for local changes

20040530
 - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM
   support for PasswordAuthentication=yes. ok djm@
 - (dtucker) [auth-pam.c] Use an invalid password for root if
   PermitRootLogin != yes or the login is invalid, to prevent leaking
   information. Based on Openwall's owl-always-auth patch. ok djm@
 - (tim) [configure.ac Makefile.in] Add support for "make package" ok djm@
 - (tim) [buildpkg.sh.in] New file. A more flexible version of
   contrib/solaris/buildpkg.sh used for "make package".
 - (tim) [buildpkg.sh.in] Last minute fix didn't make it in the .in file.

20040527
 - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec
   contrib/README CREDITS INSTALL] Bug #873: Correct URLs for x11-ssh-askpass
   and Jim Knoble's email address , from Jim himself.

20040524
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/05/19 12:17:33
     [sftp-client.c sftp.c]
     gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
     waiting for a command; ok markus@
   - dtucker@cvs.openbsd.org 2004/05/20 10:58:05
     [clientloop.c]
     Trivial type fix 0 -> '\0'; ok markus@
   - markus@cvs.openbsd.org 2004/05/21 08:43:03
     [kex.h moduli.c tildexpand.c]
     add prototypes for -Wall; ok djm
   - djm@cvs.openbsd.org 2004/05/21 11:33:11
     [channels.c channels.h clientloop.c serverloop.c ssh.1]
     bz #756: add support for the cancel-tcpip-forward request for the server
     and the client (through the ~C commandline).
     reported by z3p AT twistedmatrix.com; ok markus@
   - djm@cvs.openbsd.org 2004/05/22 06:32:12
     [clientloop.c ssh.1]
     use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@
   - jmc@cvs.openbsd.org 2004/05/22 16:01:05
     [ssh.1]
     kill whitespace at eol;
   - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
     [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config
     sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
 - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread"
   is terminated if the privsep slave exits during keyboard-interactive
   authentication. ok djm@
 - (dtucker) [sshd.c] Fix typo in comment.

20040523
 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
   sshd_config; ok dtucker@
 - (djm) [configure.ac] Warn if the system has no known way of figuring out
   which user is on the other end of a Unix domain socket; ok dtucker@
 - (bal) [openbsd-compat/sys-queue.h] Reintroduce machinery to handle
   old/broken/incomplete <sys/queue.h>.

20040513
 - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in
   libresolv, fixes problems detecting it on some platforms
   (eg Linux/x86-64).
   From Kurt Roeckx via Debian, ok mouring@
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2004/05/04 18:36:07
     [scp.1]
     SendEnv here too;
   - jmc@cvs.openbsd.org 2004/05/06 11:24:23
     [ssh_config.5]
     typo from John Cosimano (PR 3770);
   - deraadt@cvs.openbsd.org 2004/05/08 00:01:37
     [auth.c clientloop.c misc.h servconf.c ssh.c sshpty.h sshtty.c
     tildexpand.c], removed: sshtty.h tildexpand.h
     make two tiny header files go away; djm ok
   - djm@cvs.openbsd.org 2004/05/08 00:21:31
     [clientloop.c misc.h readpass.c scard.c ssh-add.c ssh-agent.c ssh-keygen.c
     sshconnect.c sshconnect1.c sshconnect2.c] removed: readpass.h
     kill a tiny header; ok deraadt@
   - djm@cvs.openbsd.org 2004/05/09 00:06:47
     [moduli.c ssh-keygen.c] removed: moduli.h
     zap another tiny header; ok deraadt@
   - djm@cvs.openbsd.org 2004/05/09 01:19:28
     [OVERVIEW auth-rsa.c auth1.c kex.c monitor.c session.c sshconnect1.c
     sshd.c] removed: mpaux.c mpaux.h
     kill some more tiny files; ok deraadt@
   - djm@cvs.openbsd.org 2004/05/09 01:26:48
     [kex.c]
     don't overwrite what we are trying to compute
   - deraadt@cvs.openbsd.org 2004/05/11 19:01:43
     [auth.c auth2-none.c authfile.c channels.c monitor.c monitor_mm.c
     packet.c packet.h progressmeter.c session.c openbsd-compat/xmmap.c]
     improve some code lint did not like; djm millert ok
   - dtucker@cvs.openbsd.org 2004/05/13 02:47:50
     [ssh-agent.1]
     Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@
 - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to
   UsePAM section. Parts from djm@ and jmc@.
 - (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses
   readpass.h, grep says scard-opensc.c does too. Replace with misc.h.
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Check that HAVE_DECL_H_ERROR
   is defined before using.
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Fix typo too: HAVE_DECL_H_ERROR
   -> HAVE_DECL_H_ERRNO.

20040502
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/04/22 11:56:57
     [moduli.c]
     Bugzilla #850: Sophie Germain is the correct name of the French
     mathematician, "Sophie Germaine" isn't; from Luc.Maisonobe@c-s.fr
   - djm@cvs.openbsd.org 2004/04/27 09:46:37
     [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c
     ssh_config.5 sshd_config.5]
     bz #815: implement ability to pass specified environment variables from
     the client to the server; ok markus@
   - djm@cvs.openbsd.org 2004/04/28 05:17:10
     [ssh_config.5 sshd_config.5]
     manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)
   - jmc@cvs.openbsd.org 2004/04/28 07:02:56
     [sshd_config.5]
     remove unnecessary .Pp;
   - jmc@cvs.openbsd.org 2004/04/28 07:13:42
     [sftp.1 ssh.1]
     add SendEnv to -o list;
   - dtucker@cvs.openbsd.org 2004/05/02 11:54:31
     [sshd.8]
     Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk
     via Debian; ok djm@
   - dtucker@cvs.openbsd.org 2004/05/02 11:57:52
     [ssh.1]
     ConnectionTimeout -> ConnectTimeout, from m.a.ellis at ncl.ac.uk via
     Debian. ok djm@
   - dtucker@cvs.openbsd.org 2004/05/02 23:02:17
     [sftp.1]
     ConnectionTimeout -> ConnectTimeout here too, pointed out by jmc@
   - dtucker@cvs.openbsd.org 2004/05/02 23:17:51
     [scp.1]
     ConnectionTimeout -> ConnectTimeout for scp.1 too.

20040423
 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno
   as extern int if not already declared. Fixes compile errors on old SCO
   platforms. ok tim@
 - (dtucker) [README.platform] List prereqs for building on Cygwin.

20040421
 - (djm) Update config.guess and config.sub to autoconf-2.59 versions; ok tim@

20040420
 - (djm) OpenBSD CVS Sync
   - henning@cvs.openbsd.org 2004/04/08 16:08:21
     [sshconnect2.c]
     swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what
     FreeBSD and NetBSD do.
     ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@
   - djm@cvs.openbsd.org 2004/04/18 23:10:26
     [readconf.c readconf.h ssh-keysign.c ssh.c]
     perform strict ownership and modes checks for ~/.ssh/config files,
     as these can be used to execute arbitrary programs; ok markus@
     NB. ssh will now exit when it detects a config with poor permissions
   - djm@cvs.openbsd.org 2004/04/19 13:02:40
     [ssh.1 ssh_config.5]
     document strict permission checks on ~/.ssh/config; prompted by,
     with & ok jmc@
   - jmc@cvs.openbsd.org 2004/04/19 16:12:14
     [ssh_config.5]
     kill whitespace at eol;
   - djm@cvs.openbsd.org 2004/04/19 21:51:49
     [ssh.c]
     fix idiot typo that i introduced in my last commit;
     spotted by cschneid AT cschneid.com
 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for
   above change
 - (djm) [configure.ac] Check whether libroken is required when building
   with Heimdal

20040419
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2004/02/29 22:04:45
     [regress/login-timeout.sh]
     Use sudo when restarting daemon during test. ok markus@
   - dtucker@cvs.openbsd.org 2004/03/08 10:17:12
     [regress/login-timeout.sh]
     Missing OBJ, from tim@.
     ok markus@ (Already fixed, ID sync only)
   - djm@cvs.openbsd.org 2004/03/30 12:41:56
     [sftp-client.c]
     sync comment with reality
   - djm@cvs.openbsd.org 2004/03/31 21:58:47
     [canohost.c]
     don't skip ip options check when UseDNS=no; ok markus@ (ID sync only)
   - markus@cvs.openbsd.org 2004/04/01 12:19:57
     [scp.c]
     limit trust between local and remote rcp/scp process,
     noticed by lcamtuf; ok deraadt@, djm@

20040418
 - (dtucker) [auth-pam.c] Log username and source host for failed PAM
   authentication attempts. With & ok djm@
 - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow
   change of user context without a password, so relax auth method
   restrictions; from vinschen AT redhat.com; ok dtucker@

20040416
 - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since
   FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com
 - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache
   file using FILE: method, fixes problems on Mac OSX.
   Patch from simon@sxw.org.uk; ok dtucker@
 - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and
   BROKEN_SETREGID for SCO OpenServer 3

20040412
 - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
   from bug #701 (text from jfh at cise.ufl.edu).
 - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg
   skeychallenge(), eg on NetBSD. ok mouring@
 - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly
   4-arg, with compatibility for 3-arg versions. From djm@, ok me.
 - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@

20040408
 - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating
   pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org.
 - (bal) [monitor.c monitor_wrap.c] Second try.
   Put the zlib.h headers
   back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple)
 - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and
   simplify loginrec.c. ok tim@
 - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested
   limiting scope and dtucker@ agreed.

20040407
 - (dtucker) [session.c] Flush stdout after displaying loginmsg. From
   f_mohr at yahoo.de.
 - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see
   if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X)
   are starting to restrict it as internal since it is not needed by
   developers any more. (Patch based on Apple tree)
 - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since
   krb5 on MacOS/X conflicts. There may be a better solution, but this will
   work for now.

20040406
 - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
   updwtmpx() on IRIX since it seems to clobber utmp. ok djm@
 - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect
   broken getaddrinfo and friends on HP-UX. ok djm@

20040330
 - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on
   Linuxes, since that's what many use. ok djm@
 - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c
   to reduce potential confusion with the one in sshd.c. ok djm@
 - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection;
   with & ok dtucker@

20040327
 - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent
   duplicate login messages for multi-session logins.
   ok djm@

20040322
 - (djm) [sshd.c] Drop supplemental groups if started as root
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/03/09 22:11:05
     [ssh.c]
     increase x11 cookie lifetime to 20 minutes; ok djm
   - markus@cvs.openbsd.org 2004/03/10 09:45:06
     [ssh.c]
     trim usage to match ssh(1) and look more like unix. ok djm@
   - markus@cvs.openbsd.org 2004/03/11 08:36:26
     [sshd.c]
     trim usage; ok deraadt
   - markus@cvs.openbsd.org 2004/03/11 10:21:17
     [ssh.c sshd.c]
     ssh, sshd: sync version output, ok djm
   - markus@cvs.openbsd.org 2004/03/20 10:40:59
     [version.h]
     3.8.1
 - (djm) Crank RPM spec versions

20040311
 - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker

20040310
 - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo
   before redefining it, silences warnings on Tru64.

20040308
 - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
   platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@
 - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h
   openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being
   inherited by the child. ok djm@
 - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
   monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
   even if keyboard-interactive is not used by the client. Prevents
   segfaults in some cases where the user's password is expired (note this
   is not considered a security exposure).
   ok djm@
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/03/03 06:47:52
     [sshd.c]
     change proctitle after accept(2); ok henning, deraadt, djm
   - djm@cvs.openbsd.org 2004/03/03 09:30:42
     [sftp-client.c]
     Don't print duplicate messages when progressmeter is off
     Spotted by job317 AT mailvault.com; ok markus@
   - djm@cvs.openbsd.org 2004/03/03 09:31:20
     [sftp.c]
     Fix initialisation of progress meter; ok markus@
   - markus@cvs.openbsd.org 2004/03/05 10:53:58
     [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
     add IdentitiesOnly; ok djm@, pb@
   - djm@cvs.openbsd.org 2004/03/08 09:38:05
     [ssh-keyscan.c]
     explicitly initialise remote_major and remote_minor.
     from cjwatson AT debian.org; ok markus@
   - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
     [sshd_config.5]
     Document KerberosGetAFSToken; ok markus@
 - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal

20040307
 - (tim) [regress/login-timeout.sh] fix building outside of source tree.

20040304
 - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with
   -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@
 - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread,
   prevent hanging during PAM keyboard-interactive authentications. ok djm@
 - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h
   openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when
   configured --with-osfsia.
   ok djm@

20040303
 - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
   ok dtucker

20040229
 - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188

20040229
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/02/25 00:22:45
     [sshd.c]
     typo in comment
   - dtucker@cvs.openbsd.org 2004/02/27 22:42:47
     [dh.c]
     Prevent sshd from sending DH groups with a primitive generator of zero or
     one, even if they are listed in /etc/moduli. ok markus@
   - dtucker@cvs.openbsd.org 2004/02/27 22:44:56
     [dh.c]
     Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone
     ever uses one. ok markus@
   - dtucker@cvs.openbsd.org 2004/02/27 22:49:27
     [dh.c]
     Reset bit counter at the right time, fixes debug output in the case where
     the DH group is rejected. ok markus@
   - dtucker@cvs.openbsd.org 2004/02/17 08:23:20
     [regress/Makefile regress/login-timeout.sh]
     Add regression test for LoginGraceTime; ok markus@
   - markus@cvs.openbsd.org 2004/02/24 16:56:30
     [regress/test-exec.sh]
     allow arguments in ${TEST_SSH_XXX}
   - markus@cvs.openbsd.org 2004/02/24 17:06:52
     [regress/ssh-com-client.sh regress/ssh-com-keygen.sh
     regress/ssh-com-sftp.sh regress/ssh-com.sh]
     test against recent ssh.com releases
   - dtucker@cvs.openbsd.org 2004/02/28 12:16:57
     [regress/dynamic-forward.sh]
     Make dynamic-forward understand nc's new output. ok markus@
   - dtucker@cvs.openbsd.org 2004/02/28 13:44:45
     [regress/try-ciphers.sh]
     Test acss too; ok markus@
 - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we
   built with openssl < 0.9.7)

20040226
 - (bal) KNF our sshlogin.c even if the code looks nothing like upstream
   code due to diversity issues.

20040225
 - (djm) Trim ChangeLog
 - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora

20040224
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/02/19 21:15:04
     [sftp-server.c]
     switch to new license.template
   - markus@cvs.openbsd.org 2004/02/23 12:02:33
     [sshd.c]
     backout revision 1.279; set listen socket to non-block; ok henning.
   - markus@cvs.openbsd.org 2004/02/23 15:12:46
     [bufaux.c]
     encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka
     and drop support for negative BNs; ok otto@
   - markus@cvs.openbsd.org 2004/02/23 15:16:46
     [version.h]
     enter 3.8
 - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found
   with krb5-config, hunt down gssapi.h and friends. Based partially on patch
   from deengert at anl.gov. ok djm@
 - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime
   using sysconf() if available Based on patches from
   holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
 - (dtucker) [uidswap.c] Minor KNF. ok djm@
 - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@
 - (djm) Crank RPM spec versions
 - (dtucker) [README] Add pointer to release notes. ok djm@
 - (dtucker) [README.platform] Add platform-specific notes.
 - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot
 - (djm) Release 3.8p1

20040223
 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the
   non-interactive path. ok djm@

20040222
 - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test
   to auth-shadow.c, no functional change. ok djm@
 - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or
   password expiry. ok djm@
 - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents
   multiple warnings if a wrong password is entered.
 - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path
   too.

20040220
 - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@

20040218
 - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a
   path with a "-" in it. From Sergio.Gelato at astro.su.se.
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/02/17 07:17:29
     [sftp-glob.c sftp.c]
     Remove useless headers; ok deraadt@
   - djm@cvs.openbsd.org 2004/02/17 11:03:08
     [sftp.c]
     sftp.c and sftp-int.c, together at last; ok markus@
   - jmc@cvs.openbsd.org 2004/02/17 19:35:21
     [sshd_config.5]
     remove cruft left over from RhostsAuthentication removal;
     ok markus@
 - (djm) [log.c] Correct use of HAVE_OPENLOG_R
 - (djm) [log.c] Tighten openlog_r tests

20040217
 - (djm) Simplify the license on code I have written. No code changes.
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/02/17 05:39:51
     [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c]
     [sftp-int.h sftp.c]
     switch to license.template for code written by me (belated, I know...)
 - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from
   stadal@suse.cz and simon@sxw.org.uk
 - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@
 - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for
   display after login. Should fix problems like pam_motd not displaying
   anything, noticed by cjwatson at debian.org. ok djm@

20040212
 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh]
   Portability fixes. Data sftp transfers need to be world readable. Some
   older shells hang on while loops when doing sh -n some_script. OK dtucker@
 - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3.
   ok mouring@

20040211
 - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check
   if HAS_SHADOW_EXPIRY is set.
 - (tim) [configure.ac] Fix comment to match code changes in ver 1.117

20040210
 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
   openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
   native password expiry.
 - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
   defines.h] Bug #14: Use do_pwchange to support password expiry and force
   change for platforms using /etc/shadow. ok djm@
 - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat
   functions to avoid conflicts with Heimdal's libroken. ok djm@
 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
   change expired PAM passwords for SSHv1 connections without privsep.
   pam_chauthtok is still used when privsep is disabled. ok djm@
 - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move
   include from port-aix.h to port-aix.c and remove unnecessary function
   definition. Fixes build errors on AIX.
 - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms
   that support it. from & ok mouring@
 - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x.
   ok djm@

20040207
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2004/02/06 23:41:13
     [cipher-ctr.c]
     Use EVP_CIPHER_CTX_key_length for key length. ok markus@
     (This will fix builds with OpenSSL 0.9.5)
 - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5.
   ok djm@, markus@

20040206
 - (dtucker) [acss.c acss.h] Fix $Id tags.
 - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with
   OpenSSL >= 0.9.7.
   ok djm@
 - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root
   user, since some modules might fail due to lack of privilege. ok djm@
 - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO
   for HP-UX 11.11. If there are known-good configs where this is not
   required, please report them. ok djm@
 - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent
   accidentally inheriting from root's environment. ok djm@
 - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796:
   Restore previous authdb setting after auth calls. Fixes problems with
   setpcred failing on accounts that use AFS or NIS password registries.
 - (dtucker) [configure.ac includes.h] Include <sys/stream.h> if present,
   required on Solaris 2.5.1 for queue_t, which is used by <sys/ptms.h>.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2004/01/30 09:48:57
     [auth-passwd.c auth.h pathnames.h session.c]
     support for password change; ok dtucker@
     (set password-dead=1w in login.conf to use this).
     In -Portable, this is currently only platforms using bsdauth.
   - dtucker@cvs.openbsd.org 2004/02/05 05:37:17
     [monitor.c sshd.c]
     Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
   - markus@cvs.openbsd.org 2004/02/05 15:33:33
     [progressmeter.c]
     fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@

20040129
 - (dtucker) OpenBSD CVS Sync regress/
   - dtucker@cvs.openbsd.org 2003/10/11 11:49:49
     [Makefile banner.sh]
     Test missing banner file, suppression of banner with ssh -q, check return
     code from ssh. ok markus@
   - jmc@cvs.openbsd.org 2003/11/07 10:16:44
     [ssh-com.sh]
     adress -> address, and a few more; all from Jonathon Gray;
   - djm@cvs.openbsd.org 2004/01/13 09:49:06
     [sftp-batch.sh]
 - (dtucker) [configure.ac] Add --without-zlib-version-check.
   Feedback from tim@, ok several
 - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h]
   Bug #775: Cray fixes from wendy at cray.com

20040128
 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@
 - (dtucker) [moduli] Import new moduli file from OpenBSD.

20040127
 - (djm) OpenBSD CVS Sync
   - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03
     [cipher.c]
     enable acss for ssh
     ok deraadt@ markus@
   - mouring@cvs.openbsd.org 2004/01/23 17:57:48
     [sftp-int.c]
     Fix issue pointed out with ls not handling large directories
     with embedded paths correctly. OK damien@
   - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33
     [cipher.c]
     rename acss@opebsd.org to acss@openssh.org
     ok deraadt@
   - djm@cvs.openbsd.org 2004/01/25 03:49:09
     [sshconnect.c]
     reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785)
     from jclonguet AT free.fr; ok millert@
   - djm@cvs.openbsd.org 2004/01/27 10:08:10
     [sftp.c]
     reorder parsing so user:skey@host:file works (bugzilla #777)
     patch from admorten AT umich.edu; ok markus@
 - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS
   if libcrypto lacks it

20040126
 - (tim) Typo in regress/README.regress
 - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated.
 - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG
 - (tim) [configure.ac includes.h] add <sys/ptms.h> for grantpt() and friends.
 - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ
   and T_SIG to getrrsetbyname.h

20040124
 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com

20040123
 - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from
   ralf.hack AT pipex.net; ok dtucker@
 - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect
   Kerberos location (and thus work with Fedora Core 1);
   from jason AT devrandom.org
 - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for
   zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@
 - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options.
   Patch from vinschen at redhat.com.
 - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
   Change AFS symbol to USE_AFS to prevent namespace collisions, do not
   include kafs.h unless necessary. From deengert at anl.gov.
 - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and
   -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \
   CPPFLAGS="-I/usr/local/include" ./configure if needed.

20040122
 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/
   GSSAPI detection, libs and includes. ok djm@
 - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not
   just HEIMDAL.
 - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of
   /usr/local being a symbolic link. Fixes problem reported by Henry Grebler.

20040121
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2004/01/13 09:25:05
     [sftp-int.c sftp.1 sftp.c]
     Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and
     enable use of "-b -" to accept batchfile from stdin; ok markus@
   - jmc@cvs.openbsd.org 2004/01/13 12:17:33
     [sftp.1]
     remove unnecessary Ic's;
     kill whitespace at EOL;
     ok djm@
   - markus@cvs.openbsd.org 2004/01/13 19:23:15
     [compress.c session.c]
     -Wall; ok henning
   - markus@cvs.openbsd.org 2004/01/13 19:45:15
     [compress.c]
     cast for portability; millert@
   - markus@cvs.openbsd.org 2004/01/19 09:24:21
     [channels.c]
     fake consumption for half closed channels since the peer is waiting for
     window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
     reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'
   - markus@cvs.openbsd.org 2004/01/19 21:25:15
     [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c]
     fix mem leaks; some fixes from Pete Flugstad; tested dtucker@
   - djm@cvs.openbsd.org 2004/01/21 03:07:59
     [sftp.c]
     initialise infile in main, rather than statically - from portable
   - deraadt@cvs.openbsd.org 2004/01/11 21:55:06
     [sshpty.c]
     for pty opening, only use the openpty() path. the other stuff only needs
     to be in openssh-p; markus ok
 - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an
   openpty() replacement

20040114
 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits
   unexpectedly. with & ok djm@
 - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add
   test for case where cleanup has already run.
 - (dtucker) [auth-pam.c] Add minor debugging.

20040113
 - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No
   functional changes.

20040108
 - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and
   only define if not already. From des at freebsd.org.
 - (dtucker) [configure.ac] Remove extra (typo) comma.

20040105
 - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from
   cjwatson at debian.org.
 - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
   Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@

20040102
 - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from
   jakob@
 - (djm) Remove useless DNS support configure summary message. from jakob@
 - (djm) OSX/Darwin put the PAM headers in a different place, detect this.
   Report from jakob@

20031231
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2003/12/22 09:16:58
     [moduli.c ssh-keygen.1 ssh-keygen.c]
     tidy up moduli generation debugging, add -v (verbose/debug) option to
     ssh-keygen; ok markus@
   - markus@cvs.openbsd.org 2003/12/22 20:29:55
     [cipher-3des1.c]
     EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
   - jakob@cvs.openbsd.org 2003/12/23 16:12:10
     [servconf.c servconf.h session.c sshd_config]
     implement KerberosGetAFSToken server option. ok markus@, beck@
   - millert@cvs.openbsd.org 2003/12/29 16:39:50
     [sshd_config]
     KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
   - dtucker@cvs.openbsd.org 2003/12/31 00:24:50
     [auth2-passwd.c]
     Ignore password change request during password auth (which we currently
     don't support) and discard proposed new password. corrections/ok markus@
 - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist.

20031219
 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
   typedef size_t ourselves.

20031218
 - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban.
 - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
   authentication. Partially fixes bug #423. Feedback & ok djm@

20031217
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/12/09 15:28:43
     [serverloop.c]
     make ClientKeepAlive work for ssh -N, too (no login shell requested).
     1) send a bogus channel request if we find a channel
     2) send a bogus global request if we don't have a channel
     ok + test beck@
   - markus@cvs.openbsd.org 2003/12/09 17:29:04
     [sshd.c]
     fix -o and HUP; ok henning@
   - markus@cvs.openbsd.org 2003/12/09 17:30:05
     [ssh.c]
     don't modify argv for ssh -o; similar to sshd.c 1.283
   - markus@cvs.openbsd.org 2003/12/09 21:53:37
     [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1]
     [ssh_config.5 sshconnect.c sshd.c sshd_config.5]
     rename keepalive to tcpkeepalive; the old name causes too much
     confusion; ok djm, dtucker; with help from jmc@
   - dtucker@cvs.openbsd.org 2003/12/09 23:45:32
     [clientloop.c]
     Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@
   - markus@cvs.openbsd.org 2003/12/14 12:37:21
     [ssh_config.5]
     we don't support GSS KEX; from Simon Wilkinson
   - markus@cvs.openbsd.org 2003/12/16 15:49:51
     [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1]
     [ssh.c ssh_config.5]
     application layer keep alive (ServerAliveInterval ServerAliveCountMax)
     for ssh(1), similar to the sshd(8) option; ok beck@; with help from
     jmc and dtucker@
   - markus@cvs.openbsd.org 2003/12/16 15:51:54
     [dh.c]
     use <= instead of < in dh_estimate; ok provos/hshoexer;
     do not return < DH_GRP_MIN
 - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for
   setres[ug]id() present but not implemented (eg some Linux/glibc
   combinations).
 - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are
   using a real 'signal()' (Noticed by a NeXT Compile)

20031209
 - (dtucker) OpenBSD CVS Sync
   - matthieu@cvs.openbsd.org 2003/11/25 23:10:08
     [ssh-add.1]
     ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@.
   - djm@cvs.openbsd.org 2003/11/26 21:44:29
     [cipher-aes.c]
     fix #ifdef before #define; ok markus@
     (RCS ID sync only, Portable already had this)
   - markus@cvs.openbsd.org 2003/12/02 12:15:10
     [progressmeter.c]
     improvements from andreas@:
     * saner speed estimate for transfers that take less than a second by
       rounding the time to 1 second.
     * when the transfer is finished calculate the actual total speed
       rather than the current speed which is given during the transfer
   - markus@cvs.openbsd.org 2003/12/02 17:01:15
     [channels.c session.c ssh-agent.c ssh.h sshd.c]
     use SSH_LISTEN_BACKLOG (=128) in listen(2).
   - djm@cvs.openbsd.org 2003/12/07 06:34:18
     [moduli.c]
     remove unused debugging #define templates
   - markus@cvs.openbsd.org 2003/12/08 11:00:47
     [kexgexc.c]
     print requested group size in debug; ok djm
   - dtucker@cvs.openbsd.org 2003/12/09 13:52:55
     [moduli.c]
     Prevent ssh-keygen -T from outputting moduli with a generator of 0, since
     they can't be used for Diffie-Hellman. Assistance and ok djm@
 - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below.

20031208
 - (tim) [configure.ac] Bug 770. Fix --without-rpath.

20031123
 - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own
   function and call it unconditionally
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2003/11/23 23:17:34
     [ssh-keyscan.c]
     from portable - use sysconf to detect fd limit; ok markus@
     (tidy diff by adding SSH_SSFDMAX macro to defines.h)
   - djm@cvs.openbsd.org 2003/11/23 23:18:45
     [ssh-keygen.c]
     consistency PATH_MAX -> MAXPATHLEN; ok markus@
     (RCS ID sync only)
   - djm@cvs.openbsd.org 2003/11/23 23:21:21
     [scp.c]
     from portable: rename clashing variable limit-> limit_rate; ok markus@
     (RCS ID sync only)
   - dtucker@cvs.openbsd.org 2003/11/24 00:16:35
     [ssh.1 ssh.c]
     Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@
 - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original
   source file path (in OpenBSD tree).

20031122
 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@
 - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
   Move AIX specific password authentication code to port-aix.c, call
   authenticate() until reenter flag is clear.
 - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net.
   Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA
   is enabled, rely on SIA to check for locked accounts if enabled. ok djm@
 - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch
 - (djm) [sftp-int.c] Remove duplicated code from bogus sync
 - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code

20031121
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/11/20 11:39:28
     [progressmeter.c]
     fix rounding errors; from andreas@
   - djm@cvs.openbsd.org 2003/11/21 11:57:03
     [everything]
     unexpand and delete whitespace at EOL; ok markus@
     (done locally and RCS IDs synced)

20031118
 - (djm) Fix early exit for root auth success when UsePAM=yes and
   PermitRootLogin=no
 - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
   and use it for do_pam_session. Fixes problems like pam_motd not
   displaying anything. ok djm@
 - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@
 - (djm) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2003/11/18 00:40:05
     [serverloop.c]
     Correct check for authctxt->valid. ok djm@
   - djm@cvs.openbsd.org 2003/11/18 10:53:07
     [monitor.c]
     unbreak fake authloop for non-existent users (my screwup). Spotted and
     tested by dtucker@; ok markus@

20031117
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2003/11/03 09:03:37
     [auth-chall.c]
     make this a little more idiot-proof; ok markus@
     (includes portable-specific changes)
   - jakob@cvs.openbsd.org 2003/11/03 09:09:41
     [sshconnect.c]
     move changed key warning into warn_changed_key(). ok markus@
   - jakob@cvs.openbsd.org 2003/11/03 09:37:32
     [sshconnect.c]
     do not free static type pointer in warn_changed_key()
   - djm@cvs.openbsd.org 2003/11/04 08:54:09
     [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
     [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
     [session.c]
     standardise arguments to auth methods - they should all take authctxt.
     check authctxt->valid rather than pw != NULL; ok markus@
   - jakob@cvs.openbsd.org 2003/11/08 16:02:40
     [auth1.c]
     remove unused variable (pw). ok djm@
     (id sync only - still used in portable)
   - jmc@cvs.openbsd.org 2003/11/08 19:17:29
     [sftp-int.c]
     typos from Jonathon Gray;
   - jakob@cvs.openbsd.org 2003/11/10 16:23:41
     [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c]
     [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c]
     [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h]
     constify. ok markus@ & djm@
   - dtucker@cvs.openbsd.org 2003/11/12 10:12:15
     [scp.c]
     When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@
   - jakob@cvs.openbsd.org 2003/11/12 16:39:58
     [dns.c dns.h readconf.c ssh_config.5 sshconnect.c]
     update SSHFP validation. ok markus@
   - jmc@cvs.openbsd.org 2003/11/12 20:14:51
     [ssh_config.5]
     make verb agree with subject, and kill some whitespace;
   - markus@cvs.openbsd.org 2003/11/14 13:19:09
     [sshconnect2.c]
     cleanup and minor fixes for the client code; from Simon Wilkinson
   - djm@cvs.openbsd.org 2003/11/17 09:45:39
     [msg.c msg.h sshconnect2.c ssh-keysign.c]
     return error on msg send/receive failure (rather than fatal); ok markus@
   - markus@cvs.openbsd.org 2003/11/17 11:06:07
     [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h sshconnect2.c ssh-gss.h]
     replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
     test + ok jakob.
 - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int
   conversation function
 - (djm) Export environment variables from authentication subprocess to
   parent. Part of Bug #717

20031115
 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and
   HP-UX, skip test on AIX.

20031113
 - (dtucker) [auth-pam.c] Append newlines to lines output by the
   pam_chauthtok_conv().
 - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
   contrib/cygwin). Major update from vinschen at redhat.com.
   - Makefile provides a `cygwin-postinstall' target to run right after
     `make install'.
   - Better support for Windows 2003 Server.
   - Try to get permissions as correct as possible.
   - New command line options to allow full automated host configuration.
   - Create configs from skeletons in /etc/defaults/etc.
   - Use /bin/bash, allows reading user input with readline support.
   - Remove really old configs from /usr/local.
 - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and
   PAM_ERROR_MSG messages.

20031106
 - (djm) Clarify UsePAM consequences a little more

20031103
 - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services
   are created correctly with CRLF line terminations. Patch from vinschen at
   redhat.com.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/10/15 09:48:45
     [monitor_wrap.c]
     check pmonitor != NULL
   - markus@cvs.openbsd.org 2003/10/21 09:50:06
     [auth2-gss.c]
     make sure the doid is larger than 2
   - avsm@cvs.openbsd.org 2003/10/26 16:57:43
     [sshconnect2.c]
     rename 'supported' static var in userauth_gssapi() to 'gss_supported'
     to avoid shadowing the global version. markus@ ok
   - markus@cvs.openbsd.org 2003/10/28 09:08:06
     [misc.c]
     error->debug for getsockopt+TCP_NODELAY; several requests
   - markus@cvs.openbsd.org 2003/11/02 11:01:03
     [auth2-gss.c compat.c compat.h sshconnect2.c]
     remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
 - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid.

20031021
 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords
   directly. Noted by Darren.Moffat at sun.com.
 - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set,
   make agent setgid during test.

20031017
 - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with
   MD5 passwords even if PAM support is enabled. From steev at detritus.net.

20031015
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2003/10/08 08:27:36
     [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8]
     scp and sftp: add options list and sort options. options list requested
     by deraadt@
     sshd: use same format as ssh
     ssh: remove wrong option from list
     sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)
     ok deraadt@ markus@
   - markus@cvs.openbsd.org 2003/10/08 15:21:24
     [readconf.c ssh_config.5]
     default GSS API to no in client, too; ok jakob, deraadt@
   - markus@cvs.openbsd.org 2003/10/11 08:24:08
     [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
     remote x11 clients are now untrusted by default, uses xauth(8) to generate
     untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
     ok deraadt; feedback and ok djm/fries
   - markus@cvs.openbsd.org 2003/10/11 08:26:43
     [sshconnect2.c]
     search keys in reverse order; fixes #684
   - markus@cvs.openbsd.org 2003/10/11 11:36:23
     [monitor_wrap.c]
     return NULL for missing banner; ok djm@
   - jmc@cvs.openbsd.org 2003/10/12 13:12:13
     [ssh_config.5]
     note that EnableSSHKeySign should be in the non-hostspecific section;
     remove unnecessary .Pp;
     ok markus@
   - markus@cvs.openbsd.org 2003/10/13 08:22:25
     [scp.1 sftp.1]
     don't refer to options related to forwarding; ok jmc@
   - jakob@cvs.openbsd.org 2003/10/14 19:42:10
     [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
     include SSHFP lookup code (not enabled by default). ok markus@
   - jakob@cvs.openbsd.org 2003/10/14 19:43:23
     [README.dns]
     update
   - markus@cvs.openbsd.org 2003/10/14 19:54:39
     [session.c ssh-agent.c]
     10X for mkdtemp; djm@
 - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
   openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
   compiled in but disabled in config.
 - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode.
 - (tim) [regress/banner.sh] portability fix.

20031009
 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@

20031008
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2003/10/07 01:47:27
     [sshconnect2.c]
     Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 &
     #707. ok markus@
   - djm@cvs.openbsd.org 2003/10/07 07:04:16
     [sftp-int.c]
     sftp quoting fix from admorten AT umich.edu; ok markus@
   - deraadt@cvs.openbsd.org 2003/10/07 21:58:28
     [sshconnect2.c]
     set ptr to NULL after free
   - dtucker@cvs.openbsd.org 2003/10/07 01:52:13
     [regress/Makefile regress/banner.sh]
     Test SSH2 banner. ok markus@
   - djm@cvs.openbsd.org 2003/10/07 07:04:52
     [regress/sftp-cmds.sh]
     more sftp quoting regress tests; ok markus

20031007
 - (djm) Delete autom4te.cache after autoreconf
 - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static
   cleanup functions. With & ok djm@
 - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a
   run-time switch, always build --with-md5-passwords.
 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c]
   Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@
 - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID
   on Reliant Unix. Patch from Robert.Dahlem at siemens.com.
 - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on
   Reliant Unix. Based on patch from Robert.Dahlem at siemens.com.

20031003
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/10/02 10:41:59
     [sshd.c]
     print openssl version, too, several requests; ok henning/djm.
   - markus@cvs.openbsd.org 2003/10/02 08:26:53
     [ssh-gss.h]
     missing $OpenBSD:; dtucker
 - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default
   option.

20031002
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/09/23 20:17:11
     [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c
     cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h
     monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h
     ssh-agent.c sshd.c]
     replace fatal_cleanup() and linked list of fatal callbacks with static
     cleanup_exit() function. re-refine cleanup_exit() where appropriate,
     allocate sshd's authctxt early to allow simpler cleanup in sshd.
     tested by many, ok deraadt@
   - markus@cvs.openbsd.org 2003/09/23 20:18:52
     [progressmeter.c]
     don't print trailing \0; bug #709; Robert.Dahlem@siemens.com
     ok millert/deraadt@
   - markus@cvs.openbsd.org 2003/09/23 20:41:11
     [channels.c channels.h clientloop.c]
     move client only agent code to clientloop.c
   - markus@cvs.openbsd.org 2003/09/26 08:19:29
     [sshd.c]
     no need to set the listen sockets to non-block; ok deraadt@
   - jmc@cvs.openbsd.org 2003/09/29 11:40:51
     [ssh.1]
     - add list of options to -o and .Xr ssh_config(5)
     - some other cleanup
     requested by deraadt@;
     ok deraadt@ markus@
   - markus@cvs.openbsd.org 2003/09/29 20:19:57
     [servconf.c sshd_config]
     GSSAPICleanupCreds -> GSSAPICleanupCredentials
 - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring
   --with-pam. ok djm@
 - (dtucker) [ssh-gss.h] Prototype change missed in sync.
 - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations.
   Based on patches by Matthias Koeppe and Thomas Baden. ok djm@

20030930
 - (bal) Fix issues in openbsd-compat/realpath.c

20030925
 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove
   DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from
   michael_steffens at hp.com, ok djm@
 - (tim) [sshd_config] UsePAM defaults to no.

20030924
 - (djm) Update version.h and spec files for HEAD
 - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6.

20030923
 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree
   builds. Portability corrections from tim@.
 - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X.
   Patch from max at quendi.de.
 - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi.
 - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64.
 - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS.
   Patch from david.haughton at ncr.com
 - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6.
   Part of patch supplied by bugzilla-openssh at thewrittenword.com
 - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c
   openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems
   where gai_strerror is defined as "const char *". Part of patch supplied
   by bugzilla-openssh at thewrittenword.com
 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update
   ssh-host-config to match current defaults, bump README version. Patch from
   vinschen at redhat.com.
 - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the
   OS does not support permanently dropping privileges. Patch from
   vinschen at redhat.com.
 - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h,
   add canohost.h to stop warning. Based on patch from openssh-unix-dev at
   thewrittenword.com
 - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or
   higher.
 - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/
 - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN.
   Report by distler AT golem ph utexas edu.
 - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from
   article by genty at austin.ibm.com, included with the author's permission.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/09/18 07:52:54
     [sshconnect.c]
     missing {}; bug #656; jclonguet at free.fr
   - markus@cvs.openbsd.org 2003/09/18 07:54:48
     [buffer.c]
     protect against double free; #660; zardoz at users.sf.net
   - markus@cvs.openbsd.org 2003/09/18 07:56:05
     [authfile.c]
     missing buffer_free(&encrypted); #662; zardoz at users.sf.net
   - markus@cvs.openbsd.org 2003/09/18 08:49:45
     [deattack.c misc.c session.c ssh-agent.c]
     more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
     ok millert@
   - miod@cvs.openbsd.org 2003/09/18 13:02:21
     [authfd.c bufaux.c dh.c mac.c ssh-keygen.c]
     A few signedness fixes for harmless situations; markus@ ok
   - markus@cvs.openbsd.org 2003/09/19 09:02:02
     [packet.c]
     buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
   - markus@cvs.openbsd.org 2003/09/19 09:03:00
     [buffer.c]
     sign fix in buffer_dump; Jedi/Sector One; pr 3473
   - markus@cvs.openbsd.org 2003/09/19 11:29:40
     [ssh-agent.c]
     provide a ssh-agent specific fatal() function; ok deraadt
   - markus@cvs.openbsd.org 2003/09/19 11:30:39
     [ssh-keyscan.c]
     avoid fatal_cleanup, just call exit(); ok deraadt
   - markus@cvs.openbsd.org 2003/09/19 11:31:33
     [channels.c]
     do not call channel_free_all on fatal; ok deraadt
   - markus@cvs.openbsd.org 2003/09/19 11:33:09
     [packet.c sshd.c]
     do not call packet_close on fatal; ok deraadt
   - markus@cvs.openbsd.org 2003/09/19 17:40:20
     [scp.c]
     error handling for remote-remote copy; #638; report Harald Koenig;
     ok millert, fgs, henning, deraadt
   - markus@cvs.openbsd.org 2003/09/19 17:43:35
     [clientloop.c sshtty.c sshtty.h]
     remove fatal callbacks from client code; ok deraadt
 - (bal) "extration" -> "extraction" in ssh-rand-helper.c; reported by john
   on #unixhelp@efnet
 - (tim) [configure.ac] add --disable-etc-default-login option. ok djm
 - (djm) Sync with V_3_7 branch:
   - (djm) Fix SSH1 challenge kludge
   - (djm) Bug #671: Fix builds on OpenBSD
   - (djm) Bug #676: Fix PAM stack corruption
   - (djm) Fix bad free() in PAM code
   - (djm) Don't call pam_end before pam_init
   - (djm) Enable build with old OpenSSL again
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu

$Id: ChangeLog,v 1.4558.2.2 2006/09/26 10:57:05 dtucker Exp $