Darren Tucker | 46bbbe3 | 2009-10-07 08:21:48 +1100 | [diff] [blame] | 1 | 20091007 |
| 2 | - (dtucker) OpenBSD CVS Sync |
| 3 | - djm@cvs.openbsd.org 2009/08/12 00:13:00 |
| 4 | [sftp.c sftp.1] |
| 5 | support most of scp(1)'s commandline arguments in sftp(1), as a first |
| 6 | step towards making sftp(1) a drop-in replacement for scp(1). |
| 7 | One conflicting option (-P) has not been changed, pending further |
| 8 | discussion. |
| 9 | Patch from carlosvsilvapt@gmail.com as part of his work in the |
| 10 | Google Summer of Code |
Darren Tucker | adba1ba | 2009-10-07 08:22:20 +1100 | [diff] [blame] | 11 | - jmc@cvs.openbsd.org 2009/08/12 06:31:42 |
| 12 | [sftp.1] |
| 13 | sort options; |
Darren Tucker | 282b402 | 2009-10-07 08:23:06 +1100 | [diff] [blame] | 14 | - djm@cvs.openbsd.org 2009/08/13 01:11:19 |
| 15 | [sftp.1 sftp.c] |
| 16 | Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path", |
| 17 | add "-P port" to match scp(1). Fortunately, the -P option is only really |
| 18 | used by our regression scripts. |
| 19 | part of larger patch from carlosvsilvapt@gmail.com for his Google Summer |
| 20 | of Code work; ok deraadt markus |
Darren Tucker | c07138e | 2009-10-07 08:23:44 +1100 | [diff] [blame] | 21 | - jmc@cvs.openbsd.org 2009/08/13 13:39:54 |
| 22 | [sftp.1 sftp.c] |
| 23 | sync synopsis and usage(); |
Darren Tucker | c22f090 | 2009-10-07 08:24:19 +1100 | [diff] [blame] | 24 | - djm@cvs.openbsd.org 2009/08/14 18:17:49 |
| 25 | [sftp-client.c] |
| 26 | make the "get_handle: ..." error messages vaguely useful by allowing |
| 27 | callers to specify their own error message strings. |
Darren Tucker | e54a036 | 2009-10-07 08:35:32 +1100 | [diff] [blame] | 28 | - fgsch@cvs.openbsd.org 2009/08/15 18:56:34 |
| 29 | [auth.h] |
| 30 | remove unused define. markus@ ok. |
| 31 | (Id sync only, Portable still uses this.) |
Darren Tucker | 1477ea1 | 2009-10-07 08:36:05 +1100 | [diff] [blame] | 32 | - dtucker@cvs.openbsd.org 2009/08/16 23:29:26 |
| 33 | [sshd_config.5] |
| 34 | Add PubkeyAuthentication to the list allowed in a Match block (bz #1577) |
Darren Tucker | 1b0dd17 | 2009-10-07 08:37:48 +1100 | [diff] [blame] | 35 | - djm@cvs.openbsd.org 2009/08/18 18:36:21 |
| 36 | [sftp-client.h sftp.1 sftp-client.c sftp.c] |
| 37 | recursive transfer support for get/put and on the commandline |
| 38 | work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code |
| 39 | with some tweaks by me; "go for it" deraadt@ |
Darren Tucker | 05016b2 | 2009-10-07 08:38:23 +1100 | [diff] [blame] | 40 | - djm@cvs.openbsd.org 2009/08/18 21:15:59 |
| 41 | [sftp.1] |
| 42 | fix "get" command usage, spotted by jmc@ |
Darren Tucker | b3b40a8 | 2009-10-07 08:39:09 +1100 | [diff] [blame] | 43 | - jmc@cvs.openbsd.org 2009/08/19 04:56:03 |
| 44 | [sftp.1] |
| 45 | ether -> either; |
Darren Tucker | 8ec4fd8 | 2009-10-07 08:39:57 +1100 | [diff] [blame] | 46 | - dtucker@cvs.openbsd.org 2009/08/20 23:54:28 |
| 47 | [mux.c] |
| 48 | subsystem_flag is defined in ssh.c so it's extern; ok djm |
Darren Tucker | 7dc4850 | 2009-10-07 08:44:42 +1100 | [diff] [blame] | 49 | - djm@cvs.openbsd.org 2009/08/27 17:28:52 |
| 50 | [sftp-server.c] |
| 51 | allow setting an explicit umask on the commandline to override whatever |
| 52 | default the user has. bz#1229; ok dtucker@ deraadt@ markus@ |
Darren Tucker | 9bcd25b | 2009-10-07 08:45:48 +1100 | [diff] [blame] | 53 | - djm@cvs.openbsd.org 2009/08/27 17:33:49 |
| 54 | [ssh-keygen.c] |
| 55 | force use of correct hash function for random-art signature display |
| 56 | as it was inheriting the wrong one when bubblebabble signatures were |
| 57 | activated; bz#1611 report and patch from fwojcik+openssh AT besh.com; |
| 58 | ok markus@ |
Darren Tucker | 6b286a4 | 2009-10-07 08:46:21 +1100 | [diff] [blame] | 59 | - djm@cvs.openbsd.org 2009/08/27 17:43:00 |
| 60 | [sftp-server.8] |
| 61 | allow setting an explicit umask on the commandline to override whatever |
| 62 | default the user has. bz#1229; ok dtucker@ deraadt@ markus@ |
Darren Tucker | 893d735 | 2009-10-07 08:47:02 +1100 | [diff] [blame] | 63 | - djm@cvs.openbsd.org 2009/08/27 17:44:52 |
| 64 | [authfd.c ssh-add.c authfd.h] |
| 65 | Do not fall back to adding keys without contraints (ssh-add -c / -t ...) |
| 66 | when the agent refuses the constrained add request. This was a useful |
| 67 | migration measure back in 2002 when constraints were new, but just |
| 68 | adds risk now. |
| 69 | bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@ |
Darren Tucker | 30359e1 | 2009-10-07 08:47:24 +1100 | [diff] [blame] | 70 | - djm@cvs.openbsd.org 2009/08/31 20:56:02 |
| 71 | [sftp-server.c] |
| 72 | check correct variable for error message, spotted by martynas@ |
Darren Tucker | 7bee06a | 2009-10-07 08:47:47 +1100 | [diff] [blame] | 73 | - djm@cvs.openbsd.org 2009/08/31 21:01:29 |
| 74 | [sftp-server.8] |
| 75 | document -e and -h; prodded by jmc@ |
Darren Tucker | 72473c6 | 2009-10-07 09:01:03 +1100 | [diff] [blame] | 76 | - djm@cvs.openbsd.org 2009/09/01 14:43:17 |
| 77 | [ssh-agent.c] |
| 78 | fix a race condition in ssh-agent that could result in a wedged or |
| 79 | spinning agent: don't read off the end of the allocated fd_sets, and |
| 80 | don't issue blocking read/write on agent sockets - just fall back to |
| 81 | select() on retriable read/write errors. bz#1633 reported and tested |
| 82 | by "noodle10000 AT googlemail.com"; ok dtucker@ markus@ |
Darren Tucker | 759cb2a | 2009-10-07 09:01:50 +1100 | [diff] [blame] | 83 | - grunk@cvs.openbsd.org 2009/10/01 11:37:33 |
| 84 | [dh.c] |
| 85 | fix a cast |
| 86 | ok djm@ markus@ |
Darren Tucker | 695ed39 | 2009-10-07 09:02:18 +1100 | [diff] [blame] | 87 | - djm@cvs.openbsd.org 2009/10/06 04:46:40 |
| 88 | [session.c] |
| 89 | bz#1596: fflush(NULL) before exec() to ensure that everying (motd |
| 90 | in particular) has made it out before the streams go away. |
Darren Tucker | 7023d16 | 2009-10-07 10:30:06 +1100 | [diff] [blame] | 91 | - djm@cvs.openbsd.org 2008/12/07 22:17:48 |
| 92 | [regress/addrmatch.sh] |
| 93 | match string "passwordauthentication" only at start of line, not anywhere |
| 94 | in sshd -T output |
Darren Tucker | 7988553 | 2009-10-07 10:30:57 +1100 | [diff] [blame^] | 95 | - dtucker@cvs.openbsd.org 2009/05/05 07:51:36 |
| 96 | [regress/multiplex.sh] |
| 97 | Always specify ssh_config for multiplex tests: prevents breakage caused |
| 98 | by options in ~/.ssh/config. From Dan Peterson. |
Darren Tucker | 46bbbe3 | 2009-10-07 08:21:48 +1100 | [diff] [blame] | 99 | |
Damien Miller | 350666d | 2009-10-02 11:50:55 +1000 | [diff] [blame] | 100 | 20091002 |
| 101 | - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps. |
| 102 | spotted by des AT des.no |
| 103 | |
Damien Miller | ea43742 | 2009-10-02 11:49:03 +1000 | [diff] [blame] | 104 | 20090926 |
| 105 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| 106 | [contrib/suse/openssh.spec] Update for release |
| 107 | - (djm) [README] update relnotes URL |
| 108 | - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere |
| 109 | - (djm) Release 5.3p1 |
| 110 | |
Darren Tucker | e02b49a | 2009-09-11 14:56:08 +1000 | [diff] [blame] | 111 | 20090911 |
| 112 | - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X |
| 113 | 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch |
| 114 | from jbasney at ncsa uiuc edu. |
| 115 | |
Damien Miller | e5d5a17 | 2009-09-09 11:07:28 +1000 | [diff] [blame] | 116 | 20090908 |
| 117 | - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port |
| 118 | (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@ |
| 119 | |
Darren Tucker | dad48e7 | 2009-09-01 18:26:00 +1000 | [diff] [blame] | 120 | 20090901 |
| 121 | - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for |
| 122 | krb5-config if it's not in the location specified by --with-kerberos5. |
| 123 | Patch from jchadima at redhat. |
| 124 | |
Darren Tucker | 427adf1 | 2009-08-29 09:14:48 +1000 | [diff] [blame] | 125 | 20090829 |
| 126 | - (dtucker) [README.platform] Add text about development packages, based on |
| 127 | text from Chris Pepper in bug #1631. |
| 128 | |
Darren Tucker | 28b973e | 2009-08-28 10:16:44 +1000 | [diff] [blame] | 129 | 20090828 |
| 130 | - dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently |
| 131 | causes problems in some Tru64 configurations. |
Damien Miller | 8aac993 | 2009-08-28 10:40:30 +1000 | [diff] [blame] | 132 | - (djm) [sshd_config.5] downgrade mention of login.conf to be an example |
| 133 | and mention PAM as another provider for ChallengeResponseAuthentication; |
| 134 | bz#1408; ok dtucker@ |
Damien Miller | 0e26551 | 2009-08-28 10:43:13 +1000 | [diff] [blame] | 135 | - (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when |
| 136 | attempting atomic rename(); ok dtucker@ |
Damien Miller | 7d4a268 | 2009-08-28 10:47:38 +1000 | [diff] [blame] | 137 | - (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables |
| 138 | in argv, so pass them in the environment; ok dtucker@ |
Darren Tucker | 3980b63 | 2009-08-28 11:02:37 +1000 | [diff] [blame] | 139 | - (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on |
| 140 | the pty master on Solaris, since it never succeeds and can hang if large |
| 141 | amounts of data is sent to the slave (eg a copy-paste). Based on a patch |
| 142 | originally from Doke Scott, ok djm@ |
Darren Tucker | 86e30a0 | 2009-08-28 11:21:06 +1000 | [diff] [blame] | 143 | - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer |
| 144 | size a compile-time option and set it to 64k on Cygwin, since Corinna |
| 145 | reports that it makes a significant difference to performance. ok djm@ |
Darren Tucker | ac9f1b9 | 2009-08-28 15:01:20 +1000 | [diff] [blame] | 146 | - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry. |
Darren Tucker | 28b973e | 2009-08-28 10:16:44 +1000 | [diff] [blame] | 147 | |
Darren Tucker | 2a5588d | 2009-08-20 16:16:01 +1000 | [diff] [blame] | 148 | 20090820 |
| 149 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not |
| 150 | using it since the type conflicts can cause problems on FreeBSD. Patch |
| 151 | from Jonathan Chen. |
Darren Tucker | 82edf23 | 2009-08-20 16:20:50 +1000 | [diff] [blame] | 152 | - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move |
| 153 | the setpcred call on AIX to immediately before the permanently_set_uid(). |
| 154 | Ensures that we still have privileges when we call chroot and |
| 155 | pam_open_sesson. Based on a patch from David Leonard. |
Darren Tucker | 2a5588d | 2009-08-20 16:16:01 +1000 | [diff] [blame] | 156 | |
Darren Tucker | 83d8f28 | 2009-08-17 09:35:22 +1000 | [diff] [blame] | 157 | 20090817 |
| 158 | - (dtucker) [configure.ac] Check for headers before libraries for openssl an |
| 159 | zlib, which should make the errors slightly more meaningful on platforms |
| 160 | where there's separate "-devel" packages for those. |
Darren Tucker | b5d5ee1 | 2009-08-17 09:40:00 +1000 | [diff] [blame] | 161 | - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make |
| 162 | PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders. |
Darren Tucker | 83d8f28 | 2009-08-17 09:35:22 +1000 | [diff] [blame] | 163 | |
Tim Rice | caeb164 | 2009-07-29 07:21:13 -0700 | [diff] [blame] | 164 | 20090729 |
| 165 | - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error |
| 166 | function. Patch from Corinna Vinschen. |
| 167 | |
Darren Tucker | 440089a | 2009-07-13 11:38:23 +1000 | [diff] [blame] | 168 | 20090713 |
| 169 | - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it |
| 170 | fits into 16 bits to work around a bug in glibc's resolver where it masks |
| 171 | off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob. |
| 172 | |
Darren Tucker | c4b22ca | 2009-07-12 21:56:29 +1000 | [diff] [blame] | 173 | 20090712 |
| 174 | - (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test, |
| 175 | prevents configure complaining on older BSDs. |
Darren Tucker | 8fdcba5 | 2009-07-12 21:58:42 +1000 | [diff] [blame] | 176 | - (dtucker [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch |
| 177 | from Corinna Vinschen. |
Darren Tucker | 622d5c5 | 2009-07-12 22:07:21 +1000 | [diff] [blame] | 178 | - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on |
Darren Tucker | 916fdda | 2009-07-12 22:12:28 +1000 | [diff] [blame] | 179 | logout to after the session close. Patch from Anicka Bernathova, |
| 180 | originally from Andreas Schwab via Novelll ok djm. |
Darren Tucker | c4b22ca | 2009-07-12 21:56:29 +1000 | [diff] [blame] | 181 | |
Darren Tucker | 4d4fdc0 | 2009-07-07 21:19:11 +1000 | [diff] [blame] | 182 | 20090707 |
| 183 | - (dtucker) [contrib/cygwin/ssh-host-config] better support for automated |
| 184 | scripts and fix usage of eval. Patch from Corinna Vinschen. |
| 185 | |
| 186 | 20090705 |
Darren Tucker | e841eb0 | 2009-07-06 07:11:13 +1000 | [diff] [blame] | 187 | - (dtucker) OpenBSD CVS Sync |
| 188 | - andreas@cvs.openbsd.org 2009/06/27 09:29:06 |
| 189 | [packet.h packet.c] |
| 190 | packet_bacup_state() and packet_restore_state() will be used to |
| 191 | temporarily save the current state ren resuming a suspended connection. |
| 192 | ok markus@ |
Darren Tucker | 466df21 | 2009-07-06 07:11:52 +1000 | [diff] [blame] | 193 | - andreas@cvs.openbsd.org 2009/06/27 09:32:43 |
| 194 | [roaming_common.c roaming.h] |
| 195 | It may be necessary to retransmit some data when resuming, so add it |
| 196 | to a buffer when roaming is enabled. |
| 197 | Most of this code was written by Martin Forssen, maf at appgate dot com. |
| 198 | ok markus@ |
Darren Tucker | 71e4d54 | 2009-07-06 07:12:27 +1000 | [diff] [blame] | 199 | - andreas@cvs.openbsd.org 2009/06/27 09:35:06 |
| 200 | [readconf.h readconf.c] |
| 201 | Add client option UseRoaming. It doesn't do anything yet but will |
| 202 | control whether the client tries to use roaming if enabled on the |
| 203 | server. From Martin Forssen. |
| 204 | ok markus@ |
Darren Tucker | cd6b1a2 | 2009-07-06 07:13:04 +1000 | [diff] [blame] | 205 | - markus@cvs.openbsd.org 2009/06/30 14:54:40 |
| 206 | [version.h] |
| 207 | crank version; ok deraadt |
Darren Tucker | 199b134 | 2009-07-06 07:16:56 +1000 | [diff] [blame] | 208 | - dtucker@cvs.openbsd.org 2009/07/02 02:11:47 |
| 209 | [ssh.c] |
| 210 | allow for long home dir paths (bz #1615). ok deraadt |
| 211 | (based in part on a patch from jchadima at redhat) |
Darren Tucker | de0c025 | 2009-07-06 07:17:35 +1000 | [diff] [blame] | 212 | - stevesk@cvs.openbsd.org 2009/07/05 19:28:33 |
| 213 | [clientloop.c] |
| 214 | only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@ |
| 215 | ok deraadt@ markus@ |
Darren Tucker | e841eb0 | 2009-07-06 07:11:13 +1000 | [diff] [blame] | 216 | |
Darren Tucker | 821d3db | 2009-06-22 16:11:06 +1000 | [diff] [blame] | 217 | 20090622 |
| 218 | - (dtucker) OpenBSD CVS Sync |
| 219 | - dtucker@cvs.openbsd.org 2009/06/22 05:39:28 |
| 220 | [monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c] |
| 221 | alphabetize includes; reduces diff vs portable and style(9). |
| 222 | ok stevesk djm |
| 223 | (Id sync only; these were already in order in -portable) |
| 224 | |
Darren Tucker | 72efd74 | 2009-06-21 17:48:00 +1000 | [diff] [blame] | 225 | 20090621 |
| 226 | - (dtucker) OpenBSD CVS Sync |
| 227 | - markus@cvs.openbsd.org 2009/03/17 21:37:00 |
| 228 | [ssh.c] |
| 229 | pass correct argv[0] to openlog(); ok djm@ |
Darren Tucker | 3a6a51f | 2009-06-21 17:48:52 +1000 | [diff] [blame] | 230 | - jmc@cvs.openbsd.org 2009/03/19 15:15:09 |
| 231 | [ssh.1] |
| 232 | for "Ciphers", just point the reader to the keyword in ssh_config(5), just |
| 233 | as we do for "MACs": this stops us getting out of sync when the lists |
| 234 | change; |
| 235 | fixes documentation/6102, submitted by Peter J. Philipp |
| 236 | alternative fix proposed by djm |
| 237 | ok markus |
Darren Tucker | a096450 | 2009-06-21 17:49:36 +1000 | [diff] [blame] | 238 | - tobias@cvs.openbsd.org 2009/03/23 08:31:19 |
| 239 | [ssh-agent.c] |
| 240 | Fixed a possible out-of-bounds memory access if the environment variable |
| 241 | SHELL is shorter than 3 characters. |
| 242 | with input by and ok dtucker |
Darren Tucker | 9013323 | 2009-06-21 17:50:15 +1000 | [diff] [blame] | 243 | - tobias@cvs.openbsd.org 2009/03/23 19:38:04 |
| 244 | [ssh-agent.c] |
| 245 | My previous commit didn't fix the problem at all, so stick at my first |
| 246 | version of the fix presented to dtucker. |
| 247 | Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de). |
| 248 | ok dtucker |
Darren Tucker | 5837b51 | 2009-06-21 17:52:27 +1000 | [diff] [blame] | 249 | - sobrado@cvs.openbsd.org 2009/03/26 08:38:39 |
| 250 | [sftp-server.8 sshd.8 ssh-agent.1] |
| 251 | fix a few typographical errors found by spell(1). |
| 252 | ok dtucker@, jmc@ |
Darren Tucker | af501cf | 2009-06-21 17:53:04 +1000 | [diff] [blame] | 253 | - stevesk@cvs.openbsd.org 2009/04/13 19:07:44 |
| 254 | [sshd_config.5] |
| 255 | fix possessive; ok djm@ |
Darren Tucker | b62f1a8 | 2009-06-21 17:53:48 +1000 | [diff] [blame] | 256 | - stevesk@cvs.openbsd.org 2009/04/14 16:33:42 |
| 257 | [sftp-server.c] |
| 258 | remove unused option character from getopt() optstring; ok markus@ |
Darren Tucker | 3b59dfa | 2009-06-21 17:54:47 +1000 | [diff] [blame] | 259 | - jj@cvs.openbsd.org 2009/04/14 21:10:54 |
| 260 | [servconf.c] |
| 261 | Fixed a few the-the misspellings in comments. Skipped a bunch in |
| 262 | binutils,gcc and so on. ok jmc@ |
Darren Tucker | ac46a91 | 2009-06-21 17:55:23 +1000 | [diff] [blame] | 263 | - stevesk@cvs.openbsd.org 2009/04/17 19:23:06 |
| 264 | [session.c] |
| 265 | use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server; |
| 266 | ok djm@ markus@ |
Darren Tucker | 00fcd71 | 2009-06-21 17:56:00 +1000 | [diff] [blame] | 267 | - stevesk@cvs.openbsd.org 2009/04/17 19:40:17 |
| 268 | [sshd_config.5] |
| 269 | clarify that even internal-sftp needs /dev/log for logging to work; ok |
| 270 | markus@ |
Darren Tucker | f92077f | 2009-06-21 17:56:25 +1000 | [diff] [blame] | 271 | - jmc@cvs.openbsd.org 2009/04/18 18:39:10 |
| 272 | [sshd_config.5] |
| 273 | tweak previous; ok stevesk |
Darren Tucker | 51dbe50 | 2009-06-21 17:56:51 +1000 | [diff] [blame] | 274 | - stevesk@cvs.openbsd.org 2009/04/21 15:13:17 |
| 275 | [sshd_config.5] |
| 276 | clarify we cd to user's home after chroot; ok markus@ on |
| 277 | earlier version; tweaks and ok jmc@ |
Darren Tucker | f7288d7 | 2009-06-21 18:12:20 +1000 | [diff] [blame] | 278 | - andreas@cvs.openbsd.org 2009/05/25 06:48:01 |
| 279 | [channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c |
| 280 | monitor.c] |
| 281 | Put the globals in packet.c into a struct and don't access it directly |
| 282 | from other files. No functional changes. |
| 283 | ok markus@ djm@ |
| 284 | - andreas@cvs.openbsd.org 2009/05/27 06:31:25 |
| 285 | [canohost.h canohost.c] |
| 286 | Add clear_cached_addr(), needed for upcoming changes allowing the peer |
| 287 | address to change. |
| 288 | ok markus@ |
Darren Tucker | 39c7632 | 2009-06-21 18:13:57 +1000 | [diff] [blame] | 289 | - andreas@cvs.openbsd.org 2009/05/27 06:33:39 |
| 290 | [clientloop.c] |
| 291 | Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger |
| 292 | change from Martin Forssen, maf at appgate dot com. |
| 293 | ok markus@ |
Darren Tucker | 12b4a65 | 2009-06-21 18:14:48 +1000 | [diff] [blame] | 294 | - andreas@cvs.openbsd.org 2009/05/27 06:34:36 |
| 295 | [kex.c kex.h] |
| 296 | Move the KEX_COOKIE_LEN define to kex.h |
| 297 | ok markus@ |
Darren Tucker | 5b48cdd | 2009-06-21 18:15:25 +1000 | [diff] [blame] | 298 | - andreas@cvs.openbsd.org 2009/05/27 06:36:07 |
| 299 | [packet.h packet.c] |
| 300 | Add packet_put_int64() and packet_get_int64(), part of a larger change |
| 301 | from Martin Forssen. |
Darren Tucker | 761c389 | 2009-06-21 18:16:26 +1000 | [diff] [blame] | 302 | ok markus@ |
| 303 | - andreas@cvs.openbsd.org 2009/05/27 06:38:16 |
| 304 | [sshconnect.h sshconnect.c] |
| 305 | Un-static ssh_exchange_identification(), part of a larger change from |
| 306 | Martin Forssen and needed for upcoming changes. |
| 307 | ok markus@ |
Darren Tucker | 1cc55d7 | 2009-06-21 18:17:19 +1000 | [diff] [blame] | 308 | - andreas@cvs.openbsd.org 2009/05/28 16:50:16 |
| 309 | [sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c |
Darren Tucker | c5564e1 | 2009-06-21 18:53:53 +1000 | [diff] [blame] | 310 | monitor.c Added roaming.h roaming_common.c roaming_dummy.c] |
Darren Tucker | 1cc55d7 | 2009-06-21 18:17:19 +1000 | [diff] [blame] | 311 | Keep track of number of bytes read and written. Needed for upcoming |
| 312 | changes. Most code from Martin Forssen, maf at appgate dot com. |
| 313 | ok markus@ |
Darren Tucker | c5564e1 | 2009-06-21 18:53:53 +1000 | [diff] [blame] | 314 | Also, applied appropriate changes to Makefile.in |
Darren Tucker | b422afa | 2009-06-21 18:58:46 +1000 | [diff] [blame] | 315 | - andreas@cvs.openbsd.org 2009/06/12 20:43:22 |
| 316 | [monitor.c packet.c] |
| 317 | Fix warnings found by chl@ and djm@ and change roaming_atomicio's |
| 318 | return type to match atomicio's |
| 319 | Diff from djm@, ok markus@ |
Darren Tucker | 7b935c7 | 2009-06-21 18:59:36 +1000 | [diff] [blame] | 320 | - andreas@cvs.openbsd.org 2009/06/12 20:58:32 |
| 321 | [packet.c] |
| 322 | Move some more statics into session_state |
| 323 | ok markus@ djm@ |
Darren Tucker | 6ae35ac | 2009-06-21 19:00:20 +1000 | [diff] [blame] | 324 | - dtucker@cvs.openbsd.org 2009/06/21 07:37:15 |
| 325 | [kexdhs.c kexgexs.c] |
| 326 | abort if key_sign fails, preventing possible null deref. Based on report |
| 327 | from Paolo Ganci, ok markus@ djm@ |
Darren Tucker | e6b590e | 2009-06-21 19:08:48 +1000 | [diff] [blame] | 328 | - dtucker@cvs.openbsd.org 2009/06/21 09:04:03 |
| 329 | [roaming.h roaming_common.c roaming_dummy.c] |
| 330 | Add tags for the benefit of the sync scripts |
| 331 | Also: pull in the changes for 1.1->1.2 missed in the previous sync. |
Darren Tucker | 43e7a35 | 2009-06-21 19:50:08 +1000 | [diff] [blame] | 332 | - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and |
| 333 | header-order changes to reduce diff vs OpenBSD. |
Darren Tucker | 64cee36 | 2009-06-21 20:26:17 +1000 | [diff] [blame] | 334 | - (dtucker) [servconf.c sshd.c] More whitespace sync. |
Darren Tucker | 828c96d | 2009-06-21 22:22:08 +1000 | [diff] [blame] | 335 | - (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in |
| 336 | ifdef. |
Darren Tucker | 72efd74 | 2009-06-21 17:48:00 +1000 | [diff] [blame] | 337 | |
Darren Tucker | 3278062 | 2009-06-16 16:11:02 +1000 | [diff] [blame] | 338 | 20090616 |
| 339 | - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t |
| 340 | is a struct with a __val member. Fixes build on, eg, Redhat 6.2. |
| 341 | |
Darren Tucker | a422d97 | 2009-05-04 12:52:47 +1000 | [diff] [blame] | 342 | 20090504 |
| 343 | - (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include |
| 344 | variable declarations. Should prevent unused warnings anywhere it's set |
| 345 | (only Crays as far as I can tell) and be a no-op everywhere else. |
| 346 | |
Tim Rice | a74000e | 2009-03-18 11:25:02 -0700 | [diff] [blame] | 347 | 20090318 |
| 348 | - (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem |
| 349 | that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005. |
| 350 | Based on patch from vinschen at redhat com. |
| 351 | |
Darren Tucker | 9d86e5d | 2009-03-08 11:40:27 +1100 | [diff] [blame] | 352 | 20090308 |
| 353 | - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c |
| 354 | auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} |
| 355 | openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old |
| 356 | version of Cygwin. Patch from vinschen at redhat com. |
| 357 | |
Darren Tucker | 558d6ca | 2009-03-07 10:22:10 +1100 | [diff] [blame] | 358 | 20090307 |
| 359 | - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it |
| 360 | exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS |
| 361 | has a /dev/random). |
Darren Tucker | 8aae6ff | 2009-03-07 12:01:47 +1100 | [diff] [blame] | 362 | - (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add |
| 363 | EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c |
| 364 | to use them. Allows building with older OpenSSL versions. |
Darren Tucker | ccfee05 | 2009-03-07 12:32:22 +1100 | [diff] [blame] | 365 | - (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed. |
Darren Tucker | 30ed668 | 2009-03-07 18:06:22 +1100 | [diff] [blame] | 366 | - (dtucker) [configure.ac] Missing comma in type list. |
Darren Tucker | 3e7e15f | 2009-03-07 22:22:35 +1100 | [diff] [blame] | 367 | - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] |
| 368 | EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg |
| 369 | in openssl 0.9.6) so add an explicit test for it. |
Darren Tucker | 558d6ca | 2009-03-07 10:22:10 +1100 | [diff] [blame] | 370 | |
Damien Miller | cee8523 | 2009-03-06 00:58:22 +1100 | [diff] [blame] | 371 | 20090306 |
| 372 | - (djm) OpenBSD CVS Sync |
| 373 | - djm@cvs.openbsd.org 2009/03/05 07:18:19 |
| 374 | [auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c] |
| 375 | [sshconnect2.c] |
| 376 | refactor the (disabled) Schnorr proof code to make it a little more |
| 377 | generally useful |
Damien Miller | 447e387 | 2009-03-06 00:58:39 +1100 | [diff] [blame] | 378 | - djm@cvs.openbsd.org 2009/03/05 11:30:50 |
| 379 | [uuencode.c] |
| 380 | document what these functions do so I don't ever have to recuse into |
| 381 | b64_pton/ntop to remember their return values |
Damien Miller | cee8523 | 2009-03-06 00:58:22 +1100 | [diff] [blame] | 382 | |
Damien Miller | 1991384 | 2009-02-23 10:53:58 +1100 | [diff] [blame] | 383 | 20090223 |
| 384 | - (djm) OpenBSD CVS Sync |
| 385 | - djm@cvs.openbsd.org 2009/02/22 23:50:57 |
| 386 | [ssh_config.5 sshd_config.5] |
| 387 | don't advertise experimental options |
Damien Miller | 0296ae8 | 2009-02-23 11:00:24 +1100 | [diff] [blame] | 388 | - djm@cvs.openbsd.org 2009/02/22 23:59:25 |
| 389 | [sshd_config.5] |
| 390 | missing period |
Damien Miller | 582ca6b | 2009-02-23 11:09:25 +1100 | [diff] [blame] | 391 | - djm@cvs.openbsd.org 2009/02/23 00:06:15 |
| 392 | [version.h] |
| 393 | openssh-5.2 |
Damien Miller | 5d0d530 | 2009-02-23 11:11:57 +1100 | [diff] [blame] | 394 | - (djm) [README] update for 5.2 |
Damien Miller | faec50b | 2009-02-23 11:12:29 +1100 | [diff] [blame] | 395 | - (djm) Release openssh-5.2p1 |
Damien Miller | 1991384 | 2009-02-23 10:53:58 +1100 | [diff] [blame] | 396 | |
Damien Miller | 9eab956 | 2009-02-22 08:47:02 +1100 | [diff] [blame] | 397 | 20090222 |
| 398 | - (djm) OpenBSD CVS Sync |
| 399 | - tobias@cvs.openbsd.org 2009/02/21 19:32:04 |
| 400 | [misc.c sftp-server-main.c ssh-keygen.c] |
| 401 | Added missing newlines in error messages. |
| 402 | ok dtucker |
| 403 | |
Damien Miller | e8001d4 | 2009-02-21 12:45:02 +1100 | [diff] [blame] | 404 | 20090221 |
| 405 | - (djm) OpenBSD CVS Sync |
| 406 | - djm@cvs.openbsd.org 2009/02/17 01:28:32 |
| 407 | [ssh_config] |
| 408 | sync with revised default ciphers; pointed out by dkrause@ |
Damien Miller | 2591838 | 2009-02-21 12:45:18 +1100 | [diff] [blame] | 409 | - djm@cvs.openbsd.org 2009/02/18 04:31:21 |
| 410 | [schnorr.c] |
| 411 | signature should hash over the entire group, not just the generator |
| 412 | (this is still disabled code) |
Damien Miller | 7691e5f | 2009-02-21 18:03:04 +1100 | [diff] [blame] | 413 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| 414 | [contrib/suse/openssh.spec] Prepare for 5.2p1 |
Damien Miller | e8001d4 | 2009-02-21 12:45:02 +1100 | [diff] [blame] | 415 | |
Damien Miller | 3f94aaf | 2009-02-16 15:21:39 +1100 | [diff] [blame] | 416 | 20090216 |
| 417 | - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh] |
| 418 | [regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled |
| 419 | interop tests from FATAL error to a warning. Allows some interop |
| 420 | tests to proceed if others are missing necessary prerequisites. |
Damien Miller | 9055172 | 2009-02-16 15:37:03 +1100 | [diff] [blame] | 421 | - (djm) [configure.ac] support GNU/kFreeBSD and GNU/kOpensolaris |
| 422 | systems; patch from Aurelien Jarno via rmh AT aybabtu.com |
Damien Miller | 3f94aaf | 2009-02-16 15:21:39 +1100 | [diff] [blame] | 423 | |
Damien Miller | fdd66fc | 2009-02-14 16:26:19 +1100 | [diff] [blame] | 424 | 20090214 |
| 425 | - (djm) OpenBSD CVS Sync |
| 426 | - dtucker@cvs.openbsd.org 2009/02/02 11:15:14 |
| 427 | [sftp.c] |
| 428 | Initialize a few variables to prevent spurious "may be used |
| 429 | uninitialized" warnings from newer gcc's. ok djm@ |
Damien Miller | 4bf648f | 2009-02-14 16:28:21 +1100 | [diff] [blame] | 430 | - djm@cvs.openbsd.org 2009/02/12 03:00:56 |
| 431 | [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c] |
| 432 | [readconf.h serverloop.c ssh.c] |
| 433 | support remote port forwarding with a zero listen port (-R0:...) to |
| 434 | dyamically allocate a listen port at runtime (this is actually |
| 435 | specified in rfc4254); bz#1003 ok markus@ |
Damien Miller | 330d585 | 2009-02-14 16:33:09 +1100 | [diff] [blame] | 436 | - djm@cvs.openbsd.org 2009/02/12 03:16:01 |
| 437 | [serverloop.c] |
| 438 | tighten check for -R0:... forwarding: only allow dynamic allocation |
| 439 | if want_reply is set in the packet |
Damien Miller | 923e8bb | 2009-02-14 16:33:31 +1100 | [diff] [blame] | 440 | - djm@cvs.openbsd.org 2009/02/12 03:26:22 |
| 441 | [monitor.c] |
| 442 | some paranoia: check that the serialised key is really KEY_RSA before |
| 443 | diddling its internals |
Damien Miller | e2f4cc5 | 2009-02-14 16:33:49 +1100 | [diff] [blame] | 444 | - djm@cvs.openbsd.org 2009/02/12 03:42:09 |
| 445 | [ssh.1] |
| 446 | document -R0:... usage |
Damien Miller | 65fa4ca | 2009-02-14 16:34:05 +1100 | [diff] [blame] | 447 | - djm@cvs.openbsd.org 2009/02/12 03:44:25 |
| 448 | [ssh.1] |
| 449 | consistency: Dq => Ql |
Damien Miller | 85c6d8a | 2009-02-14 16:34:21 +1100 | [diff] [blame] | 450 | - djm@cvs.openbsd.org 2009/02/12 03:46:17 |
| 451 | [ssh_config.5] |
| 452 | document RemoteForward usage with 0 listen port |
Damien Miller | e379e10 | 2009-02-14 16:34:39 +1100 | [diff] [blame] | 453 | - jmc@cvs.openbsd.org 2009/02/12 07:34:20 |
| 454 | [ssh_config.5] |
| 455 | kill trailing whitespace; |
Damien Miller | 61433be | 2009-02-14 16:35:01 +1100 | [diff] [blame] | 456 | - markus@cvs.openbsd.org 2009/02/13 11:50:21 |
| 457 | [packet.c] |
| 458 | check for enc !=NULL in packet_start_discard |
Damien Miller | 6385e75 | 2009-02-14 18:00:52 +1100 | [diff] [blame] | 459 | - djm@cvs.openbsd.org 2009/02/14 06:35:49 |
| 460 | [PROTOCOL] |
| 461 | mention that eow and no-more-sessions extensions are sent only to |
| 462 | OpenSSH peers |
Damien Miller | fdd66fc | 2009-02-14 16:26:19 +1100 | [diff] [blame] | 463 | |
| 464 | 20090212 |
Damien Miller | 2de7624 | 2009-02-12 12:19:20 +1100 | [diff] [blame] | 465 | - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically |
| 466 | set ownership and modes, so avoid explicitly setting them |
Damien Miller | 20e231f | 2009-02-12 13:12:21 +1100 | [diff] [blame] | 467 | - (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX. |
| 468 | OSX provides a getlastlogxbyname function that automates the reading of |
| 469 | a lastlog file. Also, the pututxline function will update lastlog so |
| 470 | there is no need for loginrec.c to do it explicitly. Collapse some |
| 471 | overly verbose code while I'm in there. |
Damien Miller | 2de7624 | 2009-02-12 12:19:20 +1100 | [diff] [blame] | 472 | |
Darren Tucker | 642ebe5 | 2009-02-01 22:19:54 +1100 | [diff] [blame] | 473 | 20090201 |
| 474 | - (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in |
| 475 | channels.c too, so move the definition for non-IP6 platforms to defines.h |
| 476 | where it can be shared. |
| 477 | |
Tim Rice | 6a32534 | 2009-01-29 12:30:01 -0800 | [diff] [blame] | 478 | 20090129 |
| 479 | - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. |
| 480 | If the CYGWIN environment variable is empty, the installer script |
| 481 | should not install the service with an empty CYGWIN variable, but |
| 482 | rather without setting CYGWNI entirely. |
Tim Rice | 0d8f2f3 | 2009-01-29 12:40:30 -0800 | [diff] [blame] | 483 | - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. |
Tim Rice | 6a32534 | 2009-01-29 12:30:01 -0800 | [diff] [blame] | 484 | |
Tim Rice | ca3692d | 2009-01-28 12:50:04 -0800 | [diff] [blame] | 485 | 20090128 |
| 486 | - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. |
| 487 | Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. |
| 488 | The information given for the setting of the CYGWIN environment variable |
| 489 | is wrong for both releases so I just removed it, together with the |
| 490 | unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. |
| 491 | |
Damien Miller | b53d8a1 | 2009-01-28 16:13:04 +1100 | [diff] [blame] | 492 | 20081228 |
| 493 | - (djm) OpenBSD CVS Sync |
| 494 | - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 |
| 495 | [channels.c servconf.c] |
| 496 | channel_print_adm_permitted_opens() should deal with all the printing |
| 497 | for that config option. suggested by markus@; ok markus@ djm@ |
| 498 | dtucker@ |
Damien Miller | c30def9 | 2009-01-28 16:13:39 +1100 | [diff] [blame] | 499 | - djm@cvs.openbsd.org 2008/12/09 04:32:22 |
| 500 | [auth2-chall.c] |
| 501 | replace by-hand string building with xasprinf(); ok deraadt@ |
Damien Miller | 62fd18a | 2009-01-28 16:14:09 +1100 | [diff] [blame] | 502 | - sobrado@cvs.openbsd.org 2008/12/09 15:35:00 |
| 503 | [sftp.1 sftp.c] |
| 504 | update for the synopses displayed by the 'help' command, there are a |
| 505 | few missing flags; add 'bye' to the output of 'help'; sorting and spacing. |
| 506 | jmc@ suggested replacing .Oo/.Oc with a single .Op macro. |
| 507 | ok jmc@ |
Damien Miller | b3f2c9f | 2009-01-28 16:15:30 +1100 | [diff] [blame] | 508 | - stevesk@cvs.openbsd.org 2008/12/09 22:37:33 |
| 509 | [clientloop.c] |
| 510 | fix typo in error message |
Damien Miller | 7375fe2 | 2009-01-28 16:16:00 +1100 | [diff] [blame] | 511 | - stevesk@cvs.openbsd.org 2008/12/10 03:55:20 |
| 512 | [addrmatch.c] |
| 513 | o cannot be NULL here but use xfree() to be consistent; ok djm@ |
Damien Miller | b2c17d4 | 2009-01-28 16:18:03 +1100 | [diff] [blame] | 514 | - stevesk@cvs.openbsd.org 2008/12/29 01:12:36 |
| 515 | [ssh-keyscan.1] |
| 516 | fix example, default key type is rsa for 3+ years; from |
| 517 | frederic.perrin@resel.fr |
Damien Miller | a70ac76 | 2009-01-28 16:19:52 +1100 | [diff] [blame] | 518 | - stevesk@cvs.openbsd.org 2008/12/29 02:23:26 |
| 519 | [pathnames.h] |
| 520 | no need to escape single quotes in comments |
Damien Miller | 1781901 | 2009-01-28 16:20:17 +1100 | [diff] [blame] | 521 | - okan@cvs.openbsd.org 2008/12/30 00:46:56 |
| 522 | [sshd_config.5] |
| 523 | add AllowAgentForwarding to available Match keywords list |
| 524 | ok djm |
Damien Miller | 7a60621 | 2009-01-28 16:22:34 +1100 | [diff] [blame] | 525 | - djm@cvs.openbsd.org 2009/01/01 21:14:35 |
| 526 | [channels.c] |
| 527 | call channel destroy callbacks on receipt of open failure messages. |
| 528 | fixes client hangs when connecting to a server that has MaxSessions=0 |
| 529 | set spotted by imorgan AT nas.nasa.gov; ok markus@ |
Damien Miller | ccf7e22 | 2009-01-28 16:23:06 +1100 | [diff] [blame] | 530 | - djm@cvs.openbsd.org 2009/01/01 21:17:36 |
| 531 | [kexgexs.c] |
| 532 | fix hash calculation for KEXGEX: hash over the original client-supplied |
| 533 | values and not the sanity checked versions that we acutally use; |
| 534 | bz#1540 reported by john.smith AT arrows.demon.co.uk |
| 535 | ok markus@ |
Damien Miller | 1781f53 | 2009-01-28 16:24:41 +1100 | [diff] [blame] | 536 | - djm@cvs.openbsd.org 2009/01/14 01:38:06 |
| 537 | [channels.c] |
| 538 | support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482; |
| 539 | "looks ok" markus@ |
Damien Miller | 5bc6aae | 2009-01-28 16:27:31 +1100 | [diff] [blame] | 540 | - stevesk@cvs.openbsd.org 2009/01/15 17:38:43 |
| 541 | [readconf.c] |
| 542 | 1) use obsolete instead of alias for consistency |
| 543 | 2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is |
| 544 | so move the comment. |
| 545 | 3) reorder so like options are together |
| 546 | ok djm@ |
Damien Miller | a1c1b6c | 2009-01-28 16:29:49 +1100 | [diff] [blame] | 547 | - djm@cvs.openbsd.org 2009/01/22 09:46:01 |
| 548 | [channels.c channels.h session.c] |
| 549 | make Channel->path an allocated string, saving a few bytes here and |
| 550 | there and fixing bz#1380 in the process; ok markus@ |
Damien Miller | 9576ac4 | 2009-01-28 16:30:33 +1100 | [diff] [blame] | 551 | - djm@cvs.openbsd.org 2009/01/22 09:49:57 |
| 552 | [channels.c] |
| 553 | oops! I committed the wrong version of the Channel->path diff, |
| 554 | it was missing some tweaks suggested by stevesk@ |
Damien Miller | 3dc71ad | 2009-01-28 16:31:22 +1100 | [diff] [blame] | 555 | - djm@cvs.openbsd.org 2009/01/22 10:02:34 |
| 556 | [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] |
| 557 | [serverloop.c ssh-keyscan.c ssh.c sshd.c] |
| 558 | make a2port() return -1 when it encounters an invalid port number |
| 559 | rather than 0, which it will now treat as valid (needed for future work) |
| 560 | adjust current consumers of a2port() to check its return value is <= 0, |
| 561 | which in turn required some things to be converted from u_short => int |
| 562 | make use of int vs. u_short consistent in some other places too |
| 563 | feedback & ok markus@ |
Damien Miller | e37dde0 | 2009-01-28 16:33:01 +1100 | [diff] [blame] | 564 | - djm@cvs.openbsd.org 2009/01/22 10:09:16 |
| 565 | [auth-options.c] |
| 566 | another chunk of a2port() diff that got away. wtfdjm?? |
Damien Miller | 67081b5 | 2009-01-28 16:33:31 +1100 | [diff] [blame] | 567 | - djm@cvs.openbsd.org 2009/01/23 07:58:11 |
| 568 | [myproposal.h] |
| 569 | prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC |
| 570 | modes; ok markus@ |
Damien Miller | 9aa72ba | 2009-01-28 16:34:00 +1100 | [diff] [blame] | 571 | - naddy@cvs.openbsd.org 2009/01/24 17:10:22 |
| 572 | [ssh_config.5 sshd_config.5] |
| 573 | sync list of preferred ciphers; ok djm@ |
Damien Miller | 13ae44c | 2009-01-28 16:38:41 +1100 | [diff] [blame] | 574 | - markus@cvs.openbsd.org 2009/01/26 09:58:15 |
| 575 | [cipher.c cipher.h packet.c] |
| 576 | Work around the CPNI-957037 Plaintext Recovery Attack by always |
| 577 | reading 256K of data on packet size or HMAC errors (in CBC mode only). |
| 578 | Help, feedback and ok djm@ |
| 579 | Feedback from Martin Albrecht and Paterson Kenny |
Damien Miller | b53d8a1 | 2009-01-28 16:13:04 +1100 | [diff] [blame] | 580 | |
Tim Rice | 351529c | 2009-01-07 10:04:12 -0800 | [diff] [blame] | 581 | 20090107 |
Damien Miller | 1598d6b | 2009-01-21 16:04:24 +1100 | [diff] [blame] | 582 | - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X. |
| 583 | Patch based on one from vgiffin AT apple.com; ok dtucker@ |
Damien Miller | 819dbb6 | 2009-01-21 16:46:26 +1100 | [diff] [blame] | 584 | - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via |
| 585 | launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked; |
| 586 | ok dtucker@ |
Damien Miller | 0266677 | 2009-01-21 20:29:20 +1100 | [diff] [blame] | 587 | - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make |
| 588 | ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" |
| 589 | key). Patch from cjwatson AT debian.org |
Damien Miller | 1598d6b | 2009-01-21 16:04:24 +1100 | [diff] [blame] | 590 | |
| 591 | 20090107 |
Tim Rice | 351529c | 2009-01-07 10:04:12 -0800 | [diff] [blame] | 592 | - (tim) [configure.ac defines.h openbsd-compat/port-uw.c |
| 593 | openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI. |
| 594 | OK djm@ dtucker@ |
Tim Rice | 2676791 | 2009-01-07 20:50:08 -0800 | [diff] [blame] | 595 | - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section. |
| 596 | OpenServer 6 doesn't need libcrypt. |
Tim Rice | 351529c | 2009-01-07 10:04:12 -0800 | [diff] [blame] | 597 | |
Damien Miller | 586b005 | 2008-12-09 14:11:32 +1100 | [diff] [blame] | 598 | 20081209 |
| 599 | - (djm) OpenBSD CVS Sync |
| 600 | - djm@cvs.openbsd.org 2008/12/09 02:38:18 |
| 601 | [clientloop.c] |
| 602 | The ~C escape handler does not work correctly for multiplexed sessions - |
| 603 | it opens a commandline on the master session, instead of on the slave |
| 604 | that requested it. Disable it on slave sessions until such time as it |
| 605 | is fixed; bz#1543 report from Adrian Bridgett via Colin Watson |
| 606 | ok markus@ |
Damien Miller | 1be2cc4 | 2008-12-09 14:11:49 +1100 | [diff] [blame] | 607 | - djm@cvs.openbsd.org 2008/12/09 02:39:59 |
| 608 | [sftp.c] |
| 609 | Deal correctly with failures in remote stat() operation in sftp, |
| 610 | correcting fail-on-error behaviour in batchmode. bz#1541 report and |
| 611 | fix from anedvedicky AT gmail.com; ok markus@ |
Damien Miller | 0d772d9 | 2008-12-09 14:12:05 +1100 | [diff] [blame] | 612 | - djm@cvs.openbsd.org 2008/12/09 02:58:16 |
| 613 | [readconf.c] |
| 614 | don't leave junk (free'd) pointers around in Forward *fwd argument on |
| 615 | failure; avoids double-free in ~C -L handler when given an invalid |
| 616 | forwarding specification; bz#1539 report from adejong AT debian.org |
| 617 | via Colin Watson; ok markus@ dtucker@ |
Damien Miller | 7ebfad7 | 2008-12-09 14:12:33 +1100 | [diff] [blame] | 618 | - djm@cvs.openbsd.org 2008/12/09 03:02:37 |
| 619 | [sftp.1 sftp.c] |
| 620 | correct sftp(1) and corresponding usage syntax; |
| 621 | bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@ |
Damien Miller | 586b005 | 2008-12-09 14:11:32 +1100 | [diff] [blame] | 622 | |
Damien Miller | 7df2e40 | 2008-12-08 09:35:36 +1100 | [diff] [blame] | 623 | 20081208 |
| 624 | - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually |
| 625 | use some stack in main(). |
| 626 | Report and suggested fix from vapier AT gentoo.org |
Damien Miller | 8533c78 | 2008-12-08 09:54:40 +1100 | [diff] [blame] | 627 | - (djm) OpenBSD CVS Sync |
| 628 | - markus@cvs.openbsd.org 2008/12/02 19:01:07 |
| 629 | [clientloop.c] |
| 630 | we have to use the recipient's channel number (RFC 4254) for |
| 631 | SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages, |
| 632 | otherwise we trigger 'Non-public channel' error messages on sshd |
| 633 | systems with clientkeepalive enabled; noticed by sturm; ok djm; |
Damien Miller | 5a33ec6 | 2008-12-08 09:55:02 +1100 | [diff] [blame] | 634 | - markus@cvs.openbsd.org 2008/12/02 19:08:59 |
| 635 | [serverloop.c] |
| 636 | backout 1.149, since it's not necessary and openssh clients send |
| 637 | broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@ |
Damien Miller | 16a7307 | 2008-12-08 09:55:25 +1100 | [diff] [blame] | 638 | - markus@cvs.openbsd.org 2008/12/02 19:09:38 |
| 639 | [channels.c] |
| 640 | s/remote_id/id/ to be more consistent with other code; ok djm@ |
Damien Miller | 7df2e40 | 2008-12-08 09:35:36 +1100 | [diff] [blame] | 641 | |
Darren Tucker | 83795d6 | 2008-12-01 21:34:28 +1100 | [diff] [blame] | 642 | 20081201 |
| 643 | - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files |
| 644 | and tweak the is-sshd-running check in ssh-host-config. Patch from |
| 645 | vinschen at redhat com. |
Darren Tucker | 99d11a3 | 2008-12-01 21:40:48 +1100 | [diff] [blame] | 646 | - (dtucker) OpenBSD CVS Sync |
| 647 | - markus@cvs.openbsd.org 2008/11/21 15:47:38 |
| 648 | [packet.c] |
| 649 | packet_disconnect() on padding error, too. should reduce the success |
| 650 | probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 |
| 651 | ok djm@ |
Darren Tucker | 2364564 | 2008-12-01 21:42:13 +1100 | [diff] [blame] | 652 | - dtucker@cvs.openbsd.org 2008/11/30 11:59:26 |
| 653 | [monitor_fdpass.c] |
| 654 | Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@ |
Darren Tucker | 83795d6 | 2008-12-01 21:34:28 +1100 | [diff] [blame] | 655 | |
Darren Tucker | 69087ea | 2008-11-23 14:03:19 +1100 | [diff] [blame] | 656 | 20081123 |
| 657 | - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some |
| 658 | declarations, removing an unnecessary union member and adding whitespace. |
Darren Tucker | d3782b4 | 2008-11-23 19:05:53 +1100 | [diff] [blame] | 659 | cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago. |
Darren Tucker | 69087ea | 2008-11-23 14:03:19 +1100 | [diff] [blame] | 660 | |
Tim Rice | 0f4d2c0 | 2008-11-18 21:26:41 -0800 | [diff] [blame] | 661 | 20081118 |
| 662 | - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id |
| 663 | member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and |
| 664 | feedback by djm@ |
| 665 | |
Darren Tucker | ff4350e | 2008-11-11 16:31:05 +1100 | [diff] [blame] | 666 | 20081111 |
| 667 | - (dtucker) OpenBSD CVS Sync |
| 668 | - jmc@cvs.openbsd.org 2008/11/05 11:22:54 |
| 669 | [servconf.c] |
| 670 | passord -> password; |
| 671 | fixes user/5975 from Rene Maroufi |
Darren Tucker | e15fb09 | 2008-11-11 16:31:43 +1100 | [diff] [blame] | 672 | - stevesk@cvs.openbsd.org 2008/11/07 00:42:12 |
| 673 | [ssh-keygen.c] |
| 674 | spelling/typo in comment |
Darren Tucker | b57fab6 | 2008-11-11 16:32:25 +1100 | [diff] [blame] | 675 | - stevesk@cvs.openbsd.org 2008/11/07 18:50:18 |
| 676 | [nchan.c] |
| 677 | add space to some log/debug messages for readability; ok djm@ markus@ |
Darren Tucker | c6d744e | 2008-11-11 16:33:03 +1100 | [diff] [blame] | 678 | - dtucker@cvs.openbsd.org 2008/11/07 23:34:48 |
| 679 | [auth2-jpake.c] |
| 680 | Move JPAKE define to make life easier for portable. ok djm@ |
Darren Tucker | 63917bd | 2008-11-11 16:33:48 +1100 | [diff] [blame] | 681 | - tobias@cvs.openbsd.org 2008/11/09 12:34:47 |
| 682 | [session.c ssh.1] |
| 683 | typo fixed (overriden -> overridden) |
| 684 | ok espie, jmc |
Darren Tucker | 49c31c4 | 2008-11-11 16:39:44 +1100 | [diff] [blame] | 685 | - stevesk@cvs.openbsd.org 2008/11/11 02:58:09 |
| 686 | [servconf.c] |
| 687 | USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing |
| 688 | kerberosgetafstoken. ok dtucker@ |
| 689 | (Id sync only, we still want the ifdef in portable) |
Darren Tucker | 22662e8 | 2008-11-11 16:40:22 +1100 | [diff] [blame] | 690 | - stevesk@cvs.openbsd.org 2008/11/11 03:55:11 |
| 691 | [channels.c] |
| 692 | for sshd -T print 'permitopen any' vs. 'permitopen' for case of no |
| 693 | permitopen's; ok and input dtucker@ |
Darren Tucker | 4a6f62d | 2008-11-11 16:55:25 +1100 | [diff] [blame] | 694 | - djm@cvs.openbsd.org 2008/11/10 02:06:35 |
| 695 | [regress/putty-ciphers.sh] |
| 696 | PuTTY supports AES CTR modes, so interop test against them too |
Darren Tucker | ff4350e | 2008-11-11 16:31:05 +1100 | [diff] [blame] | 697 | |
Damien Miller | 7fc5c0f | 2008-11-05 16:12:11 +1100 | [diff] [blame] | 698 | 20081105 |
| 699 | - OpenBSD CVS Sync |
| 700 | - djm@cvs.openbsd.org 2008/11/03 08:59:41 |
| 701 | [servconf.c] |
| 702 | include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov |
Damien Miller | 6f66d34 | 2008-11-05 16:12:54 +1100 | [diff] [blame] | 703 | - djm@cvs.openbsd.org 2008/11/04 07:58:09 |
| 704 | [auth.c] |
| 705 | need unistd.h for close() prototype |
| 706 | (ID sync only) |
Damien Miller | 01ed227 | 2008-11-05 16:20:46 +1100 | [diff] [blame] | 707 | - djm@cvs.openbsd.org 2008/11/04 08:22:13 |
| 708 | [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] |
| 709 | [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] |
| 710 | [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] |
| 711 | [Makefile.in] |
| 712 | Add support for an experimental zero-knowledge password authentication |
| 713 | method using the J-PAKE protocol described in F. Hao, P. Ryan, |
| 714 | "Password Authenticated Key Exchange by Juggling", 16th Workshop on |
| 715 | Security Protocols, Cambridge, April 2008. |
| 716 | |
| 717 | This method allows password-based authentication without exposing |
| 718 | the password to the server. Instead, the client and server exchange |
| 719 | cryptographic proofs to demonstrate of knowledge of the password while |
| 720 | revealing nothing useful to an attacker or compromised endpoint. |
| 721 | |
| 722 | This is experimental, work-in-progress code and is presently |
| 723 | compiled-time disabled (turn on -DJPAKE in Makefile.inc). |
| 724 | |
| 725 | "just commit it. It isn't too intrusive." deraadt@ |
Damien Miller | 1a0442f | 2008-11-05 16:30:06 +1100 | [diff] [blame] | 726 | - stevesk@cvs.openbsd.org 2008/11/04 19:18:00 |
| 727 | [readconf.c] |
| 728 | because parse_forward() is now used to parse all forward types (DLR), |
| 729 | and it malloc's space for host variables, we don't need to malloc |
| 730 | here. fixes small memory leaks. |
| 731 | |
| 732 | previously dynamic forwards were not parsed in parse_forward() and |
| 733 | space was not malloc'd in that case. |
| 734 | |
| 735 | ok djm@ |
Damien Miller | 0164cb8 | 2008-11-05 16:30:31 +1100 | [diff] [blame] | 736 | - stevesk@cvs.openbsd.org 2008/11/05 03:23:09 |
| 737 | [clientloop.c ssh.1] |
| 738 | add dynamic forward escape command line; ok djm@ |
Damien Miller | 7fc5c0f | 2008-11-05 16:12:11 +1100 | [diff] [blame] | 739 | |
Damien Miller | 9f6fb56 | 2008-11-03 19:15:44 +1100 | [diff] [blame] | 740 | 20081103 |
| 741 | - OpenBSD CVS Sync |
| 742 | - sthen@cvs.openbsd.org 2008/07/24 23:55:30 |
| 743 | [ssh-keygen.1] |
| 744 | Add "ssh-keygen -F -l" to synopsis (displays fingerprint from |
| 745 | known_hosts). ok djm@ |
| 746 | - grunk@cvs.openbsd.org 2008/07/25 06:56:35 |
| 747 | [ssh_config] |
| 748 | Add VisualHostKey to example file, ok djm@ |
Damien Miller | c6aadd9 | 2008-11-03 19:16:20 +1100 | [diff] [blame] | 749 | - grunk@cvs.openbsd.org 2008/07/25 07:05:16 |
| 750 | [key.c] |
| 751 | In random art visualization, make sure to use the end marker only at the |
| 752 | end. Initial diff by Dirk Loss, tweaks and ok djm@ |
Damien Miller | c674d58 | 2008-11-03 19:16:57 +1100 | [diff] [blame] | 753 | - markus@cvs.openbsd.org 2008/07/31 14:48:28 |
| 754 | [sshconnect2.c] |
| 755 | don't allocate space for empty banners; report t8m at centrum.cz; |
| 756 | ok deraadt |
Damien Miller | fa51b16 | 2008-11-03 19:17:33 +1100 | [diff] [blame] | 757 | - krw@cvs.openbsd.org 2008/08/02 04:29:51 |
| 758 | [ssh_config.5] |
| 759 | whitepsace -> whitespace. From Matthew Clarke via bugs@. |
Damien Miller | ad793d5 | 2008-11-03 19:17:57 +1100 | [diff] [blame] | 760 | - djm@cvs.openbsd.org 2008/08/21 04:09:57 |
| 761 | [session.c] |
| 762 | allow ForceCommand internal-sftp with arguments. based on patch from |
| 763 | michael.barabanov AT gmail.com; ok markus@ |
Damien Miller | 15bce6b | 2008-11-03 19:19:12 +1100 | [diff] [blame] | 764 | - djm@cvs.openbsd.org 2008/09/06 12:24:13 |
| 765 | [kex.c] |
| 766 | OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our |
| 767 | replacement anymore |
| 768 | (ID sync only for portable - we still need this) |
Damien Miller | 456e6f0 | 2008-11-03 19:20:10 +1100 | [diff] [blame] | 769 | - markus@cvs.openbsd.org 2008/09/11 14:22:37 |
| 770 | [compat.c compat.h nchan.c ssh.c] |
| 771 | only send eow and no-more-sessions requests to openssh 5 and newer; |
| 772 | fixes interop problems with broken ssh v2 implementations; ok djm@ |
Damien Miller | d58f560 | 2008-11-03 19:20:49 +1100 | [diff] [blame] | 773 | - millert@cvs.openbsd.org 2008/10/02 14:39:35 |
| 774 | [session.c] |
| 775 | Convert an unchecked strdup to xstrdup. OK deraadt@ |
Damien Miller | 49b78d4 | 2008-11-03 19:21:21 +1100 | [diff] [blame] | 776 | - jmc@cvs.openbsd.org 2008/10/03 13:08:12 |
| 777 | [sshd.8] |
| 778 | do not give an example of how to chmod files: we can presume the user |
| 779 | knows that. removes an ambiguity in the permission of authorized_keys; |
| 780 | ok deraadt |
Damien Miller | c4d1b36 | 2008-11-03 19:22:09 +1100 | [diff] [blame] | 781 | - deraadt@cvs.openbsd.org 2008/10/03 23:56:28 |
| 782 | [sshconnect2.c] |
| 783 | Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the |
| 784 | function. |
| 785 | spotted by des@freebsd, who commited an incorrect fix to the freebsd tree |
| 786 | and (as is fairly typical) did not report the problem to us. But this fix |
| 787 | is correct. |
| 788 | ok djm |
Damien Miller | e272a5b | 2008-11-03 19:22:37 +1100 | [diff] [blame] | 789 | - djm@cvs.openbsd.org 2008/10/08 23:34:03 |
| 790 | [ssh.1 ssh.c] |
| 791 | Add -y option to force logging via syslog rather than stderr. |
| 792 | Useful for daemonised ssh connection (ssh -f). Patch originally from |
| 793 | and ok'd by markus@ |
Damien Miller | 51bde60 | 2008-11-03 19:23:10 +1100 | [diff] [blame] | 794 | - djm@cvs.openbsd.org 2008/10/09 03:50:54 |
| 795 | [servconf.c sshd_config.5] |
| 796 | support setting PermitEmptyPasswords in a Match block |
| 797 | requested in PR3891; ok dtucker@ |
Damien Miller | c13c3ee | 2008-11-03 19:23:28 +1100 | [diff] [blame] | 798 | - jmc@cvs.openbsd.org 2008/10/09 06:54:22 |
| 799 | [ssh.c] |
| 800 | add -y to usage(); |
Damien Miller | b4acb47 | 2008-11-03 19:23:45 +1100 | [diff] [blame] | 801 | - stevesk@cvs.openbsd.org 2008/10/10 04:55:16 |
| 802 | [scp.c] |
| 803 | spelling in comment; ok djm@ |
Damien Miller | 2f54ada | 2008-11-03 19:24:16 +1100 | [diff] [blame] | 804 | - stevesk@cvs.openbsd.org 2008/10/10 05:00:12 |
| 805 | [key.c] |
| 806 | typo in error message; ok djm@ |
Damien Miller | ece92c8 | 2008-11-03 19:25:03 +1100 | [diff] [blame] | 807 | - stevesk@cvs.openbsd.org 2008/10/10 16:43:27 |
| 808 | [ssh_config.5] |
| 809 | use 'Privileged ports can be forwarded only when logging in as root on |
| 810 | the remote machine.' for RemoteForward just like ssh.1 -R. |
| 811 | ok djm@ jmc@ |
| 812 | - stevesk@cvs.openbsd.org 2008/10/14 18:11:33 |
| 813 | [sshconnect.c] |
| 814 | use #define ROQUIET here; no binary change. ok dtucker@ |
Damien Miller | a414cd3 | 2008-11-03 19:25:21 +1100 | [diff] [blame] | 815 | - stevesk@cvs.openbsd.org 2008/10/17 18:36:24 |
| 816 | [ssh_config.5] |
| 817 | correct and clarify VisualHostKey; ok jmc@ |
Damien Miller | e7261c7 | 2008-11-03 19:25:40 +1100 | [diff] [blame] | 818 | - stevesk@cvs.openbsd.org 2008/10/30 19:31:16 |
| 819 | [clientloop.c sshd.c] |
| 820 | don't need to #include "monitor_fdpass.h" |
Damien Miller | 2b20a92 | 2008-11-03 19:26:00 +1100 | [diff] [blame] | 821 | - stevesk@cvs.openbsd.org 2008/10/31 15:05:34 |
| 822 | [dispatch.c] |
| 823 | remove unused #define DISPATCH_MIN; ok markus@ |
Damien Miller | f7475d7 | 2008-11-03 19:26:18 +1100 | [diff] [blame] | 824 | - djm@cvs.openbsd.org 2008/11/01 04:50:08 |
| 825 | [sshconnect2.c] |
| 826 | sprinkle ARGSUSED on dispatch handlers |
| 827 | nuke stale unusued prototype |
Damien Miller | a009433 | 2008-11-03 19:26:35 +1100 | [diff] [blame] | 828 | - stevesk@cvs.openbsd.org 2008/11/01 06:43:33 |
| 829 | [channels.c] |
| 830 | fix some typos in log messages; ok djm@ |
Damien Miller | c1719f7 | 2008-11-03 19:27:07 +1100 | [diff] [blame] | 831 | - sobrado@cvs.openbsd.org 2008/11/01 11:14:36 |
| 832 | [ssh-keyscan.1 ssh-keyscan.c] |
| 833 | the ellipsis is not an optional argument; while here, improve spacing. |
Damien Miller | a699d95 | 2008-11-03 19:27:34 +1100 | [diff] [blame] | 834 | - stevesk@cvs.openbsd.org 2008/11/01 17:40:33 |
| 835 | [clientloop.c readconf.c readconf.h ssh.c] |
| 836 | merge dynamic forward parsing into parse_forward(); |
| 837 | 'i think this is OK' djm@ |
Damien Miller | 660d7da | 2008-11-03 19:27:52 +1100 | [diff] [blame] | 838 | - stevesk@cvs.openbsd.org 2008/11/02 00:16:16 |
| 839 | [ttymodes.c] |
| 840 | protocol 2 tty modes support is now 7.5 years old so remove these |
| 841 | debug3()s; ok deraadt@ |
Damien Miller | a279d25 | 2008-11-03 19:28:07 +1100 | [diff] [blame] | 842 | - stevesk@cvs.openbsd.org 2008/11/03 01:07:02 |
| 843 | [readconf.c] |
| 844 | remove valueless comment |
Damien Miller | f4b3953 | 2008-11-03 19:28:21 +1100 | [diff] [blame] | 845 | - stevesk@cvs.openbsd.org 2008/11/03 02:44:41 |
| 846 | [readconf.c] |
| 847 | fix comment |
Damien Miller | 85dec73 | 2008-11-03 20:16:01 +1100 | [diff] [blame] | 848 | - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] |
| 849 | Make example scripts generate keys with default sizes rather than fixed, |
| 850 | non-default 1024 bits; patch from imorgan AT nas.nasa.gov |
Damien Miller | 250071f | 2008-11-03 20:18:12 +1100 | [diff] [blame] | 851 | - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] |
| 852 | [contrib/redhat/sshd.pam] Move pam_nologin to account group from |
| 853 | incorrect auth group in example files; |
| 854 | patch from imorgan AT nas.nasa.gov |
Damien Miller | 9f6fb56 | 2008-11-03 19:15:44 +1100 | [diff] [blame] | 855 | |
Darren Tucker | c570ff7 | 2008-09-06 18:20:57 +1000 | [diff] [blame] | 856 | 20080906 |
| 857 | - (dtucker) [config.guess config.sub] Update to latest versions from |
| 858 | http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16 |
| 859 | respectively). |
| 860 | |
Darren Tucker | 661f63b | 2008-08-30 07:32:37 +1000 | [diff] [blame] | 861 | 20080830 |
| 862 | - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs |
| 863 | larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch |
| 864 | from Nicholas Marriott. |
| 865 | |
Damien Miller | aa5f433 | 2008-07-21 18:20:39 +1000 | [diff] [blame] | 866 | 20080721 |
| 867 | - (djm) OpenBSD CVS Sync |
Damien Miller | 6ef430d | 2008-07-23 17:40:04 +1000 | [diff] [blame] | 868 | - djm@cvs.openbsd.org 2008/07/23 07:36:55 |
| 869 | [servconf.c] |
| 870 | do not try to print options that have been compile-time disabled |
| 871 | in config test mode (sshd -T); report from nix-corp AT esperi.org.uk |
| 872 | ok dtucker@ |
Damien Miller | 212f0b0 | 2008-07-23 17:42:29 +1000 | [diff] [blame] | 873 | - (djm) [servconf.c] Print UsePAM option in config test mode (when it |
| 874 | has been compiled in); report from nix-corp AT esperi.org.uk |
| 875 | ok dtucker@ |
Damien Miller | 6ef430d | 2008-07-23 17:40:04 +1000 | [diff] [blame] | 876 | |
| 877 | 20080721 |
| 878 | - (djm) OpenBSD CVS Sync |
Damien Miller | aa5f433 | 2008-07-21 18:20:39 +1000 | [diff] [blame] | 879 | - jmc@cvs.openbsd.org 2008/07/18 22:51:01 |
| 880 | [sftp-server.8] |
| 881 | no need for .Pp before or after .Sh; |
Damien Miller | aaae43e | 2008-07-21 18:21:05 +1000 | [diff] [blame] | 882 | - djm@cvs.openbsd.org 2008/07/21 08:19:07 |
| 883 | [version.h] |
| 884 | openssh-5.1 |
Damien Miller | 1f8909c | 2008-07-21 18:21:52 +1000 | [diff] [blame] | 885 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| 886 | [contrib/suse/openssh.spec] Update version number in README and RPM specs |
Damien Miller | 8f42e9b | 2008-07-21 18:22:25 +1000 | [diff] [blame] | 887 | - (djm) Release OpenSSH-5.1 |
Damien Miller | aa5f433 | 2008-07-21 18:20:39 +1000 | [diff] [blame] | 888 | |
Damien Miller | 7ba0ca7 | 2008-07-17 18:57:06 +1000 | [diff] [blame] | 889 | 20080717 |
| 890 | - (djm) OpenBSD CVS Sync |
| 891 | - djm@cvs.openbsd.org 2008/07/17 08:48:00 |
| 892 | [sshconnect2.c] |
| 893 | strnvis preauth banner; pointed out by mpf@ ok markus@ |
Damien Miller | a1d03a5 | 2008-07-17 18:57:19 +1000 | [diff] [blame] | 894 | - djm@cvs.openbsd.org 2008/07/17 08:51:07 |
| 895 | [auth2-hostbased.c] |
| 896 | strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes |
| 897 | report and patch from res AT qoxp.net (bz#1200); ok markus@ |
Darren Tucker | 9a3f2b4 | 2008-07-17 19:03:49 +1000 | [diff] [blame] | 898 | - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat |
| 899 | code, replace with equivalent cygwin library call. Patch from vinschen |
Damien Miller | 2e28d86 | 2008-07-17 19:15:43 +1000 | [diff] [blame] | 900 | at redhat.com, ok djm@. |
| 901 | - (djm) [sshconnect2.c] vis.h isn't available everywhere |
Damien Miller | 7ba0ca7 | 2008-07-17 18:57:06 +1000 | [diff] [blame] | 902 | |
Damien Miller | 94717b0 | 2008-07-16 21:17:23 +1000 | [diff] [blame] | 903 | 20080716 |
| 904 | - OpenBSD CVS Sync |
| 905 | - djm@cvs.openbsd.org 2008/07/15 02:23:14 |
| 906 | [sftp.1] |
| 907 | number of pipelined requests is now 64; |
| 908 | prodded by Iain.Morgan AT nasa.gov |
Damien Miller | b9d3bee | 2008-07-16 22:40:52 +1000 | [diff] [blame] | 909 | - djm@cvs.openbsd.org 2008/07/16 11:51:14 |
| 910 | [clientloop.c] |
| 911 | rename variable first_gc -> last_gc (since it is actually the last |
| 912 | in the list). |
Damien Miller | 6ef1749 | 2008-07-16 22:42:06 +1000 | [diff] [blame] | 913 | - djm@cvs.openbsd.org 2008/07/16 11:52:19 |
| 914 | [channels.c] |
| 915 | this loop index should be automatic, not static |
Damien Miller | 94717b0 | 2008-07-16 21:17:23 +1000 | [diff] [blame] | 916 | |
Damien Miller | 81dec05 | 2008-07-14 11:28:29 +1000 | [diff] [blame] | 917 | 20080714 |
| 918 | - (djm) OpenBSD CVS Sync |
| 919 | - sthen@cvs.openbsd.org 2008/07/13 21:22:52 |
| 920 | [ssh-keygen.c] |
| 921 | Change "ssh-keygen -F [host] -l" to not display random art unless |
| 922 | -v is also specified, making it consistent with the manual and other |
| 923 | uses of -l. |
| 924 | ok grunk@ |
Damien Miller | 163886f | 2008-07-14 11:28:58 +1000 | [diff] [blame] | 925 | - djm@cvs.openbsd.org 2008/07/13 22:13:07 |
| 926 | [channels.c] |
| 927 | use struct sockaddr_storage instead of struct sockaddr for accept(2) |
| 928 | address argument. from visibilis AT yahoo.com in bz#1485; ok markus@ |
Damien Miller | 7f980d1 | 2008-07-14 11:29:24 +1000 | [diff] [blame] | 929 | - djm@cvs.openbsd.org 2008/07/13 22:16:03 |
| 930 | [sftp.c] |
| 931 | increase number of piplelined requests so they properly fill the |
| 932 | (recently increased) channel window. prompted by rapier AT psc.edu; |
| 933 | ok markus@ |
Damien Miller | 276571c | 2008-07-14 12:09:57 +1000 | [diff] [blame] | 934 | - djm@cvs.openbsd.org 2008/07/14 01:55:56 |
| 935 | [sftp-server.8] |
| 936 | mention requirement for /dev/log inside chroot when using sftp-server |
| 937 | with ChrootDirectory |
Damien Miller | ce02e5e | 2008-07-14 12:02:24 +1000 | [diff] [blame] | 938 | - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to |
| 939 | avoid clash with sin(3) function; reported by |
| 940 | cristian.ionescu-idbohrn AT axis.com |
Damien Miller | 639ce59 | 2008-07-14 12:03:27 +1000 | [diff] [blame] | 941 | - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close() |
| 942 | prototype; reported by cristian.ionescu-idbohrn AT axis.com |
Damien Miller | 36d7056 | 2008-07-14 12:04:43 +1000 | [diff] [blame] | 943 | - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash; |
| 944 | reported by cristian.ionescu-idbohrn AT axis.com |
Damien Miller | 1fc231c | 2008-07-14 12:12:52 +1000 | [diff] [blame] | 945 | - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config] |
| 946 | [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd] |
| 947 | Revamped and simplified Cygwin ssh-host-config script that uses |
| 948 | unified csih configuration tool. Requires recent Cygwin. |
| 949 | Patch from vinschen AT redhat.com |
Damien Miller | 81dec05 | 2008-07-14 11:28:29 +1000 | [diff] [blame] | 950 | |
Damien Miller | 2bcb866 | 2008-07-12 17:12:29 +1000 | [diff] [blame] | 951 | 20080712 |
| 952 | - (djm) OpenBSD CVS Sync |
| 953 | - djm@cvs.openbsd.org 2008/07/12 04:52:50 |
| 954 | [channels.c] |
| 955 | unbreak; move clearing of cctx struct to before first use |
| 956 | reported by dkrause@ |
Damien Miller | a034baf | 2008-07-12 17:12:49 +1000 | [diff] [blame] | 957 | - djm@cvs.openbsd.org 2008/07/12 05:33:41 |
| 958 | [scp.1] |
| 959 | better description for -i flag: |
| 960 | s/RSA authentication/public key authentication/ |
Damien Miller | c4657ef | 2008-07-14 21:37:36 +1000 | [diff] [blame] | 961 | - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h] |
| 962 | return EAI_FAMILY when trying to lookup unsupported address family; |
| 963 | from vinschen AT redhat.com |
Damien Miller | 2bcb866 | 2008-07-12 17:12:29 +1000 | [diff] [blame] | 964 | |
Damien Miller | 2f7faf1 | 2008-07-11 17:34:35 +1000 | [diff] [blame] | 965 | 20080711 |
| 966 | - (djm) OpenBSD CVS Sync |
| 967 | - stevesk@cvs.openbsd.org 2008/07/07 00:31:41 |
| 968 | [ttymodes.c] |
| 969 | we don't need arg after the debug3() was removed. from lint. |
| 970 | ok djm@ |
Damien Miller | 87dd5f2 | 2008-07-11 17:35:09 +1000 | [diff] [blame] | 971 | - stevesk@cvs.openbsd.org 2008/07/07 23:32:51 |
| 972 | [key.c] |
| 973 | /*NOTREACHED*/ for lint warning: |
| 974 | warning: function key_equal falls off bottom without returning value |
| 975 | ok djm@ |
Damien Miller | dda5fff | 2008-07-11 17:35:37 +1000 | [diff] [blame] | 976 | - markus@cvs.openbsd.org 2008/07/10 18:05:58 |
| 977 | [channels.c] |
| 978 | missing bzero; from mickey; ok djm@ |
Damien Miller | b61f3fc | 2008-07-11 17:36:48 +1000 | [diff] [blame] | 979 | - markus@cvs.openbsd.org 2008/07/10 18:08:11 |
| 980 | [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c] |
| 981 | sync v1 and v2 traffic accounting; add it to sshd, too; |
| 982 | ok djm@, dtucker@ |
Damien Miller | 2f7faf1 | 2008-07-11 17:34:35 +1000 | [diff] [blame] | 983 | |
Damien Miller | d9648ee | 2008-07-09 00:21:12 +1000 | [diff] [blame] | 984 | 20080709 |
| 985 | - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass |
Damien Miller | 773a7b9 | 2008-07-09 20:54:05 +1000 | [diff] [blame] | 986 | - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM |
| 987 | account check failure path. The vulnerable format buffer is supplied |
| 988 | from PAM and should not contain attacker-supplied data. |
Damien Miller | 7acf550 | 2008-07-09 20:54:37 +1000 | [diff] [blame] | 989 | - (djm) [auth.c] Missing unistd.h for close() |
Damien Miller | 73193b3 | 2008-07-09 21:07:19 +1000 | [diff] [blame] | 990 | - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x |
Damien Miller | d9648ee | 2008-07-09 00:21:12 +1000 | [diff] [blame] | 991 | |
Damien Miller | 22989f1 | 2008-07-05 08:59:43 +1000 | [diff] [blame] | 992 | 20080705 |
| 993 | - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed |
| 994 | passwords disabled. bz#1083 report & patch from senthilkumar_sen AT |
| 995 | hotpop.com, w/ dtucker@ |
Damien Miller | 20d1694 | 2008-07-05 09:36:58 +1000 | [diff] [blame] | 996 | - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for |
| 997 | Tru64. readv doesn't seem to be a comparable object there. |
| 998 | bz#1386, patch from dtucker@ ok me |
Damien Miller | 42743cb | 2008-07-05 09:50:23 +1000 | [diff] [blame] | 999 | - (djm) [Makefile.in] Pass though pass to conch for interop tests |
Damien Miller | ff2e492 | 2008-07-05 09:52:03 +1000 | [diff] [blame] | 1000 | - (djm) [configure.ac] unbreak: remove extra closing brace |
Damien Miller | d874fa5 | 2008-07-05 09:40:56 +1000 | [diff] [blame] | 1001 | - (djm) OpenBSD CVS Sync |
| 1002 | - djm@cvs.openbsd.org 2008/07/04 23:08:25 |
| 1003 | [packet.c] |
| 1004 | handle EINTR in packet_write_poll()l ok dtucker@ |
Damien Miller | 0b4d48b | 2008-07-05 09:44:53 +1000 | [diff] [blame] | 1005 | - djm@cvs.openbsd.org 2008/07/04 23:30:16 |
| 1006 | [auth1.c auth2.c] |
| 1007 | Make protocol 1 MaxAuthTries logic match protocol 2's. |
| 1008 | Do not treat the first protocol 2 authentication attempt as |
| 1009 | a failure IFF it is for method "none". |
| 1010 | Makes MaxAuthTries' user-visible behaviour identical for |
| 1011 | protocol 1 vs 2. |
| 1012 | ok dtucker@ |
Damien Miller | c9c96f2 | 2008-07-05 15:17:48 +1000 | [diff] [blame] | 1013 | - djm@cvs.openbsd.org 2008/07/05 05:16:01 |
| 1014 | [PROTOCOL] |
| 1015 | grammar |
Damien Miller | 22989f1 | 2008-07-05 08:59:43 +1000 | [diff] [blame] | 1016 | |
Darren Tucker | 7c99b1c | 2008-07-04 12:53:23 +1000 | [diff] [blame] | 1017 | 20080704 |
| 1018 | - (dtucker) OpenBSD CVS Sync |
| 1019 | - djm@cvs.openbsd.org 2008/07/02 13:30:34 |
| 1020 | [auth2.c] |
| 1021 | really really remove the freebie "none" auth try for protocol 2 |
Darren Tucker | 9a2a609 | 2008-07-04 12:53:50 +1000 | [diff] [blame] | 1022 | - djm@cvs.openbsd.org 2008/07/02 13:47:39 |
| 1023 | [ssh.1 ssh.c] |
| 1024 | When forking after authentication ("ssh -f") with ExitOnForwardFailure |
| 1025 | enabled, delay the fork until after replies for any -R forwards have |
| 1026 | been seen. Allows for robust detection of -R forward failure when |
| 1027 | using -f (similar to bz#92); ok dtucker@ |
Darren Tucker | f5cafb0 | 2008-07-04 12:54:25 +1000 | [diff] [blame] | 1028 | - otto@cvs.openbsd.org 2008/07/03 21:46:58 |
| 1029 | [auth2-pubkey.c] |
| 1030 | avoid nasty double free; ok dtucker@ djm@ |
Darren Tucker | b03fd02 | 2008-07-04 13:51:12 +1000 | [diff] [blame] | 1031 | - djm@cvs.openbsd.org 2008/07/04 03:44:59 |
| 1032 | [servconf.c groupaccess.h groupaccess.c] |
| 1033 | support negation of groups in "Match group" block (bz#1315); ok dtucker@ |
Darren Tucker | 2784f1f | 2008-07-04 13:51:45 +1000 | [diff] [blame] | 1034 | - dtucker@cvs.openbsd.org 2008/07/04 03:47:02 |
| 1035 | [monitor.c] |
| 1036 | Make debug a little clearer. ok djm@ |
Darren Tucker | 8c7a14e | 2008-07-04 17:08:58 +1000 | [diff] [blame] | 1037 | - djm@cvs.openbsd.org 2008/06/30 08:07:34 |
| 1038 | [regress/key-options.sh] |
| 1039 | shell portability: use "=" instead of "==" in test(1) expressions, |
| 1040 | double-quote string with backslash escaped / |
Darren Tucker | 5d6d70a | 2008-07-04 17:10:30 +1000 | [diff] [blame] | 1041 | - djm@cvs.openbsd.org 2008/06/30 10:31:11 |
| 1042 | [regress/{putty-transfer,putty-kex,putty-ciphers}.sh] |
| 1043 | remove "set -e" left over from debugging |
Darren Tucker | b01bac1 | 2008-07-04 17:11:30 +1000 | [diff] [blame] | 1044 | - djm@cvs.openbsd.org 2008/06/30 10:43:03 |
| 1045 | [regress/conch-ciphers.sh] |
| 1046 | explicitly disable conch options that could interfere with the test |
Darren Tucker | f7fa706 | 2008-07-04 14:10:19 +1000 | [diff] [blame] | 1047 | - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link |
| 1048 | returns EXDEV. Patch from Mike Garrison, ok djm@ |
Damien Miller | d8968ad | 2008-07-04 23:10:49 +1000 | [diff] [blame] | 1049 | - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h] |
| 1050 | [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c] |
| 1051 | [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on |
| 1052 | some platforms (HP nonstop) it is a distinct errno; |
| 1053 | bz#1467 reported by sconeu AT yahoo.com; ok dtucker@ |
| 1054 | |
Darren Tucker | 00f00f0 | 2008-07-02 22:31:31 +1000 | [diff] [blame] | 1055 | 20080702 |
| 1056 | - (dtucker) OpenBSD CVS Sync |
| 1057 | - djm@cvs.openbsd.org 2008/06/30 08:05:59 |
| 1058 | [PROTOCOL.agent] |
| 1059 | typo: s/constraint_date/constraint_data/ |
Darren Tucker | 8810dd4 | 2008-07-02 22:32:14 +1000 | [diff] [blame] | 1060 | - djm@cvs.openbsd.org 2008/06/30 12:15:39 |
| 1061 | [serverloop.c] |
| 1062 | only pass channel requests on session channels through to the session |
| 1063 | channel handler, avoiding spurious log messages; ok! markus@ |
Darren Tucker | 8748b96 | 2008-07-02 22:32:43 +1000 | [diff] [blame] | 1064 | - djm@cvs.openbsd.org 2008/06/30 12:16:02 |
| 1065 | [nchan.c] |
| 1066 | only send eow@openssh.com notifications for session channels; ok! markus@ |
Darren Tucker | 1f781b1 | 2008-07-02 22:33:16 +1000 | [diff] [blame] | 1067 | - djm@cvs.openbsd.org 2008/06/30 12:18:34 |
| 1068 | [PROTOCOL] |
| 1069 | clarify that eow@openssh.com is only sent on session channels |
Darren Tucker | 068e01f | 2008-07-02 22:33:55 +1000 | [diff] [blame] | 1070 | - dtucker@cvs.openbsd.org 2008/07/01 07:20:52 |
| 1071 | [sshconnect.c] |
| 1072 | Check ExitOnForwardFailure if forwardings are disabled due to a failed |
| 1073 | host key check. ok djm@ |
Darren Tucker | d7bdc0c | 2008-07-02 22:34:30 +1000 | [diff] [blame] | 1074 | - dtucker@cvs.openbsd.org 2008/07/01 07:24:22 |
| 1075 | [sshconnect.c sshd.c] |
| 1076 | Send CR LF during protocol banner exchanges, but only for Protocol 2 only, |
| 1077 | in order to comply with RFC 4253. bz #1443, ok djm@ |
Darren Tucker | f2e21de | 2008-07-02 22:35:00 +1000 | [diff] [blame] | 1078 | - stevesk@cvs.openbsd.org 2008/07/01 23:12:47 |
| 1079 | [PROTOCOL.agent] |
| 1080 | fix some typos; ok djm@ |
Darren Tucker | 7499b0c | 2008-07-02 22:35:43 +1000 | [diff] [blame] | 1081 | - djm@cvs.openbsd.org 2008/07/02 02:24:18 |
| 1082 | [sshd_config sshd_config.5 sshd.8 servconf.c] |
| 1083 | increase default size of ssh protocol 1 ephemeral key from 768 to 1024 |
| 1084 | bits; prodded by & ok dtucker@ ok deraadt@ |
Darren Tucker | 33c787f | 2008-07-02 22:37:30 +1000 | [diff] [blame] | 1085 | - dtucker@cvs.openbsd.org 2008/07/02 12:03:51 |
| 1086 | [auth-rsa.c auth.c auth2-pubkey.c auth.h] |
| 1087 | Merge duplicate host key file checks, based in part on a patch from Rob |
| 1088 | Holland via bz #1348 . Also checks for non-regular files during protocol |
| 1089 | 1 RSA auth. ok djm@ |
Darren Tucker | 4230a5d | 2008-07-02 22:56:09 +1000 | [diff] [blame] | 1090 | - djm@cvs.openbsd.org 2008/07/02 12:36:39 |
| 1091 | [auth2-none.c auth2.c] |
| 1092 | Make protocol 2 MaxAuthTries behaviour a little more sensible: |
| 1093 | Check whether client has exceeded MaxAuthTries before running |
| 1094 | an authentication method and skip it if they have, previously it |
| 1095 | would always allow one try (for "none" auth). |
| 1096 | Preincrement failure count before post-auth test - previously this |
| 1097 | checked and postincremented, also to allow one "none" try. |
| 1098 | Together, these two changes always count the "none" auth method |
| 1099 | which could be skipped by a malicious client (e.g. an SSH worm) |
| 1100 | to get an extra attempt at a real auth method. They also make |
| 1101 | MaxAuthTries=0 a useful way to block users entirely (esp. in a |
| 1102 | sshd_config Match block). |
| 1103 | Also, move sending of any preauth banner from "none" auth method |
| 1104 | to the first call to input_userauth_request(), so worms that skip |
| 1105 | the "none" method get to see it too. |
Darren Tucker | 00f00f0 | 2008-07-02 22:31:31 +1000 | [diff] [blame] | 1106 | |
Damien Miller | 2e80cf2 | 2008-06-30 08:06:25 +1000 | [diff] [blame] | 1107 | 20080630 |
| 1108 | - (djm) OpenBSD CVS Sync |
| 1109 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 |
| 1110 | [regress/Makefile regress/key-options.sh] |
| 1111 | Add regress test for key options. ok djm@ |
Damien Miller | d9bfce8 | 2008-06-30 08:06:51 +1000 | [diff] [blame] | 1112 | - dtucker@cvs.openbsd.org 2008/06/11 23:11:40 |
Damien Miller | 4268a13 | 2008-06-30 08:07:56 +1000 | [diff] [blame] | 1113 | [regress/Makefile] |
Damien Miller | d9bfce8 | 2008-06-30 08:06:51 +1000 | [diff] [blame] | 1114 | Don't run cipher-speed test by default; mistakenly enabled by me |
Damien Miller | 4268a13 | 2008-06-30 08:07:56 +1000 | [diff] [blame] | 1115 | - djm@cvs.openbsd.org 2008/06/28 13:57:25 |
| 1116 | [regress/Makefile regress/test-exec.sh regress/conch-ciphers.sh] |
| 1117 | very basic regress test against Twisted Conch in "make interop" |
| 1118 | target (conch is available in ports/devel/py-twisted/conch); |
| 1119 | ok markus@ |
Damien Miller | a766cea | 2008-06-30 08:12:37 +1000 | [diff] [blame] | 1120 | - (djm) [regress/Makefile] search for conch by path, like we do putty |
Damien Miller | 2e80cf2 | 2008-06-30 08:06:25 +1000 | [diff] [blame] | 1121 | |
Damien Miller | f184bcf | 2008-06-29 22:45:13 +1000 | [diff] [blame] | 1122 | 20080629 |
| 1123 | - (djm) OpenBSD CVS Sync |
| 1124 | - martynas@cvs.openbsd.org 2008/06/21 07:46:46 |
| 1125 | [sftp.c] |
| 1126 | use optopt to get invalid flag, instead of return value of getopt, |
| 1127 | which is always '?'; ok djm@ |
Damien Miller | 007132a | 2008-06-29 22:45:37 +1000 | [diff] [blame] | 1128 | - otto@cvs.openbsd.org 2008/06/25 11:13:43 |
| 1129 | [key.c] |
| 1130 | add key length to visual fingerprint; zap magical constants; |
| 1131 | ok grunk@ djm@ |
Damien Miller | 9e72028 | 2008-06-29 22:46:35 +1000 | [diff] [blame] | 1132 | - djm@cvs.openbsd.org 2008/06/26 06:10:09 |
| 1133 | [sftp-client.c sftp-server.c] |
| 1134 | allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky |
| 1135 | bits. Note that this only affects explicit setting of modes (e.g. via |
| 1136 | sftp(1)'s chmod command) and not file transfers. (bz#1310) |
| 1137 | ok deraadt@ at c2k8 |
Damien Miller | 2e9cf49 | 2008-06-29 22:47:04 +1000 | [diff] [blame] | 1138 | - djm@cvs.openbsd.org 2008/06/26 09:19:40 |
| 1139 | [dh.c dh.h moduli.c] |
| 1140 | when loading moduli from /etc/moduli in sshd(8), check that they |
| 1141 | are of the expected "safe prime" structure and have had |
| 1142 | appropriate primality tests performed; |
| 1143 | feedback and ok dtucker@ |
Damien Miller | 1028824 | 2008-06-30 00:04:03 +1000 | [diff] [blame] | 1144 | - grunk@cvs.openbsd.org 2008/06/26 11:46:31 |
| 1145 | [readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c] |
| 1146 | Move SSH Fingerprint Visualization away from sharing the config option |
| 1147 | CheckHostIP to an own config option named VisualHostKey. |
| 1148 | While there, fix the behaviour that ssh would draw a random art picture |
| 1149 | on every newly seen host even when the option was not enabled. |
| 1150 | prodded by deraadt@, discussions, |
| 1151 | help and ok markus@ djm@ dtucker@ |
Damien Miller | 8639920 | 2008-06-30 00:04:31 +1000 | [diff] [blame] | 1152 | - jmc@cvs.openbsd.org 2008/06/26 21:11:46 |
| 1153 | [ssh.1] |
| 1154 | add VisualHostKey to the list of options listed in -o; |
Damien Miller | bd45afb | 2008-06-30 00:04:57 +1000 | [diff] [blame] | 1155 | - djm@cvs.openbsd.org 2008/06/28 07:25:07 |
| 1156 | [PROTOCOL] |
| 1157 | spelling fixes |
Damien Miller | 1cfadab | 2008-06-30 00:05:21 +1000 | [diff] [blame] | 1158 | - djm@cvs.openbsd.org 2008/06/28 13:58:23 |
| 1159 | [ssh-agent.c] |
| 1160 | refuse to add a key that has unknown constraints specified; |
| 1161 | ok markus |
Damien Miller | 471db5c | 2008-06-30 00:05:48 +1000 | [diff] [blame] | 1162 | - djm@cvs.openbsd.org 2008/06/28 14:05:15 |
| 1163 | [ssh-agent.c] |
| 1164 | reset global compat flag after processing a protocol 2 signature |
| 1165 | request with the legacy DSA encoding flag set; ok markus |
Damien Miller | 1e18beb | 2008-06-30 00:07:00 +1000 | [diff] [blame] | 1166 | - djm@cvs.openbsd.org 2008/06/28 14:08:30 |
| 1167 | [PROTOCOL PROTOCOL.agent] |
| 1168 | document the protocol used by ssh-agent; "looks ok" markus@ |
Damien Miller | f184bcf | 2008-06-29 22:45:13 +1000 | [diff] [blame] | 1169 | |
Damien Miller | 493f032 | 2008-06-28 16:01:35 +1000 | [diff] [blame] | 1170 | 20080628 |
| 1171 | - (djm) [RFC.nroff contrib/cygwin/Makefile contrib/suse/openssh.spec] |
| 1172 | RFC.nroff lacks a license, remove it (it is long gone in OpenBSD). |
| 1173 | |
Damien Miller | 60dcc62 | 2008-06-26 15:59:32 +1000 | [diff] [blame] | 1174 | 20080626 |
| 1175 | - (djm) [Makefile.in moduli.5] Include moduli(5) manpage from OpenBSD. |
| 1176 | (bz#1372) |
Damien Miller | f299ff8 | 2008-06-26 16:01:56 +1000 | [diff] [blame] | 1177 | - (djm) [ contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| 1178 | [contrib/suse/openssh.spec] Include moduli.5 in RPM spec files. |
Damien Miller | 60dcc62 | 2008-06-26 15:59:32 +1000 | [diff] [blame] | 1179 | |
Darren Tucker | ed3cdc0 | 2008-06-16 23:29:18 +1000 | [diff] [blame] | 1180 | 20080616 |
| 1181 | - (dtucker) OpenBSD CVS Sync |
| 1182 | - dtucker@cvs.openbsd.org 2008/06/16 13:22:53 |
| 1183 | [session.c channels.c] |
| 1184 | Rename the isatty argument to is_tty so we don't shadow |
| 1185 | isatty(3). ok markus@ |
Darren Tucker | 1a48aec | 2008-06-16 23:35:56 +1000 | [diff] [blame] | 1186 | - (dtucker) [channels.c] isatty -> is_tty here too. |
Darren Tucker | ed3cdc0 | 2008-06-16 23:29:18 +1000 | [diff] [blame] | 1187 | |
Darren Tucker | 330c93f | 2008-06-16 02:27:48 +1000 | [diff] [blame] | 1188 | 20080615 |
| 1189 | - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc. |
Damien Miller | 2a62847 | 2008-06-16 07:50:24 +1000 | [diff] [blame] | 1190 | - OpenBSD CVS Sync |
| 1191 | - dtucker@cvs.openbsd.org 2008/06/14 15:49:48 |
| 1192 | [sshd.c] |
| 1193 | wrap long line at 80 chars |
Damien Miller | 6ca16c6 | 2008-06-16 07:50:58 +1000 | [diff] [blame] | 1194 | - dtucker@cvs.openbsd.org 2008/06/14 17:07:11 |
| 1195 | [sshd.c] |
| 1196 | ensure default umask disallows at least group and world write; ok djm@ |
Damien Miller | 6051c94 | 2008-06-16 07:53:16 +1000 | [diff] [blame] | 1197 | - djm@cvs.openbsd.org 2008/06/14 18:33:43 |
| 1198 | [session.c] |
| 1199 | suppress the warning message from chdir(homedir) failures |
| 1200 | when chrooted (bz#1461); ok dtucker |
Damien Miller | c7ce0da | 2008-06-16 07:55:06 +1000 | [diff] [blame] | 1201 | - dtucker@cvs.openbsd.org 2008/06/14 19:42:10 |
| 1202 | [scp.1] |
| 1203 | Mention that scp follows symlinks during -r. bz #1466, |
| 1204 | from nectar at apple |
Damien Miller | c62a5af | 2008-06-16 07:55:46 +1000 | [diff] [blame] | 1205 | - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 |
| 1206 | [sshd_config.5] |
| 1207 | MaxSessions is allowed in a Match block too |
Damien Miller | 307c1d1 | 2008-06-16 07:56:20 +1000 | [diff] [blame] | 1208 | - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 |
| 1209 | [servconf.c sshd_config.5] |
| 1210 | Allow MaxAuthTries within a Match block. ok djm@ |
Damien Miller | d310d51 | 2008-06-16 07:59:23 +1000 | [diff] [blame] | 1211 | - djm@cvs.openbsd.org 2008/06/15 20:06:26 |
| 1212 | [channels.c channels.h session.c] |
| 1213 | don't call isatty() on a pty master, instead pass a flag down to |
| 1214 | channel_set_fds() indicating that te fds refer to a tty. Fixes a |
| 1215 | hang on exit on Solaris (bz#1463) in portable but is actually |
| 1216 | a generic bug; ok dtucker deraadt markus |
Darren Tucker | 330c93f | 2008-06-16 02:27:48 +1000 | [diff] [blame] | 1217 | |
Damien Miller | 8b7ab96 | 2008-06-15 10:55:34 +1000 | [diff] [blame] | 1218 | 20080614 |
| 1219 | - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction |
| 1220 | replacement code; patch from ighighi AT gmail.com in bz#1240; |
| 1221 | ok dtucker |
| 1222 | |
Darren Tucker | 99bb761 | 2008-06-13 22:02:50 +1000 | [diff] [blame] | 1223 | 20080613 |
| 1224 | - (dtucker) OpenBSD CVS Sync |
| 1225 | - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 |
| 1226 | [packet.c] |
| 1227 | compile on older gcc; no decl after code |
Darren Tucker | f2c16d3 | 2008-06-14 08:59:49 +1000 | [diff] [blame] | 1228 | - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 |
| 1229 | [monitor.c] |
| 1230 | Clear key options in the monitor on failed authentication, prevents |
| 1231 | applying additional restrictions to non-pubkey authentications in |
| 1232 | the case where pubkey fails but another method subsequently succeeds. |
| 1233 | bz #1472, found by Colin Watson, ok markus@ djm@ |
Darren Tucker | d9526a5 | 2008-06-14 09:01:24 +1000 | [diff] [blame] | 1234 | - dtucker@cvs.openbsd.org 2008/06/13 14:18:51 |
| 1235 | [auth2-pubkey.c auth-rhosts.c] |
| 1236 | Include unistd.h for close(), prevents warnings in -portable |
Darren Tucker | 47e713b | 2008-06-14 09:01:54 +1000 | [diff] [blame] | 1237 | - dtucker@cvs.openbsd.org 2008/06/13 17:21:20 |
| 1238 | [mux.c] |
| 1239 | Friendlier error messages for mux fallback. ok djm@ |
Darren Tucker | 03ccc9b | 2008-06-14 09:02:25 +1000 | [diff] [blame] | 1240 | - dtucker@cvs.openbsd.org 2008/06/13 18:55:22 |
| 1241 | [scp.c] |
| 1242 | Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@ |
Darren Tucker | f6bffb1 | 2008-06-14 09:04:26 +1000 | [diff] [blame] | 1243 | - grunk@cvs.openbsd.org 2008/06/13 20:13:26 |
| 1244 | [ssh.1] |
| 1245 | Explain the use of SSH fpr visualization using random art, and cite the |
| 1246 | original scientific paper inspiring that technique. |
| 1247 | Much help with English and nroff by jmc@, thanks. |
Darren Tucker | 30fd49e | 2008-06-14 09:14:46 +1000 | [diff] [blame] | 1248 | - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which |
| 1249 | despite its name doesn't seem to implement all of GSSAPI. Patch from |
| 1250 | Jan Engelhardt, sanity checked by Simon Wilkinson. |
Darren Tucker | 99bb761 | 2008-06-13 22:02:50 +1000 | [diff] [blame] | 1251 | |
Darren Tucker | 1199673 | 2008-06-13 04:32:00 +1000 | [diff] [blame] | 1252 | 20080612 |
| 1253 | - (dtucker) OpenBSD CVS Sync |
| 1254 | - jmc@cvs.openbsd.org 2008/06/11 07:30:37 |
| 1255 | [sshd.8] |
| 1256 | kill trailing whitespace; |
Darren Tucker | 9c16ac9 | 2008-06-13 04:40:35 +1000 | [diff] [blame] | 1257 | - grunk@cvs.openbsd.org 2008/06/11 21:01:35 |
| 1258 | [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c |
| 1259 | sshconnect.c] |
| 1260 | Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the |
| 1261 | graphical hash visualization schemes known as "random art", and by |
| 1262 | Dan Kaminsky's musings on the subject during a BlackOp talk at the |
| 1263 | 23C3 in Berlin. |
| 1264 | Scientific publication (original paper): |
| 1265 | "Hash Visualization: a New Technique to improve Real-World Security", |
| 1266 | Perrig A. and Song D., 1999, International Workshop on Cryptographic |
| 1267 | Techniques and E-Commerce (CrypTEC '99) |
| 1268 | http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf |
| 1269 | The algorithm used here is a worm crawling over a discrete plane, |
| 1270 | leaving a trace (augmenting the field) everywhere it goes. |
| 1271 | Movement is taken from dgst_raw 2bit-wise. Bumping into walls |
| 1272 | makes the respective movement vector be ignored for this turn, |
| 1273 | thus switching to the other color of the chessboard. |
| 1274 | Graphs are not unambiguous for now, because circles in graphs can be |
| 1275 | walked in either direction. |
| 1276 | discussions with several people, |
| 1277 | help, corrections and ok markus@ djm@ |
Darren Tucker | a376a32 | 2008-06-13 04:42:14 +1000 | [diff] [blame] | 1278 | - grunk@cvs.openbsd.org 2008/06/11 21:38:25 |
| 1279 | [ssh-keygen.c] |
| 1280 | ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub |
| 1281 | would not display you the random art as intended, spotted by canacar@ |
Darren Tucker | 35c4553 | 2008-06-13 04:43:15 +1000 | [diff] [blame] | 1282 | - grunk@cvs.openbsd.org 2008/06/11 22:20:46 |
| 1283 | [ssh-keygen.c ssh-keygen.1] |
| 1284 | ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, |
| 1285 | that is not how it was envisioned. |
| 1286 | Also correct manpage saying that -v is needed along with -l for it to work. |
| 1287 | spotted by naddy@ |
Darren Tucker | 014d76f | 2008-06-13 04:43:51 +1000 | [diff] [blame] | 1288 | - otto@cvs.openbsd.org 2008/06/11 23:02:22 |
| 1289 | [key.c] |
| 1290 | simpler way of computing the augmentations; ok grunk@ |
Darren Tucker | dcc1ab5 | 2008-06-13 04:44:25 +1000 | [diff] [blame] | 1291 | - grunk@cvs.openbsd.org 2008/06/11 23:03:56 |
| 1292 | [ssh_config.5] |
| 1293 | CheckHostIP set to ``fingerprint'' will display both hex and random art |
| 1294 | spotted by naddy@ |
Darren Tucker | d32b28a | 2008-06-13 04:45:50 +1000 | [diff] [blame] | 1295 | - grunk@cvs.openbsd.org 2008/06/11 23:51:57 |
| 1296 | [key.c] |
| 1297 | #define statements that are not atoms need braces around them, else they |
| 1298 | will cause trouble in some cases. |
| 1299 | Also do a computation of -1 once, and not in a loop several times. |
| 1300 | spotted by otto@ |
Darren Tucker | 78913e0 | 2008-06-13 04:47:34 +1000 | [diff] [blame] | 1301 | - dtucker@cvs.openbsd.org 2008/06/12 00:03:49 |
| 1302 | [dns.c canohost.c sshconnect.c] |
| 1303 | Do not pass "0" strings as ports to getaddrinfo because the lookups |
| 1304 | can slow things down and we never use the service info anyway. bz |
| 1305 | #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok |
| 1306 | deraadt@ djm@ |
| 1307 | djm belives that the reason for the "0" strings is to ensure that |
| 1308 | it's not possible to call getaddrinfo with both host and port being |
| 1309 | NULL. In the case of canohost.c host is a local array. In the |
| 1310 | case of sshconnect.c, it's checked for null immediately before use. |
| 1311 | In dns.c it ultimately comes from ssh.c:main() and is guaranteed to |
| 1312 | be non-null but it's not obvious, so I added a warning message in |
| 1313 | case it is ever passed a null. |
| 1314 | - grunk@cvs.openbsd.org 2008/06/12 00:13:55 |
| 1315 | [sshconnect.c] |
| 1316 | Make ssh print the random art also when ssh'ing to a host using IP only. |
| 1317 | spotted by naddy@, ok and help djm@ dtucker@ |
Darren Tucker | 267e28b | 2008-06-13 04:48:11 +1000 | [diff] [blame] | 1318 | - otto@cvs.openbsd.org 2008/06/12 00:13:13 |
| 1319 | [key.c] |
| 1320 | use an odd number of rows and columns and a separate start marker, looks |
| 1321 | better; ok grunk@ |
Darren Tucker | 2fb66ca | 2008-06-13 04:49:33 +1000 | [diff] [blame] | 1322 | - djm@cvs.openbsd.org 2008/06/12 03:40:52 |
| 1323 | [clientloop.h mux.c channels.c clientloop.c channels.h] |
| 1324 | Enable ~ escapes for multiplex slave sessions; give each channel |
| 1325 | its own escape state and hook the escape filters up to muxed |
| 1326 | channels. bz #1331 |
| 1327 | Mux slaves do not currently support the ~^Z and ~& escapes. |
| 1328 | NB. this change cranks the mux protocol version, so a new ssh |
| 1329 | mux client will not be able to connect to a running old ssh |
| 1330 | mux master. |
| 1331 | ok dtucker@ |
Darren Tucker | 9f407c4 | 2008-06-13 04:50:27 +1000 | [diff] [blame] | 1332 | - djm@cvs.openbsd.org 2008/06/12 04:06:00 |
| 1333 | [clientloop.h ssh.c clientloop.c] |
| 1334 | maintain an ordered queue of outstanding global requests that we |
| 1335 | expect replies to, similar to the per-channel confirmation queue. |
| 1336 | Use this queue to verify success or failure for remote forward |
| 1337 | establishment in a race free way. |
| 1338 | ok dtucker@ |
Darren Tucker | 4d5cd33 | 2008-06-13 04:51:14 +1000 | [diff] [blame] | 1339 | - djm@cvs.openbsd.org 2008/06/12 04:17:47 |
| 1340 | [clientloop.c] |
| 1341 | thall shalt not code past the eightieth column |
Darren Tucker | d6173c0 | 2008-06-13 04:52:53 +1000 | [diff] [blame] | 1342 | - djm@cvs.openbsd.org 2008/06/12 04:24:06 |
| 1343 | [ssh.c] |
| 1344 | thal shalt not code past the eightieth column |
Darren Tucker | e5d9829 | 2008-06-13 04:53:27 +1000 | [diff] [blame] | 1345 | - djm@cvs.openbsd.org 2008/06/12 05:15:41 |
| 1346 | [PROTOCOL] |
| 1347 | document tun@openssh.com forwarding method |
Darren Tucker | ba69c7a | 2008-06-13 04:54:05 +1000 | [diff] [blame] | 1348 | - djm@cvs.openbsd.org 2008/06/12 05:32:30 |
| 1349 | [mux.c] |
| 1350 | some more TODO for me |
Darren Tucker | 4b3b977 | 2008-06-13 04:55:10 +1000 | [diff] [blame] | 1351 | - grunk@cvs.openbsd.org 2008/06/12 05:42:46 |
| 1352 | [key.c] |
| 1353 | supply the key type (rsa1, rsa, dsa) as a caption in the frame of the |
| 1354 | random art. while there, stress the fact that the field base should at |
| 1355 | least be 8 characters for the pictures to make sense. |
| 1356 | comment and ok djm@ |
| 1357 | - grunk@cvs.openbsd.org 2008/06/12 06:32:59 |
| 1358 | [key.c] |
| 1359 | We already mark the start of the worm, now also mark the end of the worm |
| 1360 | in our random art drawings. |
| 1361 | ok djm@ |
Darren Tucker | 84c56f5 | 2008-06-13 04:55:46 +1000 | [diff] [blame] | 1362 | - djm@cvs.openbsd.org 2008/06/12 15:19:17 |
| 1363 | [clientloop.h channels.h clientloop.c channels.c mux.c] |
| 1364 | The multiplexing escape char handler commit last night introduced a |
| 1365 | small memory leak per session; plug it. |
Darren Tucker | f6b01b7 | 2008-06-13 04:56:37 +1000 | [diff] [blame] | 1366 | - dtucker@cvs.openbsd.org 2008/06/12 16:35:31 |
| 1367 | [ssh_config.5 ssh.c] |
| 1368 | keyword expansion for localcommand. ok djm@ |
Darren Tucker | f09e825 | 2008-06-13 05:18:03 +1000 | [diff] [blame] | 1369 | - jmc@cvs.openbsd.org 2008/06/12 19:10:09 |
| 1370 | [ssh_config.5 ssh-keygen.1] |
| 1371 | tweak the ascii art text; ok grunk |
Darren Tucker | 3fc464e | 2008-06-13 06:42:45 +1000 | [diff] [blame] | 1372 | - dtucker@cvs.openbsd.org 2008/06/12 20:38:28 |
| 1373 | [sshd.c sshconnect.c packet.h misc.c misc.h packet.c] |
| 1374 | Make keepalive timeouts apply while waiting for a packet, particularly |
| 1375 | during key renegotiation (bz #1363). With djm and Matt Day, ok djm@ |
Darren Tucker | a64ab33 | 2008-06-13 07:01:29 +1000 | [diff] [blame] | 1376 | - djm@cvs.openbsd.org 2008/06/12 20:47:04 |
| 1377 | [sftp-client.c] |
| 1378 | print extension revisions for extensions that we understand |
Darren Tucker | babc1d5 | 2008-06-13 08:56:01 +1000 | [diff] [blame] | 1379 | - djm@cvs.openbsd.org 2008/06/12 21:06:25 |
| 1380 | [clientloop.c] |
| 1381 | I was coalescing expected global request confirmation replies at |
| 1382 | the wrong end of the queue - fix; prompted by markus@ |
Darren Tucker | b68fb4a | 2008-06-13 08:57:27 +1000 | [diff] [blame] | 1383 | - grunk@cvs.openbsd.org 2008/06/12 21:14:46 |
| 1384 | [ssh-keygen.c] |
| 1385 | make ssh-keygen -lf show the key type just as ssh-add -l would do it |
| 1386 | ok djm@ markus@ |
Darren Tucker | 0f0ef0a | 2008-06-13 08:58:05 +1000 | [diff] [blame] | 1387 | - grunk@cvs.openbsd.org 2008/06/12 22:03:36 |
| 1388 | [key.c] |
| 1389 | add my copyright, ok djm@ |
Darren Tucker | ff4454d | 2008-06-13 10:21:51 +1000 | [diff] [blame] | 1390 | - ian@cvs.openbsd.org 2008/06/12 23:24:58 |
| 1391 | [sshconnect.c] |
| 1392 | tweak wording in message, ok deraadt@ jmc@ |
Darren Tucker | f8b7eb7 | 2008-06-13 10:22:54 +1000 | [diff] [blame] | 1393 | - dtucker@cvs.openbsd.org 2008/06/13 00:12:02 |
| 1394 | [sftp.h log.h] |
| 1395 | replace __dead with __attribute__((noreturn)), makes things |
| 1396 | a little easier to port. Also, add it to sigdie(). ok djm@ |
Darren Tucker | ca19bfe | 2008-06-13 10:24:03 +1000 | [diff] [blame] | 1397 | - djm@cvs.openbsd.org 2008/06/13 00:16:49 |
| 1398 | [mux.c] |
| 1399 | fall back to creating a new TCP connection on most multiplexing errors |
| 1400 | (socket connect fail, invalid version, refused permittion, corrupted |
| 1401 | messages, etc.); bz #1329 ok dtucker@ |
Darren Tucker | 1adfd36 | 2008-06-13 10:58:10 +1000 | [diff] [blame] | 1402 | - dtucker@cvs.openbsd.org 2008/06/13 00:47:53 |
| 1403 | [mux.c] |
| 1404 | upcast size_t to u_long to match format arg; ok djm@ |
Darren Tucker | c7e030f | 2008-06-13 10:58:50 +1000 | [diff] [blame] | 1405 | - dtucker@cvs.openbsd.org 2008/06/13 00:51:47 |
| 1406 | [mac.c] |
| 1407 | upcast another size_t to u_long to match format |
Darren Tucker | 7517b5b | 2008-06-13 14:48:59 +1000 | [diff] [blame] | 1408 | - dtucker@cvs.openbsd.org 2008/06/13 01:38:23 |
| 1409 | [misc.c] |
| 1410 | upcast uid to long with matching %ld, prevents warnings in portable |
Darren Tucker | 06db584 | 2008-06-13 14:51:28 +1000 | [diff] [blame] | 1411 | - djm@cvs.openbsd.org 2008/06/13 04:40:22 |
| 1412 | [auth2-pubkey.c auth-rhosts.c] |
| 1413 | refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not |
| 1414 | regular files; report from Solar Designer via Colin Watson in bz#1471 |
| 1415 | ok dtucker@ deraadt |
Darren Tucker | 1cf65ae | 2008-06-13 05:09:18 +1000 | [diff] [blame] | 1416 | - (dtucker) [clientloop.c serverloop.c] channel_register_filter now |
| 1417 | takes 2 more args. with djm@ |
Darren Tucker | 61b0695 | 2008-06-13 10:28:57 +1000 | [diff] [blame] | 1418 | - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch |
| 1419 | from Todd Vierling. |
Darren Tucker | 2c1eb82 | 2008-06-13 11:13:13 +1000 | [diff] [blame] | 1420 | - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA |
| 1421 | systems. Patch from R. Scott Bailey. |
Darren Tucker | 2c91b28 | 2008-06-13 12:40:55 +1000 | [diff] [blame] | 1422 | - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used |
| 1423 | on big endian machines, so ifdef them for little-endian only to prevent |
| 1424 | unused function warnings on big-endians. |
Darren Tucker | f387e59 | 2008-06-13 15:03:14 +1000 | [diff] [blame] | 1425 | - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent |
| 1426 | compiler warnings on some platforms. Based on a discussion with otto@ |
Darren Tucker | 1199673 | 2008-06-13 04:32:00 +1000 | [diff] [blame] | 1427 | |
Damien Miller | 4401e45 | 2008-06-12 06:05:12 +1000 | [diff] [blame] | 1428 | 20080611 |
| 1429 | - (djm) [channels.c configure.ac] |
| 1430 | Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no) |
| 1431 | bz#1464; ok dtucker |
| 1432 | |
Darren Tucker | 7a3935d | 2008-06-10 22:59:10 +1000 | [diff] [blame] | 1433 | 20080610 |
| 1434 | - (dtucker) OpenBSD CVS Sync |
| 1435 | - djm@cvs.openbsd.org 2008/06/10 03:57:27 |
| 1436 | [servconf.c match.h sshd_config.5] |
| 1437 | support CIDR address matching in sshd_config "Match address" blocks, with |
| 1438 | full support for negation and fall-back to classic wildcard matching. |
| 1439 | For example: |
| 1440 | Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* |
| 1441 | PasswordAuthentication yes |
| 1442 | addrmatch.c code mostly lifted from flowd's addr.c |
| 1443 | feedback and ok dtucker@ |
Darren Tucker | b06cc4a | 2008-06-10 22:59:53 +1000 | [diff] [blame] | 1444 | - djm@cvs.openbsd.org 2008/06/10 04:17:46 |
| 1445 | [sshd_config.5] |
| 1446 | better reference for pattern-list |
Darren Tucker | e7140f2 | 2008-06-10 23:01:51 +1000 | [diff] [blame] | 1447 | - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 |
| 1448 | [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] |
| 1449 | Add extended test mode (-T) and connection parameters for test mode (-C). |
| 1450 | -T causes sshd to write its effective configuration to stdout and exit. |
| 1451 | -C causes any relevant Match rules to be applied before output. The |
| 1452 | combination allows tesing of the parser and config files. ok deraadt djm |
Darren Tucker | 6a2a400 | 2008-06-10 23:03:04 +1000 | [diff] [blame] | 1453 | - jmc@cvs.openbsd.org 2008/06/10 07:12:00 |
| 1454 | [sshd_config.5] |
| 1455 | tweak previous; |
Darren Tucker | e7f3f75 | 2008-06-10 23:06:01 +1000 | [diff] [blame] | 1456 | - jmc@cvs.openbsd.org 2008/06/10 08:17:40 |
| 1457 | [sshd.8 sshd.c] |
| 1458 | - update usage() |
| 1459 | - fix SYNOPSIS, and sort options |
| 1460 | - some minor additional fixes |
Darren Tucker | d788b7c | 2008-06-10 23:15:54 +1000 | [diff] [blame] | 1461 | - dtucker@cvs.openbsd.org 2008/06/09 18:06:32 |
| 1462 | [regress/test-exec.sh] |
| 1463 | Don't generate putty keys if we're not going to use them. ok djm |
Darren Tucker | 10f9242 | 2008-06-10 23:16:46 +1000 | [diff] [blame] | 1464 | - dtucker@cvs.openbsd.org 2008/06/10 05:23:32 |
| 1465 | [regress/addrmatch.sh regress/Makefile] |
| 1466 | Regress test for Match CIDR rules. ok djm@ |
Darren Tucker | 5f34664 | 2008-06-11 01:38:52 +1000 | [diff] [blame] | 1467 | - dtucker@cvs.openbsd.org 2008/06/10 15:21:41 |
| 1468 | [test-exec.sh] |
| 1469 | Use a more portable construct for checking if we're running a putty test |
Darren Tucker | d8bafea | 2008-06-11 01:39:38 +1000 | [diff] [blame] | 1470 | - dtucker@cvs.openbsd.org 2008/06/10 15:28:49 |
| 1471 | [test-exec.sh] |
| 1472 | Add quotes |
Darren Tucker | c9807e8 | 2008-06-11 09:33:01 +1000 | [diff] [blame] | 1473 | - dtucker@cvs.openbsd.org 2008/06/10 18:21:24 |
| 1474 | [ssh_config.5] |
| 1475 | clarify that Host patterns are space-separated. ok deraadt |
Darren Tucker | 8901fa9 | 2008-06-11 09:34:01 +1000 | [diff] [blame] | 1476 | - djm@cvs.openbsd.org 2008/06/10 22:15:23 |
| 1477 | [PROTOCOL ssh.c serverloop.c] |
| 1478 | Add a no-more-sessions@openssh.com global request extension that the |
| 1479 | client sends when it knows that it will never request another session |
| 1480 | (i.e. when session multiplexing is disabled). This allows a server to |
| 1481 | disallow further session requests and terminate the session. |
| 1482 | Why would a non-multiplexing client ever issue additional session |
| 1483 | requests? It could have been attacked with something like SSH'jack: |
| 1484 | http://www.storm.net.nz/projects/7 |
| 1485 | feedback & ok markus |
Darren Tucker | 896ad5a | 2008-06-11 09:34:46 +1000 | [diff] [blame] | 1486 | - djm@cvs.openbsd.org 2008/06/10 23:06:19 |
| 1487 | [auth-options.c match.c servconf.c addrmatch.c sshd.8] |
| 1488 | support CIDR address matching in .ssh/authorized_keys from="..." stanzas |
| 1489 | ok and extensive testing dtucker@ |
Darren Tucker | 2a8b138 | 2008-06-11 09:35:37 +1000 | [diff] [blame] | 1490 | - dtucker@cvs.openbsd.org 2008/06/10 23:21:34 |
| 1491 | [bufaux.c] |
| 1492 | Use '\0' for a nul byte rather than unadorned 0. ok djm@ |
Darren Tucker | e045e0c | 2008-06-11 09:38:12 +1000 | [diff] [blame] | 1493 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 |
| 1494 | [Makefile regress/key-options.sh] |
| 1495 | Add regress test for key options. ok djm@ |
Darren Tucker | 5d37690 | 2008-06-11 04:15:05 +1000 | [diff] [blame] | 1496 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 |
| 1497 | since the new CIDR code in addmatch.c references it. |
| 1498 | - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 |
| 1499 | specific tests on platforms that don't do IPv6. |
Darren Tucker | 34f49c6 | 2008-06-11 05:15:51 +1000 | [diff] [blame] | 1500 | - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well |
| 1501 | as environment. |
Darren Tucker | b8e0500 | 2008-06-11 09:47:59 +1000 | [diff] [blame] | 1502 | - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now. |
Darren Tucker | 7a3935d | 2008-06-10 22:59:10 +1000 | [diff] [blame] | 1503 | |
Darren Tucker | 422c34c | 2008-06-09 22:48:31 +1000 | [diff] [blame] | 1504 | 20080609 |
| 1505 | - (dtucker) OpenBSD CVS Sync |
| 1506 | - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 |
| 1507 | [sftp-server.c] |
| 1508 | Add case for ENOSYS in errno_to_portable; ok deraadt |
Darren Tucker | 7b59889 | 2008-06-09 22:49:36 +1000 | [diff] [blame] | 1509 | - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 |
| 1510 | [sftp.c sftp-client.c sftp-client.h] |
| 1511 | Have the sftp client store the statvfs replies in wire format, |
| 1512 | which prevents problems when the server's native sizes exceed the |
| 1513 | client's. |
| 1514 | Also extends the sizes of the remaining 32bit wire format to 64bit, |
| 1515 | they're specified as unsigned long in the standard. |
Darren Tucker | 3463aca | 2008-06-09 23:06:55 +1000 | [diff] [blame] | 1516 | - dtucker@cvs.openbsd.org 2008/06/09 13:02:39 |
Darren Tucker | 588fe0e | 2008-06-09 23:52:22 +1000 | [diff] [blame] | 1517 | [sftp-server.c] |
Darren Tucker | 3463aca | 2008-06-09 23:06:55 +1000 | [diff] [blame] | 1518 | Extend 32bit -> 64bit values for statvfs extension missed in previous |
| 1519 | commit. |
Darren Tucker | 588fe0e | 2008-06-09 23:52:22 +1000 | [diff] [blame] | 1520 | - dtucker@cvs.openbsd.org 2008/06/09 13:38:46 |
| 1521 | [PROTOCOL] |
| 1522 | Use a $OpenBSD tag so our scripts will sync changes. |
Darren Tucker | 422c34c | 2008-06-09 22:48:31 +1000 | [diff] [blame] | 1523 | |
Darren Tucker | 598eaa6 | 2008-06-09 03:32:29 +1000 | [diff] [blame] | 1524 | 20080608 |
| 1525 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c |
| 1526 | openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h |
| 1527 | openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and |
| 1528 | fstatvfs and remove #defines around statvfs code. ok djm@ |
Darren Tucker | 7700138 | 2008-06-09 06:17:53 +1000 | [diff] [blame] | 1529 | - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a |
| 1530 | macro to convert fsid to unsigned long for platforms where fsid is a |
| 1531 | 2-member array. |
Darren Tucker | 598eaa6 | 2008-06-09 03:32:29 +1000 | [diff] [blame] | 1532 | |
Darren Tucker | ce38d82 | 2008-06-07 06:25:15 +1000 | [diff] [blame] | 1533 | 20080607 |
| 1534 | - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H. |
Darren Tucker | 5b2e2ba | 2008-06-08 09:25:28 +1000 | [diff] [blame] | 1535 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c] |
| 1536 | Do not enable statvfs extensions on platforms that do not have statvfs. |
Darren Tucker | 136e56f | 2008-06-08 12:49:30 +1000 | [diff] [blame] | 1537 | - (dtucker) OpenBSD CVS Sync |
| 1538 | - djm@cvs.openbsd.org 2008/05/19 06:14:02 |
| 1539 | [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@ |
Darren Tucker | dd39264 | 2008-06-08 12:53:20 +1000 | [diff] [blame] | 1540 | - djm@cvs.openbsd.org 2008/05/19 15:45:07 |
| 1541 | [sshtty.c ttymodes.c sshpty.h] |
| 1542 | Fix sending tty modes when stdin is not a tty (bz#1199). Previously |
| 1543 | we would send the modes corresponding to a zeroed struct termios, |
| 1544 | whereas we should have been sending an empty list of modes. |
| 1545 | Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ |
Darren Tucker | 0f7e910 | 2008-06-08 12:54:29 +1000 | [diff] [blame] | 1546 | - djm@cvs.openbsd.org 2008/05/19 15:46:31 |
| 1547 | [ssh-keygen.c] |
| 1548 | support -l (print fingerprint) in combination with -F (find host) to |
| 1549 | search for a host in ~/.ssh/known_hosts and display its fingerprint; |
| 1550 | ok markus@ |
Darren Tucker | df189fb | 2008-06-08 12:55:32 +1000 | [diff] [blame] | 1551 | - djm@cvs.openbsd.org 2008/05/19 20:53:52 |
| 1552 | [clientloop.c] |
| 1553 | unbreak tree by committing this bit that I missed from: |
| 1554 | Fix sending tty modes when stdin is not a tty (bz#1199). Previously |
| 1555 | we would send the modes corresponding to a zeroed struct termios, |
| 1556 | whereas we should have been sending an empty list of modes. |
| 1557 | Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ |
Darren Tucker | ce38d82 | 2008-06-07 06:25:15 +1000 | [diff] [blame] | 1558 | |
Damien Miller | 58ea61b | 2008-06-04 10:54:00 +1000 | [diff] [blame] | 1559 | 20080604 |
| 1560 | - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias |
| 1561 | in arc4random_uniform with upper_bound in (2^30,2*31). Note that |
| 1562 | OpenSSH did not make requests with upper bounds in this range. |
| 1563 | |
Damien Miller | a7058ec | 2008-05-20 08:57:06 +1000 | [diff] [blame] | 1564 | 20080519 |
| 1565 | - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in] |
| 1566 | [openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h] |
| 1567 | Fix compilation on Linux, including pulling in fmt_scaled(3) |
| 1568 | implementation from OpenBSD's libutil. |
| 1569 | |
Damien Miller | 797e3d1 | 2008-05-19 14:27:42 +1000 | [diff] [blame] | 1570 | 20080518 |
| 1571 | - (djm) OpenBSD CVS Sync |
| 1572 | - djm@cvs.openbsd.org 2008/04/04 05:14:38 |
| 1573 | [sshd_config.5] |
| 1574 | ChrootDirectory is supported in Match blocks (in fact, it is most useful |
| 1575 | there). Spotted by Minstrel AT minstrel.org.uk |
Damien Miller | 56f41dd | 2008-05-19 14:28:19 +1000 | [diff] [blame] | 1576 | - djm@cvs.openbsd.org 2008/04/04 06:44:26 |
| 1577 | [sshd_config.5] |
| 1578 | oops, some unrelated stuff crept into that commit - backout. |
| 1579 | spotted by jmc@ |
Damien Miller | 25434de | 2008-05-19 14:29:08 +1000 | [diff] [blame] | 1580 | - djm@cvs.openbsd.org 2008/04/05 02:46:02 |
| 1581 | [sshd_config.5] |
| 1582 | HostbasedAuthentication is supported under Match too |
Damien Miller | a4be7c2 | 2008-05-19 14:47:37 +1000 | [diff] [blame] | 1583 | - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c] |
| 1584 | [configure.ac] Implement arc4random_buf(), import implementation of |
| 1585 | arc4random_uniform() from OpenBSD |
Damien Miller | caaed01 | 2008-05-19 15:26:54 +1000 | [diff] [blame] | 1586 | - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes |
Damien Miller | 9417831 | 2008-05-19 15:28:35 +1000 | [diff] [blame] | 1587 | - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h |
Damien Miller | 354c48c | 2008-05-19 14:50:00 +1000 | [diff] [blame] | 1588 | - (djm) OpenBSD CVS Sync |
| 1589 | - djm@cvs.openbsd.org 2008/04/13 00:22:17 |
| 1590 | [dh.c sshd.c] |
| 1591 | Use arc4random_buf() when requesting more than a single word of output |
| 1592 | Use arc4random_uniform() when the desired random number upper bound |
| 1593 | is not a power of two |
| 1594 | ok deraadt@ millert@ |
Damien Miller | d671e5a | 2008-05-19 14:53:33 +1000 | [diff] [blame] | 1595 | - djm@cvs.openbsd.org 2008/04/18 12:32:11 |
| 1596 | [sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h] |
| 1597 | introduce sftp extension methods statvfs@openssh.com and |
| 1598 | fstatvfs@openssh.com that implement statvfs(2)-like operations, |
| 1599 | based on a patch from miklos AT szeredi.hu (bz#1399) |
| 1600 | also add a "df" command to the sftp client that uses the |
| 1601 | statvfs@openssh.com to produce a df(1)-like display of filesystem |
| 1602 | space and inode utilisation |
| 1603 | ok markus@ |
Damien Miller | 64058cb | 2008-05-19 14:54:25 +1000 | [diff] [blame] | 1604 | - jmc@cvs.openbsd.org 2008/04/18 17:15:47 |
| 1605 | [sftp.1] |
| 1606 | macro fixage; |
Damien Miller | ff0dd88 | 2008-05-19 14:55:02 +1000 | [diff] [blame] | 1607 | - djm@cvs.openbsd.org 2008/04/18 22:01:33 |
| 1608 | [session.c] |
| 1609 | remove unneccessary parentheses |
Damien Miller | 0b4c165 | 2008-05-19 14:55:29 +1000 | [diff] [blame] | 1610 | - otto@cvs.openbsd.org 2008/04/29 11:20:31 |
| 1611 | [monitor_mm.h] |
| 1612 | garbage collect two unused fields in struct mm_master; ok markus@ |
Damien Miller | bacb7fb | 2008-05-19 14:56:33 +1000 | [diff] [blame] | 1613 | - djm@cvs.openbsd.org 2008/04/30 10:14:03 |
| 1614 | [ssh-keyscan.1 ssh-keyscan.c] |
| 1615 | default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by |
| 1616 | larsnooden AT openoffice.org |
Damien Miller | 4f755cd | 2008-05-19 14:57:41 +1000 | [diff] [blame] | 1617 | - pyr@cvs.openbsd.org 2008/05/07 05:49:37 |
| 1618 | [servconf.c servconf.h session.c sshd_config.5] |
| 1619 | Enable the AllowAgentForwarding option in sshd_config (global and match |
| 1620 | context), to specify if agents should be permitted on the server. |
| 1621 | As the man page states: |
| 1622 | ``Note that disabling Agent forwarding does not improve security |
| 1623 | unless users are also denied shell access, as they can always install |
| 1624 | their own forwarders.'' |
| 1625 | ok djm@, ok and a mild frown markus@ |
Damien Miller | ba3a659 | 2008-05-19 14:58:22 +1000 | [diff] [blame] | 1626 | - pyr@cvs.openbsd.org 2008/05/07 06:43:35 |
| 1627 | [sshd_config] |
| 1628 | push the sshd_config bits in, spotted by ajacoutot@ |
Damien Miller | e989019 | 2008-05-19 14:59:02 +1000 | [diff] [blame] | 1629 | - jmc@cvs.openbsd.org 2008/05/07 08:00:14 |
| 1630 | [sshd_config.5] |
| 1631 | sort; |
Damien Miller | db255ca | 2008-05-19 14:59:37 +1000 | [diff] [blame] | 1632 | - markus@cvs.openbsd.org 2008/05/08 06:59:01 |
| 1633 | [bufaux.c buffer.h channels.c packet.c packet.h] |
| 1634 | avoid extra malloc/copy/free when receiving data over the net; |
| 1635 | ~10% speedup for localhost-scp; ok djm@ |
Damien Miller | b84886b | 2008-05-19 15:05:07 +1000 | [diff] [blame] | 1636 | - djm@cvs.openbsd.org 2008/05/08 12:02:23 |
| 1637 | [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] |
| 1638 | [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] |
| 1639 | [ssh.c sshd.c] |
| 1640 | Implement a channel success/failure status confirmation callback |
| 1641 | mechanism. Each channel maintains a queue of callbacks, which will |
| 1642 | be drained in order (RFC4253 guarantees confirm messages are not |
| 1643 | reordered within an channel). |
| 1644 | Also includes a abandonment callback to clean up if a channel is |
| 1645 | closed without sending confirmation messages. This probably |
| 1646 | shouldn't happen in compliant implementations, but it could be |
| 1647 | abused to leak memory. |
| 1648 | ok markus@ (as part of a larger diff) |
Damien Miller | 7207f64 | 2008-05-19 15:34:50 +1000 | [diff] [blame] | 1649 | - djm@cvs.openbsd.org 2008/05/08 12:21:16 |
| 1650 | [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] |
| 1651 | [sshd_config sshd_config.5] |
| 1652 | Make the maximum number of sessions run-time controllable via |
| 1653 | a sshd_config MaxSessions knob. This is useful for disabling |
| 1654 | login/shell/subsystem access while leaving port-forwarding working |
| 1655 | (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or |
| 1656 | simply increasing the number of allows multiplexed sessions. |
| 1657 | Because some bozos are sure to configure MaxSessions in excess of the |
| 1658 | number of available file descriptors in sshd (which, at peak, might be |
| 1659 | as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds |
| 1660 | on error paths, and make it fail gracefully on out-of-fd conditions - |
| 1661 | sending channel errors instead of than exiting with fatal(). |
| 1662 | bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com |
| 1663 | ok markus@ |
Damien Miller | 5771ed7 | 2008-05-19 15:35:33 +1000 | [diff] [blame] | 1664 | - djm@cvs.openbsd.org 2008/05/08 13:06:11 |
| 1665 | [clientloop.c clientloop.h ssh.c] |
| 1666 | Use new channel status confirmation callback system to properly deal |
| 1667 | with "important" channel requests that fail, in particular command exec, |
| 1668 | shell and subsystem requests. Previously we would optimistically assume |
| 1669 | that the requests would always succeed, which could cause hangs if they |
| 1670 | did not (e.g. when the server runs out of fds) or were unimplemented by |
| 1671 | the server (bz #1384) |
| 1672 | Also, properly report failing multiplex channel requests via the mux |
| 1673 | client stderr (subject to LogLevel in the mux master) - better than |
| 1674 | silently failing. |
| 1675 | most bits ok markus@ (as part of a larger diff) |
Damien Miller | bd74025 | 2008-05-19 15:37:09 +1000 | [diff] [blame] | 1676 | - djm@cvs.openbsd.org 2008/05/09 04:55:56 |
| 1677 | [channels.c channels.h clientloop.c serverloop.c] |
| 1678 | Try additional addresses when connecting to a port forward destination |
| 1679 | whose DNS name resolves to more than one address. The previous behaviour |
| 1680 | was to try the first address and give up. |
| 1681 | Reported by stig AT venaas.com in bz#343 |
| 1682 | great feedback and ok markus@ |
Damien Miller | b1cbfa2 | 2008-05-19 16:00:08 +1000 | [diff] [blame] | 1683 | - djm@cvs.openbsd.org 2008/05/09 14:18:44 |
| 1684 | [clientloop.c clientloop.h ssh.c mux.c] |
| 1685 | tidy up session multiplexing code, moving it into its own file and |
| 1686 | making the function names more consistent - making ssh.c and |
| 1687 | clientloop.c a fair bit more readable. |
| 1688 | ok markus@ |
Damien Miller | b3da593 | 2008-05-19 16:02:37 +1000 | [diff] [blame] | 1689 | - djm@cvs.openbsd.org 2008/05/09 14:26:08 |
| 1690 | [ssh.c] |
| 1691 | dingo stole my diff hunk |
Damien Miller | 2ff1ca5 | 2008-05-19 16:04:56 +1000 | [diff] [blame] | 1692 | - markus@cvs.openbsd.org 2008/05/09 16:16:06 |
| 1693 | [session.c] |
| 1694 | re-add the USE_PIPES code and enable it. |
| 1695 | without pipes shutdown-read from the sshd does not trigger |
| 1696 | a SIGPIPE when the forked program does a write. |
| 1697 | ok djm@ |
| 1698 | (Id sync only, USE_PIPES never left portable OpenSSH) |
Damien Miller | d654dd2 | 2008-05-19 16:05:41 +1000 | [diff] [blame] | 1699 | - markus@cvs.openbsd.org 2008/05/09 16:17:51 |
| 1700 | [channels.c] |
| 1701 | error-fd race: don't enable the error fd in the select bitmask |
| 1702 | for channels with both in- and output closed, since the channel |
| 1703 | will go away before we call select(); |
| 1704 | report, lots of debugging help and ok djm@ |
Damien Miller | bab9bd4 | 2008-05-19 16:06:47 +1000 | [diff] [blame] | 1705 | - markus@cvs.openbsd.org 2008/05/09 16:21:13 |
| 1706 | [channels.h clientloop.c nchan.c serverloop.c] |
| 1707 | unbreak |
| 1708 | ssh -2 localhost od /bin/ls | true |
| 1709 | ignoring SIGPIPE by adding a new channel message (EOW) that signals |
| 1710 | the peer that we're not interested in any data it might send. |
| 1711 | fixes bz #85; discussion, debugging and ok djm@ |
Damien Miller | 0f30c87 | 2008-05-19 16:07:45 +1000 | [diff] [blame] | 1712 | - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20 |
| 1713 | [umac.c] |
| 1714 | Ensure nh_result lies on a 64-bit boundary (fixes warnings observed |
| 1715 | on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@ |
Damien Miller | 5159bdd | 2008-05-19 16:08:20 +1000 | [diff] [blame] | 1716 | - djm@cvs.openbsd.org 2008/05/15 23:52:24 |
| 1717 | [nchan2.ms] |
| 1718 | document eow message in ssh protocol 2 channel state machine; |
| 1719 | feedback and ok markus@ |
Damien Miller | a7e0d5a | 2008-05-19 16:08:41 +1000 | [diff] [blame] | 1720 | - djm@cvs.openbsd.org 2008/05/18 21:29:05 |
| 1721 | [sftp-server.c] |
| 1722 | comment extension announcement |
Damien Miller | 58a8114 | 2008-05-19 16:11:56 +1000 | [diff] [blame] | 1723 | - djm@cvs.openbsd.org 2008/05/16 08:30:42 |
| 1724 | [PROTOCOL] |
| 1725 | document our protocol extensions and deviations; ok markus@ |
| 1726 | - djm@cvs.openbsd.org 2008/05/17 01:31:56 |
| 1727 | [PROTOCOL] |
| 1728 | grammar and correctness fixes from stevesk@ |
Damien Miller | 797e3d1 | 2008-05-19 14:27:42 +1000 | [diff] [blame] | 1729 | |
Damien Miller | 5f5cd74 | 2008-04-03 08:43:57 +1100 | [diff] [blame] | 1730 | 20080403 |
Damien Miller | 55754fb | 2008-04-04 16:16:35 +1100 | [diff] [blame] | 1731 | - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- |
| 1732 | time warnings on LynxOS. Patch from ops AT iki.fi |
Damien Miller | c575022 | 2008-05-16 10:01:54 +1000 | [diff] [blame] | 1733 | - (djm) Force string arguments to replacement setproctitle() though |
| 1734 | strnvis first. Ok dtucker@ |
Damien Miller | 55754fb | 2008-04-04 16:16:35 +1100 | [diff] [blame] | 1735 | |
| 1736 | 20080403 |
Damien Miller | 5f5cd74 | 2008-04-03 08:43:57 +1100 | [diff] [blame] | 1737 | - (djm) OpenBSD CVS sync: |
| 1738 | - markus@cvs.openbsd.org 2008/04/02 15:36:51 |
| 1739 | [channels.c] |
| 1740 | avoid possible hijacking of x11-forwarded connections (back out 1.183) |
| 1741 | CVE-2008-1483; ok djm@ |
Damien Miller | 13ba9c2 | 2008-04-03 20:52:51 +1100 | [diff] [blame] | 1742 | - jmc@cvs.openbsd.org 2008/03/27 22:37:57 |
| 1743 | [sshd.8] |
| 1744 | remove trailing whitespace; |
Damien Miller | a68d31b | 2008-04-03 20:53:08 +1100 | [diff] [blame] | 1745 | - djm@cvs.openbsd.org 2008/04/03 09:50:14 |
| 1746 | [version.h] |
| 1747 | openssh-5.0 |
Damien Miller | 5a4b646 | 2008-04-03 20:55:44 +1100 | [diff] [blame] | 1748 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| 1749 | [contrib/suse/openssh.spec] Crank version numbers in RPM spec files |
Damien Miller | ffa8302 | 2008-04-03 20:56:38 +1100 | [diff] [blame] | 1750 | - (djm) [README] Update link to release notes |
Damien Miller | 79a1bc9 | 2008-04-03 20:57:05 +1100 | [diff] [blame] | 1751 | - (djm) Release 5.0p1 |