author | Damien Miller <djm@mindrot.org> | 2011-01-22 20:24:34 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2011-01-22 20:24:34 +1100 |
commit | 4a5eb41cee4cdda9d224d575b435d6277f4cc086 | |
tree | 53922593d9c465bf8bdc2a49c19946a48c8a9f5a | |
parent | 966accc5331784f26e3231dcd3c162f581e1dce6 | |
trim entries older than 5.5p1
-rw-r--r-- | ChangeLog | 2743 |
1 files changed, 0 insertions, 2743 deletions
@@ -1201,2746 +1201,3 @@ ok markus@ -20100410 - - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo - back so we disable the IPv6 tests if we don't have it. - -20100409 - - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong - ones. Based on a patch from Roumen Petrov. - - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we - have it and the path is not provided to --with-libedit. Based on a patch - from Iain Morgan. - - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable - utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@ - -20100326 - - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection - for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson - - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally - by Ingo Weinhold via Scott McCreary, ok djm@ - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/03/25 23:38:28 - [servconf.c] - from portable: getcwd(NULL, 0) doesn't work on all platforms, so - use a stack buffer; ok dtucker@ - - djm@cvs.openbsd.org 2010/03/26 00:26:58 - [ssh.1] - mention that -S none disables connection sharing; from Colin Watson - - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - - set up SELinux execution context before chroot() call. From Russell - Coker via Colin watson; bz#1726 ok dtucker@ - - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721 - ok dtucker@ - - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using - pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). 
- - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys; - bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@ - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/03/26 01:06:13 - [ssh_config.5] - Reformat default value of PreferredAuthentications entry (current - formatting implies ", " is acceptable as a separator, which it's not. - ok djm@ - -20100324 - - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory - containing the services file explicitely case-insensitive. This allows to - tweak the Windows services file reliably. Patch from vinschen at redhat. - -20100321 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/03/08 09:41:27 - [ssh-keygen.1] - sort the list of constraints (to -O); ok djm - - jmc@cvs.openbsd.org 2010/03/10 07:40:35 - [ssh-keygen.1] - typos; from Ross Richardson - closes prs 6334 and 6335 - - djm@cvs.openbsd.org 2010/03/10 23:27:17 - [auth2-pubkey.c] - correct certificate logging and make it more consistent between - authorized_keys and TrustedCAKeys; ok markus@ - - djm@cvs.openbsd.org 2010/03/12 01:06:25 - [servconf.c] - unbreak AuthorizedKeys option with a $HOME-relative path; reported by - vinschen AT redhat.com, ok dtucker@ - - markus@cvs.openbsd.org 2010/03/12 11:37:40 - [servconf.c] - do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths - free() (not xfree()) the buffer returned by getcwd() - - djm@cvs.openbsd.org 2010/03/13 21:10:38 - [clientloop.c] - protocol conformance fix: send language tag when disconnecting normally; - spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ - - djm@cvs.openbsd.org 2010/03/13 21:45:46 - [ssh-keygen.1] - Certificates are named *-cert.pub, not *_cert.pub; committing a diff - from stevesk@ ok me - - jmc@cvs.openbsd.org 2010/03/13 23:38:13 - [ssh-keygen.1] - fix a formatting error (args need quoted); noted by stevesk - - stevesk@cvs.openbsd.org 2010/03/15 19:40:02 - [key.c key.h ssh-keygen.c] - also print certificate type 
(user or host) for ssh-keygen -L - ok djm kettenis - - stevesk@cvs.openbsd.org 2010/03/16 15:46:52 - [auth-options.c] - spelling in error message. ok djm kettenis - - djm@cvs.openbsd.org 2010/03/16 16:36:49 - [version.h] - crank version to openssh-5.5 since we have a few fixes since 5.4; - requested deraadt@ kettenis@ - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers - -20100314 - - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix - compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot - AT fefe.de - - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for - ssh-pkcs11-helper to repair static builds (we do the same for - ssh-keyscan). Reported by felix-mindrot AT fefe.de - -20100312 - - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) - - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. - Patch from Corinna Vinschen. - - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install - on a Cygwin installation. Patch from Corinna Vinschen. - -20100311 - - (tim) [contrib/suse/openssh.spec] crank version number here too. - report by imorgan AT nas.nasa.gov - -20100309 - - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO - so setting it in CFLAGS correctly skips IPv6 tests. 
- -20100308 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/03/07 22:16:01 - [ssh-keygen.c] - make internal strptime string match strftime format; - suggested by vinschen AT redhat.com and markus@ - - djm@cvs.openbsd.org 2010/03/08 00:28:55 - [ssh-keygen.1] - document permit-agent-forwarding certificate constraint; patch from - stevesk@ - - djm@cvs.openbsd.org 2010/03/07 22:01:32 - [version.h] - openssh-5.4 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - crank version numbers - - (djm) Release OpenSSH-5.4p1 - -20100307 - - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that - it gets the passwd struct from the LAM that knows about the user which is - not necessarily the default. Patch from Alexandre Letourneau. - - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and - do not set real uid, since that's needed for the chroot, and will be set - by permanently_set_uid. - - (dtucker) [session.c] Also initialize creds to NULL for handing to - setpcred. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/03/07 11:57:13 - [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c] - Hold authentication debug messages until after successful authentication. - Fixes an info leak of environment variables specified in authorized_keys, - reported by Jacob Appelbaum. 
ok djm@ - -20100305 - - OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/03/04 12:51:25 - [ssh.1 sshd_config.5] - tweak previous; - - djm@cvs.openbsd.org 2010/03/04 20:35:08 - [ssh-keygen.1 ssh-keygen.c] - Add a -L flag to print the contents of a certificate; ok markus@ - - jmc@cvs.openbsd.org 2010/03/04 22:52:40 - [ssh-keygen.1] - fix Bk/Ek; - - djm@cvs.openbsd.org 2010/03/04 23:17:25 - [sshd_config.5] - missing word; spotted by jmc@ - - djm@cvs.openbsd.org 2010/03/04 23:19:29 - [ssh.1 sshd.8] - move section on CA and revoked keys from ssh.1 to sshd.8's known hosts - format section and rework it a bit; requested by jmc@ - - djm@cvs.openbsd.org 2010/03/04 23:27:25 - [auth-options.c ssh-keygen.c] - "force-command" is not spelled "forced-command"; spotted by - imorgan AT nas.nasa.gov - - djm@cvs.openbsd.org 2010/03/05 02:58:11 - [auth.c] - make the warning for a revoked key louder and more noticable - - jmc@cvs.openbsd.org 2010/03/05 06:50:35 - [ssh.1 sshd.8] - tweak previous; - - jmc@cvs.openbsd.org 2010/03/05 08:31:20 - [ssh.1] - document certificate authentication; help/ok djm - - djm@cvs.openbsd.org 2010/03/05 10:28:21 - [ssh-add.1 ssh.1 ssh_config.5] - mention loading of certificate files from [private]-cert.pub when - they are present; feedback and ok jmc@ - - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older - compilers. 
OK djm@ - - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure - on some platforms - - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@ - -20100304 - - (djm) [ssh-keygen.c] Use correct local variable, instead of - maybe-undefined global "optarg" - - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq - on XFree86-devel with neutral /usr/include/X11/Xlib.h; - imorgan AT nas.nasa.gov in bz#1731 - - (djm) [.cvsignore] Ignore ssh-pkcs11-helper - - (djm) [regress/Makefile] Cleanup sshd_proxy_orig - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/03/03 01:44:36 - [auth-options.c key.c] - reject strings with embedded ASCII nul chars in certificate key IDs, - principal names and constraints - - djm@cvs.openbsd.org 2010/03/03 22:49:50 - [sshd.8] - the authorized_keys option for CA keys is "cert-authority", not - "from=cert-authority". spotted by imorgan AT nas.nasa.gov - - djm@cvs.openbsd.org 2010/03/03 22:50:40 - [PROTOCOL.certkeys] - s/similar same/similar/; from imorgan AT nas.nasa.gov - - djm@cvs.openbsd.org 2010/03/04 01:44:57 - [key.c] - use buffer_get_string_ptr_ret() where we are checking the return - value explicitly instead of the fatal()-causing buffer_get_string_ptr() - - djm@cvs.openbsd.org 2010/03/04 10:36:03 - [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] - [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] - [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] - Add a TrustedUserCAKeys option to sshd_config to specify CA keys that - are trusted to authenticate users (in addition than doing it per-user - in authorized_keys). - - Add a RevokedKeys option to sshd_config and a @revoked marker to - known_hosts to allow keys to me revoked and banned for user or host - authentication. 
- - feedback and ok markus@ - - djm@cvs.openbsd.org 2010/03/03 00:47:23 - [regress/cert-hostkey.sh regress/cert-userkey.sh] - add an extra test to ensure that authentication with the wrong - certificate fails as it should (and it does) - - djm@cvs.openbsd.org 2010/03/04 10:38:23 - [regress/cert-hostkey.sh regress/cert-userkey.sh] - additional regression tests for revoked keys and TrustedUserCAKeys - -20100303 - - (djm) [PROTOCOL.certkeys] Add RCS Ident - - OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/02/26 22:09:28 - [ssh-keygen.1 ssh.1 sshd.8] - tweak previous; - - otto@cvs.openbsd.org 2010/03/01 11:07:06 - [ssh-add.c] - zap what seems to be a left-over debug message; ok markus@ - - djm@cvs.openbsd.org 2010/03/02 23:20:57 - [ssh-keygen.c] - POSIX strptime is stricter than OpenBSD's so do a little dance to - appease it. - - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too - -20100302 - - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from - http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22 - respectively). - -20100301 - - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace - "echo -n" with "echon" for portability. - - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM - adjust log at verbose only, since according to cjwatson in bug #1470 - some virtualization platforms don't allow writes. - -20100228 - - (djm) [auth.c] On Cygwin, refuse usernames that have differences in - case from that matched in the system password database. On this - platform, passwords are stored case-insensitively, but sshd requires - exact case matching for Match blocks in sshd_config(5). Based on - a patch from vinschen AT redhat.com. - - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions - to make older compilers (gcc 2.95) happy. 
- -20100227 - - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded - - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment - variables copied into sshd child processes. From vinschen AT redhat.com - -20100226 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/02/26 20:29:54 - [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] - [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] - [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] - [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] - [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] - [sshconnect2.c sshd.8 sshd.c sshd_config.5] - Add support for certificate key types for users and hosts. - - OpenSSH certificate key types are not X.509 certificates, but a much - simpler format that encodes a public key, identity information and - some validity constraints and signs it with a CA key. CA keys are - regular SSH keys. This certificate style avoids the attack surface - of X.509 certificates and is very easy to deploy. - - Certified host keys allow automatic acceptance of new host keys - when a CA certificate is marked as trusted in ~/.ssh/known_hosts. - see VERIFYING HOST KEYS in ssh(1) for details. - - Certified user keys allow authentication of users when the signing - CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS - FILE FORMAT" in sshd(8) for details. - - Certificates are minted using ssh-keygen(1), documentation is in - the "CERTIFICATES" section of that manpage. 
- - Documentation on the format of certificates is in the file - PROTOCOL.certkeys - - feedback and ok markus@ - - djm@cvs.openbsd.org 2010/02/26 20:33:21 - [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] - regression tests for certified keys - -20100224 - - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] - [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/02/11 20:37:47 - [pathnames.h] - correct comment - - dtucker@cvs.openbsd.org 2009/11/09 04:20:04 - [regress/Makefile] - add regression test for ssh-keygen pubkey conversions - - dtucker@cvs.openbsd.org 2010/01/11 02:53:44 - [regress/forwarding.sh] - regress test for stdio forwarding - - djm@cvs.openbsd.org 2010/02/09 04:57:36 - [regress/addrmatch.sh] - clean up droppings - - djm@cvs.openbsd.org 2010/02/09 06:29:02 - [regress/Makefile] - turn on all the malloc(3) checking options when running regression - tests. this has caught a few bugs for me in the past; ok dtucker@ - - djm@cvs.openbsd.org 2010/02/24 06:21:56 - [regress/test-exec.sh] - wait for sshd to fully stop in cleanup() function; avoids races in tests - that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@ - - markus@cvs.openbsd.org 2010/02/08 10:52:47 - [regress/agent-pkcs11.sh] - test for PKCS#11 support (currently disabled) - - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage - -20100212 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/02/02 22:49:34 - [bufaux.c] - make buffer_get_string_ret() really non-fatal in all cases (it was - using buffer_get_int(), which could fatal() on buffer empty); - ok markus dtucker - - markus@cvs.openbsd.org 2010/02/08 10:50:20 - [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] - [ssh-agent.c ssh-keygen.1 ssh-keygen.c 
ssh.1 ssh.c ssh_config.5] - replace our obsolete smartcard code with PKCS#11. - ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf - ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 - provider (shared library) while ssh-agent(1) delegates PKCS#11 to - a forked a ssh-pkcs11-helper process. - PKCS#11 is currently a compile time option. - feedback and ok djm@; inspired by patches from Alon Bar-Lev - - jmc@cvs.openbsd.org 2010/02/08 22:03:05 - [ssh-add.1 ssh-keygen.1 ssh.1 ssh.c] - tweak previous; ok markus - - djm@cvs.openbsd.org 2010/02/09 00:50:36 - [ssh-agent.c] - fallout from PKCS#11: unbreak -D - - djm@cvs.openbsd.org 2010/02/09 00:50:59 - [ssh-keygen.c] - fix -Wall - - djm@cvs.openbsd.org 2010/02/09 03:56:28 - [buffer.c buffer.h] - constify the arguments to buffer_len, buffer_ptr and buffer_dump - - djm@cvs.openbsd.org 2010/02/09 06:18:46 - [auth.c] - unbreak ChrootDirectory+internal-sftp by skipping check for executable - shell when chrooting; reported by danh AT wzrd.com; ok dtucker@ - - markus@cvs.openbsd.org 2010/02/10 23:20:38 - [ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] - pkcs#11 is no longer optional; improve wording; ok jmc@ - - jmc@cvs.openbsd.org 2010/02/11 13:23:29 - [ssh.1] - libarary -> library; - - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c] - [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java] - Remove obsolete smartcard support - - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] - Make it compile on OSX - - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] - Use ssh_get_progname to fill __progname - - (djm) [configure.ac] Enable PKCS#11 support only when we find a working - dlopen() - -20100210 - - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for - getseuserbyname; patch from calebcase AT gmail.com via - cjwatson AT debian.org - -20100202 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/01/30 21:08:33 - [sshd.8] - 
debug output goes to stderr, not "the system log"; ok markus dtucker - - djm@cvs.openbsd.org 2010/01/30 21:12:08 - [channels.c] - fake local addr:port when stdio fowarding as some servers (Tectia at - least) validate that they are well-formed; - reported by imorgan AT nas.nasa.gov - ok dtucker - -20100130 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/01/28 00:21:18 - [clientloop.c] - downgrade an error() to a debug() - this particular case can be hit in - normal operation for certain sequences of mux slave vs session closure - and is harmless - - djm@cvs.openbsd.org 2010/01/29 00:20:41 - [sshd.c] - set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com - ok dtucker@ - - djm@cvs.openbsd.org 2010/01/29 20:16:17 - [mux.c] - kill correct channel (was killing already-dead mux channel, not - its session channel) - - djm@cvs.openbsd.org 2010/01/30 02:54:53 - [mux.c] - don't mark channel as read failed if it is already closing; suppresses - harmless error messages when connecting to SSH.COM Tectia server - report by imorgan AT nas.nasa.gov - -20100129 - - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config() - after registering the hardware engines, which causes the openssl.cnf file to - be processed. See OpenSSL's man page for OPENSSL_config(3) for details. - Patch from Solomon Peachy, ok djm@. - -20100128 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/01/26 02:15:20 - [mux.c] - -Wuninitialized and remove a // comment; from portable - (Id sync only) - - djm@cvs.openbsd.org 2010/01/27 13:26:17 - [mux.c] - fix bug introduced in mux rewrite: - - In a mux master, when a socket to a mux slave closes before its server - session (as may occur when the slave has been signalled), gracefully - close the server session rather than deleting its channel immediately. - A server may have more messages on that channel to send (e.g. 
an exit - message) that will fatal() the client if they are sent to a channel that - has been prematurely deleted. - - spotted by imorgan AT nas.nasa.gov - - djm@cvs.openbsd.org 2010/01/27 19:21:39 - [sftp.c] - add missing "p" flag to getopt optstring; - bz#1704 from imorgan AT nas.nasa.gov - -20100126 - - (djm) OpenBSD CVS Sync - - tedu@cvs.openbsd.org 2010/01/17 21:49:09 - [ssh-agent.1] - Correct and clarify ssh-add's password asking behavior. - Improved text dtucker and ok jmc - - dtucker@cvs.openbsd.org 2010/01/18 01:50:27 - [roaming_client.c] - s/long long unsigned/unsigned long long/, from tim via portable - (Id sync only, change already in portable) - - djm@cvs.openbsd.org 2010/01/26 01:28:35 - [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c] - rewrite ssh(1) multiplexing code to a more sensible protocol. - - The new multiplexing code uses channels for the listener and - accepted control sockets to make the mux master non-blocking, so - no stalls when processing messages from a slave. - - avoid use of fatal() in mux master protocol parsing so an errant slave - process cannot take down a running master. - - implement requesting of port-forwards over multiplexed sessions. Any - port forwards requested by the slave are added to those the master has - established. - - add support for stdio forwarding ("ssh -W host:port ...") in mux slaves. - - document master/slave mux protocol so that other tools can use it to - control a running ssh(1). Note: there are no guarantees that this - protocol won't be incompatibly changed (though it is versioned). - - feedback Salvador Fandino, dtucker@ - channel changes ok markus@ - -20100122 - - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of - socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size - in Cygwin to 65535. Patch from Corinna Vinschen. - -20100117 - - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too. 
- - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions - snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf(). - -20100116 - - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h - so we correctly detect whether or not we have a native user_from_uid. - - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid - and group_from_gid. - - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by - Tim. - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2010/01/15 09:24:23 - [sftp-common.c] - unused - - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused - variable warnings. - - (dtucker) [openbsd-compat/openbsd-compat.h] Typo. - - (tim) [regress/portnum.sh] Shell portability fix. - - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native - getaddrinfo() is too old and limited for addr_pton() in addrmatch.c. - - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we - use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/ - to keep USL compilers happy. - -20100115 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2010/01/13 12:48:34 - [sftp.1 sftp.c] - sftp.1: put ls -h in the right place - sftp.c: as above, plus add -p to get/put, and shorten their arg names - to keep the help usage nicely aligned - ok djm - - djm@cvs.openbsd.org 2010/01/13 23:47:26 - [auth.c] - when using ChrootDirectory, make sure we test for the existence of the - user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; - ok dtucker - - dtucker@cvs.openbsd.org 2010/01/14 23:41:49 - [sftp-common.c] - use user_from{uid,gid} to lookup up ids since it keeps a small cache. - ok djm - - guenther@cvs.openbsd.org 2010/01/15 00:05:22 - [sftp.c] - Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp - inherited SIGTERM as ignored it will still be able to kill the ssh it - starts. 
- ok dtucker@ - - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no - changes yet but there will be some to come). - - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability - for pwcache. Also, added caching of negative hits. - -20100114 - - (djm) [platform.h] Add missing prototype for - platform_krb5_get_principal_name - -20100113 - - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs. - - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18: - missing restore of SIGTTOU and some whitespace. - - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21. - - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22. - Fixes bz #1590, where sometimes you could not interrupt a connection while - ssh was prompting for a passphrase or password. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/01/13 00:19:04 - [sshconnect.c auth.c] - Fix a couple of typos/mispellings in comments - - dtucker@cvs.openbsd.org 2010/01/13 01:10:56 - [key.c] - Ignore and log any Protocol 1 keys where the claimed size is not equal to - the actual size. Noted by Derek Martin, ok djm@ - - dtucker@cvs.openbsd.org 2010/01/13 01:20:20 - [canohost.c ssh-keysign.c sshconnect2.c] - Make HostBased authentication work with a ProxyCommand. bz #1569, patch - from imorgan at nas nasa gov, ok djm@ - - djm@cvs.openbsd.org 2010/01/13 01:40:16 - [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h] - support '-h' (human-readable units) for sftp's ls command, just like - ls(1); ok dtucker@ - - djm@cvs.openbsd.org 2010/01/13 03:48:13 - [servconf.c servconf.h sshd.c] - avoid run-time failures when specifying hostkeys via a relative - path by prepending the cwd in these cases; bz#1290; ok dtucker@ - - djm@cvs.openbsd.org 2010/01/13 04:10:50 - [sftp.c] - don't append a space after inserting a completion of a directory (i.e. 
- a path ending in '/') for a slightly better user experience; ok dtucker@ - - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef. - - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG. - feedback and ok dtucker@ - -20100112 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/01/11 01:39:46 - [ssh_config channels.c ssh.1 channels.h ssh.c] - Add a 'netcat mode' (ssh -W). This connects stdio on the client to a - single port forward on the server. This allows, for example, using ssh as - a ProxyCommand to route connections via intermediate servers. - bz #1618, man page help from jmc@, ok markus@ - - dtucker@cvs.openbsd.org 2010/01/11 04:46:45 - [authfile.c sshconnect2.c] - Do not prompt for a passphrase if we fail to open a keyfile, and log the - reason the open failed to debug. - bz #1693, found by tj AT castaglia org, ok djm@ - - djm@cvs.openbsd.org 2010/01/11 10:51:07 - [ssh-keygen.c] - when converting keys, truncate key comments at 72 chars as per RFC4716; - bz#1630 reported by tj AT castaglia.org; ok markus@ - - dtucker@cvs.openbsd.org 2010/01/12 00:16:47 - [authfile.c] - Fix bug introduced in r1.78 (incorrect brace location) that broke key auth. - Patch from joachim joachimschipper nl. - - djm@cvs.openbsd.org 2010/01/12 00:58:25 - [monitor_fdpass.c] - avoid spinning when fd passing on nonblocking sockets by calling poll() - in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@ - - djm@cvs.openbsd.org 2010/01/12 00:59:29 - [roaming_common.c] - delete with extreme prejudice a debug() that fired with every keypress; - ok dtucker deraadt - - dtucker@cvs.openbsd.org 2010/01/12 01:31:05 - [session.c] - Do not allow logins if /etc/nologin exists but is not readable by the user - logging in. 
Noted by Jan.Pechanec at Sun, ok djm@ deraadt@ - - djm@cvs.openbsd.org 2010/01/12 01:36:08 - [buffer.h bufaux.c] - add a buffer_get_string_ptr_ret() that does the same as - buffer_get_string_ptr() but does not fatal() on error; ok dtucker@ - - dtucker@cvs.openbsd.org 2010/01/12 08:33:17 - [session.c] - Add explicit stat so we reliably detect nologin with bad perms. - ok djm markus - -20100110 - - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] - Remove hacks add for RoutingDomain in preparation for its removal. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2010/01/09 23:04:13 - [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h - ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c - readconf.h scp.1 sftp.1 ssh_config.5 misc.h] - Remove RoutingDomain from ssh since it's now not needed. It can be - replaced with "route exec" or "nc -V" as a proxycommand. "route exec" - also ensures that trafic such as DNS lookups stays withing the specified - routingdomain. For example (from reyk): - # route -T 2 exec /usr/sbin/sshd - or inherited from the parent process - $ route -T 2 exec sh - $ ssh 10.1.2.3 - ok deraadt@ markus@ stevesk@ reyk@ - - dtucker@cvs.openbsd.org 2010/01/10 03:51:17 - [servconf.c] - Add ChrootDirectory to sshd.c test-mode output - - dtucker@cvs.openbsd.org 2010/01/10 07:15:56 - [auth.c] - Output a debug if we can't open an existing keyfile. bz#1694, ok djm@ - -20100109 - - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't - have it. - - (dtucker) [defines.h] define PRIu64 for platforms that don't have it. - - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef. - - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name - when using utmpx. Patch from Ed Schouten. 
- - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2010/01/09 00:20:26 - [sftp-server.c sftp-server.8] - add a 'read-only' mode to sftp-server(8) that disables open in write mode - and all other fs-modifying protocol methods. bz#430 ok dtucker@ - - djm@cvs.openbsd.org 2010/01/09 00:57:10 - [PROTOCOL] - tweak language - - jmc@cvs.openbsd.org 2010/01/09 03:36:00 - [sftp-server.8] - bad place to forget a comma... - - djm@cvs.openbsd.org 2010/01/09 05:04:24 - [mux.c sshpty.h clientloop.c sshtty.c] - quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we - usually don't actually have a tty to read/set; bz#1686 ok dtucker@ - - dtucker@cvs.openbsd.org 2010/01/09 05:17:00 - [roaming_client.c] - Remove a PRIu64 format string that snuck in with roaming. ok djm@ - - dtucker@cvs.openbsd.org 2010/01/09 11:13:02 - [sftp.c] - Prevent sftp from derefing a null pointer when given a "-" without a - command. Also, allow whitespace to follow a "-". bz#1691, path from - Colin Watson via Debian. ok djm@ deraadt@ - - dtucker@cvs.openbsd.org 2010/01/09 11:17:56 - [sshd.c] - Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs - itself. Prevents two HUPs in quick succession from resulting in sshd - dying. bz#1692, patch from Colin Watson via Ubuntu. - - (dtucker) [defines.h] Remove now-undeeded PRIu64 define. - -20100108 - - (dtucker) OpenBSD CVS Sync - - andreas@cvs.openbsd.org 2009/10/24 11:11:58 - [roaming.h] - Declarations needed for upcoming changes. - ok markus@ - - andreas@cvs.openbsd.org 2009/10/24 11:13:54 - [sshconnect2.c kex.h kex.c] - Let the client detect if the server supports roaming by looking - for the resume@appgate.com kex algorithm. - ok markus@ - - andreas@cvs.openbsd.org 2009/10/24 11:15:29 - [clientloop.c] - client_loop() must detect if the session has been suspended and resumed, - and take appropriate action in that case. 
- From Martin Forssen, maf at appgate dot com - - andreas@cvs.openbsd.org 2009/10/24 11:19:17 - [ssh2.h] - Define the KEX messages used when resuming a suspended connection. - ok markus@ - - andreas@cvs.openbsd.org 2009/10/24 11:22:37 - [roaming_common.c] - Do the actual suspend/resume in the client. This won't be useful until - the server side supports roaming. - Most code from Martin Forssen, maf at appgate dot com. Some changes by - me and markus@ - ok markus@ - - andreas@cvs.openbsd.org 2009/10/24 11:23:42 - [ssh.c] - Request roaming to be enabled if UseRoaming is true and the server - supports it. - ok markus@ - - reyk@cvs.openbsd.org 2009/10/28 16:38:18 - [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c - channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 - sftp.1 sshd_config.5 readconf.c ssh.c misc.c] - Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. - ok markus@ - - jmc@cvs.openbsd.org 2009/10/28 21:45:08 - [sshd_config.5 sftp.1] - tweak previous; - - djm@cvs.openbsd.org 2009/11/10 02:56:22 - [ssh_config.5] - explain the constraints on LocalCommand some more so people don't - try to abuse it. - - djm@cvs.openbsd.org 2009/11/10 02:58:56 - [sshd_config.5] - clarify that StrictModes does not apply to ChrootDirectory. Permissions - and ownership are always checked when chrooting. bz#1532 - - dtucker@cvs.openbsd.org 2009/11/10 04:30:45 - [sshconnect2.c channels.c sshconnect.c] - Set close-on-exec on various descriptors so they don't get leaked to - child processes. bz #1643, patch from jchadima at redhat, ok deraadt. - - markus@cvs.openbsd.org 2009/11/11 21:37:03 - [channels.c channels.h] - fix race condition in x11/agent channel allocation: don't read after - the end of the select read/write fdset and make sure a reused FD - is not touched before the pre-handlers are called. 
- with and ok djm@ - - djm@cvs.openbsd.org 2009/11/17 05:31:44 - [clientloop.c] - fix incorrect exit status when multiplexing and channel ID 0 is recycled - bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker - - djm@cvs.openbsd.org 2009/11/19 23:39:50 - [session.c] - bz#1606: error when an attempt is made to connect to a server - with ForceCommand=internal-sftp with a shell session (i.e. not a - subsystem session). Avoids stuck client when attempting to ssh to such a - service. ok dtucker@ - - dtucker@cvs.openbsd.org 2009/11/20 00:15:41 - [session.c] - Warn but do not fail if stat()ing the subsystem binary fails. This helps - with chrootdirectory+forcecommand=sftp-server and restricted shells. - bz #1599, ok djm. - - djm@cvs.openbsd.org 2009/11/20 00:54:01 - [sftp.c] - bz#1588 change "Connecting to host..." message to "Connected to host." - and delay it until after the sftp protocol connection has been established. - Avoids confusing sequence of messages when the underlying ssh connection - experiences problems. ok dtucker@ - - dtucker@cvs.openbsd.org 2009/11/20 00:59:36 - [sshconnect2.c] - Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@ - - djm@cvs.openbsd.org 2009/11/20 03:24:07 - [misc.c] - correct off-by-one in percent_expand(): we would fatal() when trying - to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually - work. Note that nothing in OpenSSH actually uses close to this limit at - present. 
bz#1607 from Jan.Pechanec AT Sun.COM - - halex@cvs.openbsd.org 2009/11/22 13:18:00 - [sftp.c] - make passing of zero-length arguments to ssh safe by - passing "-<switch>" "<value>" rather than "-<switch><value>" - ok dtucker@, guenther@, djm@ - - dtucker@cvs.openbsd.org 2009/12/06 23:41:15 - [sshconnect2.c] - zap unused variable and strlen; from Steve McClellan, ok djm - - djm@cvs.openbsd.org 2009/12/06 23:53:45 - [roaming_common.c] - use socklen_t for getsockopt optlen parameter; reported by - Steve.McClellan AT radisys.com, ok dtucker@ - - dtucker@cvs.openbsd.org 2009/12/06 23:53:54 - [sftp.c] - fix potential divide-by-zero in sftp's "df" output when talking to a server - that reports zero files on the filesystem (Unix filesystems always have at - least the root inode). From Steve McClellan at radisys, ok djm@ - - markus@cvs.openbsd.org 2009/12/11 18:16:33 - [key.c] - switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537 - for the RSA public exponent; discussed with provos; ok djm@ - - guenther@cvs.openbsd.org 2009/12/20 07:28:36 - [ssh.c sftp.c scp.c] - When passing user-controlled options with arguments to other programs, - pass the option and option argument as separate argv entries and - not smashed into one (e.g., as -l foo and not -lfoo). Also, always - pass a "--" argument to stop option parsing, so that a positional - argument that starts with a '-' isn't treated as an option. This - fixes some error cases as well as the handling of hostnames and - filenames that start with a '-'. - Based on a diff by halex@ - ok halex@ djm@ deraadt@ - - djm@cvs.openbsd.org 2009/12/20 23:20:40 - [PROTOCOL] - fix an incorrect magic number and typo in PROTOCOL; bz#1688 - report and fix from ueno AT unixuser.org - - stevesk@cvs.openbsd.org 2009/12/25 19:40:21 - [readconf.c servconf.c misc.h ssh-keyscan.c misc.c] - validate routing domain is in range 0-RT_TABLEID_MAX. 
- 'Looks right' deraadt@ - - stevesk@cvs.openbsd.org 2009/12/29 16:38:41 - [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] - Rename RDomain config option to RoutingDomain to be more clear and - consistent with other options. - NOTE: if you currently use RDomain in the ssh client or server config, - or ssh/sshd -o, you must update to use RoutingDomain. - ok markus@ djm@ - - jmc@cvs.openbsd.org 2009/12/29 18:03:32 - [sshd_config.5 ssh_config.5] - sort previous; - |
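Review bot: missing documentation for the trim. The removed 2009/12/29 stevesk@ entry carries an upgrade notice ("NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain"), and the removed entries are also where the bz# references are recorded for fixes such as the x11/agent channel allocation race in channels.c, the close-on-exec descriptor leak (bz #1643) and the sftp null pointer dereference (bz#1691). If the trimmed ChangeLog does not already say so, add a short trailer at the end of the file stating that older entries were removed and where they can still be read, so that someone auditing an older deployment can trace which change fixed what.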