author Damien Miller <djm@mindrot.org> 2011-01-22 20:24:34 +1100
committer Damien Miller <djm@mindrot.org> 2011-01-22 20:24:34 +1100
commit 4a5eb41cee4cdda9d224d575b435d6277f4cc086
tree 53922593d9c465bf8bdc2a49c19946a48c8a9f5a
parent 966accc5331784f26e3231dcd3c162f581e1dce6
trim entries older than 5.5p1
-rw-r--r-- ChangeLog 2743
1 files changed, 0 insertions, 2743 deletions
diff --git a/ChangeLog b/ChangeLog
index e5fde13b..39031f38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1201,2746 +1201,3 @@
ok markus@
-20100410
- - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
- back so we disable the IPv6 tests if we don't have it.
-
-20100409
- - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
- ones. Based on a patch from Roumen Petrov.
- - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
- have it and the path is not provided to --with-libedit. Based on a patch
- from Iain Morgan.
- - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
- utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
-
-20100326
- - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
- for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
- - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
- by Ingo Weinhold via Scott McCreary, ok djm@
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/03/25 23:38:28
- [servconf.c]
- from portable: getcwd(NULL, 0) doesn't work on all platforms, so
- use a stack buffer; ok dtucker@
- - djm@cvs.openbsd.org 2010/03/26 00:26:58
- [ssh.1]
- mention that -S none disables connection sharing; from Colin Watson
- - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
- set up SELinux execution context before chroot() call. From Russell
- Coker via Colin watson; bz#1726 ok dtucker@
- - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
- ok dtucker@
- - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
- pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
- - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
- bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
- - (dtucker) OpenBSD CVS Sync
- - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
- [ssh_config.5]
- Reformat default value of PreferredAuthentications entry (current
- formatting implies ", " is acceptable as a separator, which it's not.
- ok djm@
-
-20100324
- - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
- containing the services file explicitely case-insensitive. This allows to
- tweak the Windows services file reliably. Patch from vinschen at redhat.
-
-20100321
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2010/03/08 09:41:27
- [ssh-keygen.1]
- sort the list of constraints (to -O); ok djm
- - jmc@cvs.openbsd.org 2010/03/10 07:40:35
- [ssh-keygen.1]
- typos; from Ross Richardson
- closes prs 6334 and 6335
- - djm@cvs.openbsd.org 2010/03/10 23:27:17
- [auth2-pubkey.c]
- correct certificate logging and make it more consistent between
- authorized_keys and TrustedCAKeys; ok markus@
- - djm@cvs.openbsd.org 2010/03/12 01:06:25
- [servconf.c]
- unbreak AuthorizedKeys option with a $HOME-relative path; reported by
- vinschen AT redhat.com, ok dtucker@
- - markus@cvs.openbsd.org 2010/03/12 11:37:40
- [servconf.c]
- do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
- free() (not xfree()) the buffer returned by getcwd()
- - djm@cvs.openbsd.org 2010/03/13 21:10:38
- [clientloop.c]
- protocol conformance fix: send language tag when disconnecting normally;
- spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
- - djm@cvs.openbsd.org 2010/03/13 21:45:46
- [ssh-keygen.1]
- Certificates are named *-cert.pub, not *_cert.pub; committing a diff
- from stevesk@ ok me
- - jmc@cvs.openbsd.org 2010/03/13 23:38:13
- [ssh-keygen.1]
- fix a formatting error (args need quoted); noted by stevesk
- - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
- [key.c key.h ssh-keygen.c]
- also print certificate type (user or host) for ssh-keygen -L
- ok djm kettenis
- - stevesk@cvs.openbsd.org 2010/03/16 15:46:52
- [auth-options.c]
- spelling in error message. ok djm kettenis
- - djm@cvs.openbsd.org 2010/03/16 16:36:49
- [version.h]
- crank version to openssh-5.5 since we have a few fixes since 5.4;
- requested deraadt@ kettenis@
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- [contrib/suse/openssh.spec] Crank version numbers
-
-20100314
- - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
- compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
- AT fefe.de
- - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
- ssh-pkcs11-helper to repair static builds (we do the same for
- ssh-keyscan). Reported by felix-mindrot AT fefe.de
-
-20100312
- - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
- - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
- Patch from Corinna Vinschen.
- - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
- on a Cygwin installation. Patch from Corinna Vinschen.
-
-20100311
- - (tim) [contrib/suse/openssh.spec] crank version number here too.
- report by imorgan AT nas.nasa.gov
-
-20100309
- - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
- so setting it in CFLAGS correctly skips IPv6 tests.
-
-20100308
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/03/07 22:16:01
- [ssh-keygen.c]
- make internal strptime string match strftime format;
- suggested by vinschen AT redhat.com and markus@
- - djm@cvs.openbsd.org 2010/03/08 00:28:55
- [ssh-keygen.1]
- document permit-agent-forwarding certificate constraint; patch from
- stevesk@
- - djm@cvs.openbsd.org 2010/03/07 22:01:32
- [version.h]
- openssh-5.4
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- crank version numbers
- - (djm) Release OpenSSH-5.4p1
-
-20100307
- - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
- it gets the passwd struct from the LAM that knows about the user which is
- not necessarily the default. Patch from Alexandre Letourneau.
- - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
- do not set real uid, since that's needed for the chroot, and will be set
- by permanently_set_uid.
- - (dtucker) [session.c] Also initialize creds to NULL for handing to
- setpcred.
- - (dtucker) OpenBSD CVS Sync
- - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
- [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
- Hold authentication debug messages until after successful authentication.
- Fixes an info leak of environment variables specified in authorized_keys,
- reported by Jacob Appelbaum. ok djm@
-
-20100305
- - OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2010/03/04 12:51:25
- [ssh.1 sshd_config.5]
- tweak previous;
- - djm@cvs.openbsd.org 2010/03/04 20:35:08
- [ssh-keygen.1 ssh-keygen.c]
- Add a -L flag to print the contents of a certificate; ok markus@
- - jmc@cvs.openbsd.org 2010/03/04 22:52:40
- [ssh-keygen.1]
- fix Bk/Ek;
- - djm@cvs.openbsd.org 2010/03/04 23:17:25
- [sshd_config.5]
- missing word; spotted by jmc@
- - djm@cvs.openbsd.org 2010/03/04 23:19:29
- [ssh.1 sshd.8]
- move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
- format section and rework it a bit; requested by jmc@
- - djm@cvs.openbsd.org 2010/03/04 23:27:25
- [auth-options.c ssh-keygen.c]
- "force-command" is not spelled "forced-command"; spotted by
- imorgan AT nas.nasa.gov
- - djm@cvs.openbsd.org 2010/03/05 02:58:11
- [auth.c]
- make the warning for a revoked key louder and more noticable
- - jmc@cvs.openbsd.org 2010/03/05 06:50:35
- [ssh.1 sshd.8]
- tweak previous;
- - jmc@cvs.openbsd.org 2010/03/05 08:31:20
- [ssh.1]
- document certificate authentication; help/ok djm
- - djm@cvs.openbsd.org 2010/03/05 10:28:21
- [ssh-add.1 ssh.1 ssh_config.5]
- mention loading of certificate files from [private]-cert.pub when
- they are present; feedback and ok jmc@
- - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
- compilers. OK djm@
- - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
- on some platforms
- - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@
-
-20100304
- - (djm) [ssh-keygen.c] Use correct local variable, instead of
- maybe-undefined global "optarg"
- - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
- on XFree86-devel with neutral /usr/include/X11/Xlib.h;
- imorgan AT nas.nasa.gov in bz#1731
- - (djm) [.cvsignore] Ignore ssh-pkcs11-helper
- - (djm) [regress/Makefile] Cleanup sshd_proxy_orig
- - OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/03/03 01:44:36
- [auth-options.c key.c]
- reject strings with embedded ASCII nul chars in certificate key IDs,
- principal names and constraints
- - djm@cvs.openbsd.org 2010/03/03 22:49:50
- [sshd.8]
- the authorized_keys option for CA keys is "cert-authority", not
- "from=cert-authority". spotted by imorgan AT nas.nasa.gov
- - djm@cvs.openbsd.org 2010/03/03 22:50:40
- [PROTOCOL.certkeys]
- s/similar same/similar/; from imorgan AT nas.nasa.gov
- - djm@cvs.openbsd.org 2010/03/04 01:44:57
- [key.c]
- use buffer_get_string_ptr_ret() where we are checking the return
- value explicitly instead of the fatal()-causing buffer_get_string_ptr()
- - djm@cvs.openbsd.org 2010/03/04 10:36:03
- [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
- [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
- [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
- Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
- are trusted to authenticate users (in addition than doing it per-user
- in authorized_keys).
-
- Add a RevokedKeys option to sshd_config and a @revoked marker to
- known_hosts to allow keys to me revoked and banned for user or host
- authentication.
-
- feedback and ok markus@
- - djm@cvs.openbsd.org 2010/03/03 00:47:23
- [regress/cert-hostkey.sh regress/cert-userkey.sh]
- add an extra test to ensure that authentication with the wrong
- certificate fails as it should (and it does)
- - djm@cvs.openbsd.org 2010/03/04 10:38:23
- [regress/cert-hostkey.sh regress/cert-userkey.sh]
- additional regression tests for revoked keys and TrustedUserCAKeys
-
-20100303
- - (djm) [PROTOCOL.certkeys] Add RCS Ident
- - OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2010/02/26 22:09:28
- [ssh-keygen.1 ssh.1 sshd.8]
- tweak previous;
- - otto@cvs.openbsd.org 2010/03/01 11:07:06
- [ssh-add.c]
- zap what seems to be a left-over debug message; ok markus@
- - djm@cvs.openbsd.org 2010/03/02 23:20:57
- [ssh-keygen.c]
- POSIX strptime is stricter than OpenBSD's so do a little dance to
- appease it.
- - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
-
-20100302
- - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
- http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
- respectively).
-
-20100301
- - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace
- "echo -n" with "echon" for portability.
- - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
- adjust log at verbose only, since according to cjwatson in bug #1470
- some virtualization platforms don't allow writes.
-
-20100228
- - (djm) [auth.c] On Cygwin, refuse usernames that have differences in
- case from that matched in the system password database. On this
- platform, passwords are stored case-insensitively, but sshd requires
- exact case matching for Match blocks in sshd_config(5). Based on
- a patch from vinschen AT redhat.com.
- - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
- to make older compilers (gcc 2.95) happy.
-
-20100227
- - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded
- - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
- variables copied into sshd child processes. From vinschen AT redhat.com
-
-20100226
- - OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/02/26 20:29:54
- [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
- [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
- [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
- [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
- [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
- [sshconnect2.c sshd.8 sshd.c sshd_config.5]
- Add support for certificate key types for users and hosts.
-
- OpenSSH certificate key types are not X.509 certificates, but a much
- simpler format that encodes a public key, identity information and
- some validity constraints and signs it with a CA key. CA keys are
- regular SSH keys. This certificate style avoids the attack surface
- of X.509 certificates and is very easy to deploy.
-
- Certified host keys allow automatic acceptance of new host keys
- when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
- see VERIFYING HOST KEYS in ssh(1) for details.
-
- Certified user keys allow authentication of users when the signing
- CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
- FILE FORMAT" in sshd(8) for details.
-
- Certificates are minted using ssh-keygen(1), documentation is in
- the "CERTIFICATES" section of that manpage.
-
- Documentation on the format of certificates is in the file
- PROTOCOL.certkeys
-
- feedback and ok markus@
- - djm@cvs.openbsd.org 2010/02/26 20:33:21
- [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
- regression tests for certified keys
-
-20100224
- - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
- [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/02/11 20:37:47
- [pathnames.h]
- correct comment
- - dtucker@cvs.openbsd.org 2009/11/09 04:20:04
- [regress/Makefile]
- add regression test for ssh-keygen pubkey conversions
- - dtucker@cvs.openbsd.org 2010/01/11 02:53:44
- [regress/forwarding.sh]
- regress test for stdio forwarding
- - djm@cvs.openbsd.org 2010/02/09 04:57:36
- [regress/addrmatch.sh]
- clean up droppings
- - djm@cvs.openbsd.org 2010/02/09 06:29:02
- [regress/Makefile]
- turn on all the malloc(3) checking options when running regression
- tests. this has caught a few bugs for me in the past; ok dtucker@
- - djm@cvs.openbsd.org 2010/02/24 06:21:56
- [regress/test-exec.sh]
- wait for sshd to fully stop in cleanup() function; avoids races in tests
- that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
- - markus@cvs.openbsd.org 2010/02/08 10:52:47
- [regress/agent-pkcs11.sh]
- test for PKCS#11 support (currently disabled)
- - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
- [contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage
-
-20100212
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/02/02 22:49:34
- [bufaux.c]
- make buffer_get_string_ret() really non-fatal in all cases (it was
- using buffer_get_int(), which could fatal() on buffer empty);
- ok markus dtucker
- - markus@cvs.openbsd.org 2010/02/08 10:50:20
- [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
- [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
- replace our obsolete smartcard code with PKCS#11.
- ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
- ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
- provider (shared library) while ssh-agent(1) delegates PKCS#11 to
- a forked a ssh-pkcs11-helper process.
- PKCS#11 is currently a compile time option.
- feedback and ok djm@; inspired by patches from Alon Bar-Lev
- - jmc@cvs.openbsd.org 2010/02/08 22:03:05
- [ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
- tweak previous; ok markus
- - djm@cvs.openbsd.org 2010/02/09 00:50:36
- [ssh-agent.c]
- fallout from PKCS#11: unbreak -D
- - djm@cvs.openbsd.org 2010/02/09 00:50:59
- [ssh-keygen.c]
- fix -Wall
- - djm@cvs.openbsd.org 2010/02/09 03:56:28
- [buffer.c buffer.h]
- constify the arguments to buffer_len, buffer_ptr and buffer_dump
- - djm@cvs.openbsd.org 2010/02/09 06:18:46
- [auth.c]
- unbreak ChrootDirectory+internal-sftp by skipping check for executable
- shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
- - markus@cvs.openbsd.org 2010/02/10 23:20:38
- [ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
- pkcs#11 is no longer optional; improve wording; ok jmc@
- - jmc@cvs.openbsd.org 2010/02/11 13:23:29
- [ssh.1]
- libarary -> library;
- - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
- [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
- Remove obsolete smartcard support
- - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
- Make it compile on OSX
- - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
- Use ssh_get_progname to fill __progname
- - (djm) [configure.ac] Enable PKCS#11 support only when we find a working
- dlopen()
-
-20100210
- - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for
- getseuserbyname; patch from calebcase AT gmail.com via
- cjwatson AT debian.org
-
-20100202
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/01/30 21:08:33
- [sshd.8]
- debug output goes to stderr, not "the system log"; ok markus dtucker
- - djm@cvs.openbsd.org 2010/01/30 21:12:08
- [channels.c]
- fake local addr:port when stdio fowarding as some servers (Tectia at
- least) validate that they are well-formed;
- reported by imorgan AT nas.nasa.gov
- ok dtucker
-
-20100130
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/01/28 00:21:18
- [clientloop.c]
- downgrade an error() to a debug() - this particular case can be hit in
- normal operation for certain sequences of mux slave vs session closure
- and is harmless
- - djm@cvs.openbsd.org 2010/01/29 00:20:41
- [sshd.c]
- set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
- ok dtucker@
- - djm@cvs.openbsd.org 2010/01/29 20:16:17
- [mux.c]
- kill correct channel (was killing already-dead mux channel, not
- its session channel)
- - djm@cvs.openbsd.org 2010/01/30 02:54:53
- [mux.c]
- don't mark channel as read failed if it is already closing; suppresses
- harmless error messages when connecting to SSH.COM Tectia server
- report by imorgan AT nas.nasa.gov
-
-20100129
- - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
- after registering the hardware engines, which causes the openssl.cnf file to
- be processed. See OpenSSL's man page for OPENSSL_config(3) for details.
- Patch from Solomon Peachy, ok djm@.
-
-20100128
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/01/26 02:15:20
- [mux.c]
- -Wuninitialized and remove a // comment; from portable
- (Id sync only)
- - djm@cvs.openbsd.org 2010/01/27 13:26:17
- [mux.c]
- fix bug introduced in mux rewrite:
-
- In a mux master, when a socket to a mux slave closes before its server
- session (as may occur when the slave has been signalled), gracefully
- close the server session rather than deleting its channel immediately.
- A server may have more messages on that channel to send (e.g. an exit
- message) that will fatal() the client if they are sent to a channel that
- has been prematurely deleted.
-
- spotted by imorgan AT nas.nasa.gov
- - djm@cvs.openbsd.org 2010/01/27 19:21:39
- [sftp.c]
- add missing "p" flag to getopt optstring;
- bz#1704 from imorgan AT nas.nasa.gov
-
-20100126
- - (djm) OpenBSD CVS Sync
- - tedu@cvs.openbsd.org 2010/01/17 21:49:09
- [ssh-agent.1]
- Correct and clarify ssh-add's password asking behavior.
- Improved text dtucker and ok jmc
- - dtucker@cvs.openbsd.org 2010/01/18 01:50:27
- [roaming_client.c]
- s/long long unsigned/unsigned long long/, from tim via portable
- (Id sync only, change already in portable)
- - djm@cvs.openbsd.org 2010/01/26 01:28:35
- [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
- rewrite ssh(1) multiplexing code to a more sensible protocol.
-
- The new multiplexing code uses channels for the listener and
- accepted control sockets to make the mux master non-blocking, so
- no stalls when processing messages from a slave.
-
- avoid use of fatal() in mux master protocol parsing so an errant slave
- process cannot take down a running master.
-
- implement requesting of port-forwards over multiplexed sessions. Any
- port forwards requested by the slave are added to those the master has
- established.
-
- add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
-
- document master/slave mux protocol so that other tools can use it to
- control a running ssh(1). Note: there are no guarantees that this
- protocol won't be incompatibly changed (though it is versioned).
-
- feedback Salvador Fandino, dtucker@
- channel changes ok markus@
-
-20100122
- - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
- socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
- in Cygwin to 65535. Patch from Corinna Vinschen.
-
-20100117
- - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.
- - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions
- snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf().
-
-20100116
- - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h
- so we correctly detect whether or not we have a native user_from_uid.
- - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid
- and group_from_gid.
- - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by
- Tim.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2010/01/15 09:24:23
- [sftp-common.c]
- unused
- - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused
- variable warnings.
- - (dtucker) [openbsd-compat/openbsd-compat.h] Typo.
- - (tim) [regress/portnum.sh] Shell portability fix.
- - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native
- getaddrinfo() is too old and limited for addr_pton() in addrmatch.c.
- - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we
- use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/
- to keep USL compilers happy.
-
-20100115
- - (dtucker) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2010/01/13 12:48:34
- [sftp.1 sftp.c]
- sftp.1: put ls -h in the right place
- sftp.c: as above, plus add -p to get/put, and shorten their arg names
- to keep the help usage nicely aligned
- ok djm
- - djm@cvs.openbsd.org 2010/01/13 23:47:26
- [auth.c]
- when using ChrootDirectory, make sure we test for the existence of the
- user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
- ok dtucker
- - dtucker@cvs.openbsd.org 2010/01/14 23:41:49
- [sftp-common.c]
- use user_from{uid,gid} to lookup up ids since it keeps a small cache.
- ok djm
- - guenther@cvs.openbsd.org 2010/01/15 00:05:22
- [sftp.c]
- Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
- inherited SIGTERM as ignored it will still be able to kill the ssh it
- starts.
- ok dtucker@
- - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no
- changes yet but there will be some to come).
- - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability
- for pwcache. Also, added caching of negative hits.
-
-20100114
- - (djm) [platform.h] Add missing prototype for
- platform_krb5_get_principal_name
-
-20100113
- - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs.
- - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18:
- missing restore of SIGTTOU and some whitespace.
- - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.
- - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.
- Fixes bz #1590, where sometimes you could not interrupt a connection while
- ssh was prompting for a passphrase or password.
- - (dtucker) OpenBSD CVS Sync
- - dtucker@cvs.openbsd.org 2010/01/13 00:19:04
- [sshconnect.c auth.c]
- Fix a couple of typos/mispellings in comments
- - dtucker@cvs.openbsd.org 2010/01/13 01:10:56
- [key.c]
- Ignore and log any Protocol 1 keys where the claimed size is not equal to
- the actual size. Noted by Derek Martin, ok djm@
- - dtucker@cvs.openbsd.org 2010/01/13 01:20:20
- [canohost.c ssh-keysign.c sshconnect2.c]
- Make HostBased authentication work with a ProxyCommand. bz #1569, patch
- from imorgan at nas nasa gov, ok djm@
- - djm@cvs.openbsd.org 2010/01/13 01:40:16
- [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h]
- support '-h' (human-readable units) for sftp's ls command, just like
- ls(1); ok dtucker@
- - djm@cvs.openbsd.org 2010/01/13 03:48:13
- [servconf.c servconf.h sshd.c]
- avoid run-time failures when specifying hostkeys via a relative
- path by prepending the cwd in these cases; bz#1290; ok dtucker@
- - djm@cvs.openbsd.org 2010/01/13 04:10:50
- [sftp.c]
- don't append a space after inserting a completion of a directory (i.e.
- a path ending in '/') for a slightly better user experience; ok dtucker@
- - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef.
- - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG.
- feedback and ok dtucker@
-
-20100112
- - (dtucker) OpenBSD CVS Sync
- - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
- [ssh_config channels.c ssh.1 channels.h ssh.c]
- Add a 'netcat mode' (ssh -W). This connects stdio on the client to a
- single port forward on the server. This allows, for example, using ssh as
- a ProxyCommand to route connections via intermediate servers.
- bz #1618, man page help from jmc@, ok markus@
- - dtucker@cvs.openbsd.org 2010/01/11 04:46:45
- [authfile.c sshconnect2.c]
- Do not prompt for a passphrase if we fail to open a keyfile, and log the
- reason the open failed to debug.
- bz #1693, found by tj AT castaglia org, ok djm@
- - djm@cvs.openbsd.org 2010/01/11 10:51:07
- [ssh-keygen.c]
- when converting keys, truncate key comments at 72 chars as per RFC4716;
- bz#1630 reported by tj AT castaglia.org; ok markus@
- - dtucker@cvs.openbsd.org 2010/01/12 00:16:47
- [authfile.c]
- Fix bug introduced in r1.78 (incorrect brace location) that broke key auth.
- Patch from joachim joachimschipper nl.
- - djm@cvs.openbsd.org 2010/01/12 00:58:25
- [monitor_fdpass.c]
- avoid spinning when fd passing on nonblocking sockets by calling poll()
- in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@
- - djm@cvs.openbsd.org 2010/01/12 00:59:29
- [roaming_common.c]
- delete with extreme prejudice a debug() that fired with every keypress;
- ok dtucker deraadt
- - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
- [session.c]
- Do not allow logins if /etc/nologin exists but is not readable by the user
- logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
- - djm@cvs.openbsd.org 2010/01/12 01:36:08
- [buffer.h bufaux.c]
- add a buffer_get_string_ptr_ret() that does the same as
- buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
- - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
- [session.c]
- Add explicit stat so we reliably detect nologin with bad perms.
- ok djm markus
-
-20100110
- - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
- Remove hacks add for RoutingDomain in preparation for its removal.
- - (dtucker) OpenBSD CVS Sync
- - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
- [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
- ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
- readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
- Remove RoutingDomain from ssh since it's now not needed. It can be
- replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
- also ensures that trafic such as DNS lookups stays withing the specified
- routingdomain. For example (from reyk):
- # route -T 2 exec /usr/sbin/sshd
- or inherited from the parent process
- $ route -T 2 exec sh
- $ ssh 10.1.2.3
- ok deraadt@ markus@ stevesk@ reyk@
- - dtucker@cvs.openbsd.org 2010/01/10 03:51:17
- [servconf.c]
- Add ChrootDirectory to sshd.c test-mode output
- - dtucker@cvs.openbsd.org 2010/01/10 07:15:56
- [auth.c]
- Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
-
-20100109
- - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
- have it.
- - (dtucker) [defines.h] define PRIu64 for platforms that don't have it.
- - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef.
- - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name
- when using utmpx. Patch from Ed Schouten.
- - (dtucker) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2010/01/09 00:20:26
- [sftp-server.c sftp-server.8]
- add a 'read-only' mode to sftp-server(8) that disables open in write mode
- and all other fs-modifying protocol methods. bz#430 ok dtucker@
- - djm@cvs.openbsd.org 2010/01/09 00:57:10
- [PROTOCOL]
- tweak language
- - jmc@cvs.openbsd.org 2010/01/09 03:36:00
- [sftp-server.8]
- bad place to forget a comma...
- - djm@cvs.openbsd.org 2010/01/09 05:04:24
- [mux.c sshpty.h clientloop.c sshtty.c]
- quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
- usually don't actually have a tty to read/set; bz#1686 ok dtucker@
- - dtucker@cvs.openbsd.org 2010/01/09 05:17:00
- [roaming_client.c]
- Remove a PRIu64 format string that snuck in with roaming. ok djm@
- - dtucker@cvs.openbsd.org 2010/01/09 11:13:02
- [sftp.c]
- Prevent sftp from derefing a null pointer when given a "-" without a
- command. Also, allow whitespace to follow a "-". bz#1691, path from
- Colin Watson via Debian. ok djm@ deraadt@
- - dtucker@cvs.openbsd.org 2010/01/09 11:17:56
- [sshd.c]
- Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs
- itself. Prevents two HUPs in quick succession from resulting in sshd
- dying. bz#1692, patch from Colin Watson via Ubuntu.
- - (dtucker) [defines.h] Remove now-undeeded PRIu64 define.
-
-20100108
- - (dtucker) OpenBSD CVS Sync
- - andreas@cvs.openbsd.org 2009/10/24 11:11:58
- [roaming.h]
- Declarations needed for upcoming changes.
- ok markus@
- - andreas@cvs.openbsd.org 2009/10/24 11:13:54
- [sshconnect2.c kex.h kex.c]
- Let the client detect if the server supports roaming by looking
- for the resume@appgate.com kex algorithm.
- ok markus@
- - andreas@cvs.openbsd.org 2009/10/24 11:15:29
- [clientloop.c]
- client_loop() must detect if the session has been suspended and resumed,
- and take appropriate action in that case.
- From Martin Forssen, maf at appgate dot com
- - andreas@cvs.openbsd.org 2009/10/24 11:19:17
- [ssh2.h]
- Define the KEX messages used when resuming a suspended connection.
- ok markus@
- - andreas@cvs.openbsd.org 2009/10/24 11:22:37
- [roaming_common.c]
- Do the actual suspend/resume in the client. This won't be useful until
- the server side supports roaming.
- Most code from Martin Forssen, maf at appgate dot com. Some changes by
- me and markus@
- ok markus@
- - andreas@cvs.openbsd.org 2009/10/24 11:23:42
- [ssh.c]
- Request roaming to be enabled if UseRoaming is true and the server
- supports it.
- ok markus@
- - reyk@cvs.openbsd.org 2009/10/28 16:38:18
- [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
- channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
- sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
- Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
- ok markus@
- - jmc@cvs.openbsd.org 2009/10/28 21:45:08
- [sshd_config.5 sftp.1]
- tweak previous;
- - djm@cvs.openbsd.org 2009/11/10 02:56:22
- [ssh_config.5]
- explain the constraints on LocalCommand some more so people don't
- try to abuse it.
- - djm@cvs.openbsd.org 2009/11/10 02:58:56
- [sshd_config.5]
- clarify that StrictModes does not apply to ChrootDirectory. Permissions
- and ownership are always checked when chrooting. bz#1532
- - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
- [sshconnect2.c channels.c sshconnect.c]
- Set close-on-exec on various descriptors so they don't get leaked to
- child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
- - markus@cvs.openbsd.org 2009/11/11 21:37:03
- [channels.c channels.h]
- fix race condition in x11/agent channel allocation: don't read after
- the end of the select read/write fdset and make sure a reused FD
- is not touched before the pre-handlers are called.
- with and ok djm@
- - djm@cvs.openbsd.org 2009/11/17 05:31:44
- [clientloop.c]
- fix incorrect exit status when multiplexing and channel ID 0 is recycled
- bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
- - djm@cvs.openbsd.org 2009/11/19 23:39:50
- [session.c]
- bz#1606: error when an attempt is made to connect to a server
- with ForceCommand=internal-sftp with a shell session (i.e. not a
- subsystem session). Avoids stuck client when attempting to ssh to such a
- service. ok dtucker@
- - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
- [session.c]
- Warn but do not fail if stat()ing the subsystem binary fails. This helps
- with chrootdirectory+forcecommand=sftp-server and restricted shells.
- bz #1599, ok djm.
- - djm@cvs.openbsd.org 2009/11/20 00:54:01
- [sftp.c]
- bz#1588 change "Connecting to host..." message to "Connected to host."
- and delay it until after the sftp protocol connection has been established.
- Avoids confusing sequence of messages when the underlying ssh connection
- experiences problems. ok dtucker@
- - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
- [sshconnect2.c]
- Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
- - djm@cvs.openbsd.org 2009/11/20 03:24:07
- [misc.c]
- correct off-by-one in percent_expand(): we would fatal() when trying
- to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
- work. Note that nothing in OpenSSH actually uses close to this limit at
- present. bz#1607 from Jan.Pechanec AT Sun.COM
- - halex@cvs.openbsd.org 2009/11/22 13:18:00
- [sftp.c]
- make passing of zero-length arguments to ssh safe by
- passing "-<switch>" "<value>" rather than "-<switch><value>"
- ok dtucker@, guenther@, djm@
- - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
- [sshconnect2.c]
- zap unused variable and strlen; from Steve McClellan, ok djm
- - djm@cvs.openbsd.org 2009/12/06 23:53:45
- [roaming_common.c]
- use socklen_t for getsockopt optlen parameter; reported by
- Steve.McClellan AT radisys.com, ok dtucker@
- - dtucker@cvs.openbsd.org 2009/12/06 23:53:54
- [sftp.c]
- fix potential divide-by-zero in sftp's "df" output when talking to a server
- that reports zero files on the filesystem (Unix filesystems always have at
- least the root inode). From Steve McClellan at radisys, ok djm@
- - markus@cvs.openbsd.org 2009/12/11 18:16:33
- [key.c]
- switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
- for the RSA public exponent; discussed with provos; ok djm@
- - guenther@cvs.openbsd.org 2009/12/20 07:28:36
- [ssh.c sftp.c scp.c]
- When passing user-controlled options with arguments to other programs,
- pass the option and option argument as separate argv entries and
- not smashed into one (e.g., as -l foo and not -lfoo). Also, always
- pass a "--" argument to stop option parsing, so that a positional
- argument that starts with a '-' isn't treated as an option. This
- fixes some error cases as well as the handling of hostnames and
- filenames that start with a '-'.
- Based on a diff by halex@
- ok halex@ djm@ deraadt@
- - djm@cvs.openbsd.org 2009/12/20 23:20:40
- [PROTOCOL]
- fix an incorrect magic number and typo in PROTOCOL; bz#1688
- report and fix from ueno AT unixuser.org
- - stevesk@cvs.openbsd.org 2009/12/25 19:40:21
- [readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
- validate routing domain is in range 0-RT_TABLEID_MAX.
- 'Looks right' deraadt@
- - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
- [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
- Rename RDomain config option to RoutingDomain to be more clear and
- consistent with other options.
- NOTE: if you currently use RDomain in the ssh client or server config,
- or ssh/sshd -o, you must update to use RoutingDomain.
- ok markus@ djm@
- - jmc@cvs.openbsd.org 2009/12/29 18:03:32
- [sshd_config.5 ssh_config.5]
- sort previous;
-
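Review bot: The deleted 20100108 block takes with it the stevesk@ 2009/12/29 16:38:41 entry, whose NOTE tells users that RDomain was renamed to RoutingDomain and that client or server configs and ssh/sshd -o usage must be updated. Because the commit is 0 insertions, the trimmed ChangeLog keeps no pointer to where that notice can still be read. The same span also drops the records of fixes an auditor may want to date, such as the close-on-exec change for leaked descriptors (bz #1643), the x11/agent channel allocation race, and the "--" argv separation in ssh.c, sftp.c and scp.c. Suggest adding a closing line to the file stating that entries older than 5.5p1 remain available in the repository history, and saying the same in the commit message, which currently reads only "trim entries older than 5.5p1".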