1 |
+ |
20080327 |
2 |
+ |
- (dtucker) Cache selinux status earlier so we know if it's enabled after a |
3 |
+ |
chroot. Allows ChrootDirectory to work with selinux support compiled in |
4 |
+ |
but not enabled. Using it with selinux enabled will require some selinux |
5 |
+ |
support inside the chroot. "looks sane" djm@ |
6 |
+ |
- (djm) Fix RCS ident in sftp-server-main.c |
7 |
+ |
- (djm) OpenBSD CVS sync: |
8 |
+ |
- jmc@cvs.openbsd.org 2008/02/11 07:58:28 |
9 |
+ |
[ssh.1 sshd.8 sshd_config.5] |
10 |
+ |
bump Mdocdate for pages committed in "febuary", necessary because |
11 |
+ |
of a typo in rcs.c; |
12 |
+ |
- deraadt@cvs.openbsd.org 2008/03/13 01:49:53 |
13 |
+ |
[monitor_fdpass.c] |
14 |
+ |
Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to |
15 |
+ |
an extensive discussion with otto, kettenis, millert, and hshoexer |
16 |
+ |
- deraadt@cvs.openbsd.org 2008/03/15 16:19:02 |
17 |
+ |
[monitor_fdpass.c] |
18 |
+ |
Repair the simple cases for msg_controllen where it should just be |
19 |
+ |
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because |
20 |
+ |
of alignment; ok kettenis hshoexer |
21 |
+ |
- djm@cvs.openbsd.org 2008/03/23 12:54:01 |
22 |
+ |
[sftp-client.c] |
23 |
+ |
prefer POSIX-style file renaming over filexfer rename behaviour if the |
24 |
+ |
server supports the posix-rename@openssh.com extension. |
25 |
+ |
Note that the old (filexfer) behaviour would refuse to clobber an |
26 |
+ |
existing file. Users who depended on this should adjust their sftp(1) |
27 |
+ |
usage. |
28 |
+ |
ok deraadt@ markus@ |
29 |
+ |
- deraadt@cvs.openbsd.org 2008/03/24 16:11:07 |
30 |
+ |
[monitor_fdpass.c] |
31 |
+ |
msg_controllen has to be CMSG_SPACE so that the kernel can account for |
32 |
+ |
each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This |
33 |
+ |
works now that kernel fd passing has been fixed to accept a bit of |
34 |
+ |
sloppiness because of this ABI repair. |
35 |
+ |
lots of discussion with kettenis |
36 |
+ |
- djm@cvs.openbsd.org 2008/03/25 11:58:02 |
37 |
+ |
[session.c sshd_config.5] |
38 |
+ |
ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; |
39 |
+ |
from dtucker@ ok deraadt@ djm@ |
40 |
+ |
- djm@cvs.openbsd.org 2008/03/25 23:01:41 |
41 |
+ |
[session.c] |
42 |
+ |
last patch had backwards test; spotted by termim AT gmail.com |
43 |
+ |
- djm@cvs.openbsd.org 2008/03/26 21:28:14 |
44 |
+ |
[auth-options.c auth-options.h session.c sshd.8] |
45 |
+ |
add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc |
46 |
+ |
- djm@cvs.openbsd.org 2008/03/27 00:16:49 |
47 |
+ |
[version.h] |
48 |
+ |
openssh-4.9 |
49 |
+ |
- djm@cvs.openbsd.org 2008/03/24 21:46:54 |
50 |
+ |
[regress/sftp-badcmds.sh] |
51 |
+ |
disable no-replace rename test now that we prefer a POSIX rename; spotted |
52 |
+ |
by dkrause@ |
53 |
+ |
- (djm) [configure.ac] fix alignment of --without-stackprotect description |
54 |
+ |
- (djm) [configure.ac] --with-selinux too |
55 |
+ |
- (djm) [regress/Makefile] cleanup PuTTY interop test droppings |
56 |
+ |
- (djm) [README] Update link to release notes |
57 |
+ |
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
58 |
+ |
[contrib/suse/openssh.spec] Crank version numbers in RPM spec files |
59 |
+ |
- (djm) Release 4.9p1 |
60 |
+ |
|
61 |
+ |
20080315 |
62 |
+ |
- (djm) [regress/test-exec.sh] Quote putty-related variables in case they are |
63 |
+ |
empty; report and patch from Peter Stuge |
64 |
+ |
- (djm) [regress/test-exec.sh] Silence noise from detection of putty |
65 |
+ |
commands; report from Peter Stuge |
66 |
+ |
- (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing |
67 |
+ |
crashes when used with ChrootDirectory |
68 |
+ |
|
69 |
+ |
20080314 |
70 |
+ |
- (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by |
71 |
+ |
vinschen at redhat.com. Add () to put echo commands in subshell for lls test |
72 |
+ |
I mistakenly left out of last commit. |
73 |
+ |
- (tim) [regress/localcommand.sh] Shell portability fix. Reported by imorgan at |
74 |
+ |
nas.nasa.gov |
75 |
+ |
|
76 |
+ |
20080313 |
77 |
+ |
- (djm) [Makefile.in regress/Makefile] Fix interop-tests target (note to |
78 |
+ |
self: make changes to Makefile.in next time, not the generated Makefile). |
79 |
+ |
- (djm) [Makefile.in regress/test-exec.sh] Find installed plink(1) and |
80 |
+ |
puttygen(1) by $PATH |
81 |
+ |
- (tim) [scp.c] Use poll.h if available, fall back to sys/poll.h if not. Patch |
82 |
+ |
by vinschen at redhat.com. |
83 |
+ |
- (tim) [regress/sftp-cmds.sh regress/ssh2putty.sh] Shell portability fixes |
84 |
+ |
from vinschen at redhat.com and imorgan at nas.nasa.gov |
85 |
+ |
|
86 |
+ |
20080312 |
87 |
+ |
- (djm) OpenBSD CVS Sync |
88 |
+ |
- dtucker@cvs.openbsd.org 2007/10/29 06:57:13 |
89 |
+ |
[regress/Makefile regress/localcommand.sh] |
90 |
+ |
Add simple regress test for LocalCommand; ok djm@ |
91 |
+ |
- jmc@cvs.openbsd.org 2007/11/25 15:35:09 |
92 |
+ |
[regress/agent-getpeereid.sh regress/agent.sh] |
93 |
+ |
more existant -> existent, from Martynas Venckus; |
94 |
+ |
pfctl changes: ok henning |
95 |
+ |
ssh changes: ok deraadt |
96 |
+ |
- djm@cvs.openbsd.org 2007/12/12 05:04:03 |
97 |
+ |
[regress/sftp-cmds.sh] |
98 |
+ |
unbreak lls command and add a regress test that would have caught the |
99 |
+ |
breakage; spotted by mouring@ |
100 |
+ |
NB. sftp code change already committed. |
101 |
+ |
- djm@cvs.openbsd.org 2007/12/21 04:13:53 |
102 |
+ |
[regress/Makefile regress/test-exec.sh regress/putty-ciphers.sh] |
103 |
+ |
[regress/putty-kex.sh regress/putty-transfer.sh regress/ssh2putty.sh] |
104 |
+ |
basic (crypto, kex and transfer) interop regression tests against putty |
105 |
+ |
To run these, install putty and run "make interop-tests" from the build |
106 |
+ |
directory - the tests aren't run by default yet. |
107 |
+ |
|
108 |
+ |
20080311 |
109 |
+ |
- (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move |
110 |
+ |
pam_open_session and pam_close_session into the privsep monitor, which |
111 |
+ |
will ensure that pam_session_close is called as root. Patch from Tomas |
112 |
+ |
Mraz. |
113 |
+ |
|
114 |
+ |
20080309 |
115 |
+ |
- (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't |
116 |
+ |
always work for all platforms and versions, so test what we can and |
117 |
+ |
add a configure flag to turn it of if needed. ok djm@ |
118 |
+ |
- (dtucker) [openbsd-compat/port-aix.{c,h}] Remove AIX specific initgroups |
119 |
+ |
implementation. It's not needed to fix bug #1081 and breaks the build |
120 |
+ |
on some AIX configurations. |
121 |
+ |
- (dtucker) [openbsd-compat/regress/strtonumtest.c] Bug #1347: Use platform's |
122 |
+ |
equivalent of LLONG_MAX for the compat regression tests, which makes them |
123 |
+ |
run on AIX and HP-UX. Patch from David Leonard. |
124 |
+ |
- (dtucker) [configure.ac] Run stack-protector tests with -Werror to catch |
125 |
+ |
platforms where gcc understands the option but it's not supported (and |
126 |
+ |
thus generates a warning). |
127 |
+ |
|
128 |
+ |
20080307 |
129 |
+ |
- (djm) OpenBSD CVS Sync |
130 |
+ |
- jmc@cvs.openbsd.org 2008/02/11 07:58:28 |
131 |
+ |
[ssh.1 sshd.8 sshd_config.5] |
132 |
+ |
bump Mdocdate for pages committed in "febuary", necessary because |
133 |
+ |
of a typo in rcs.c; |
134 |
+ |
- djm@cvs.openbsd.org 2008/02/13 22:38:17 |
135 |
+ |
[servconf.h session.c sshd.c] |
136 |
+ |
rekey arc4random and OpenSSL RNG in postauth child |
137 |
+ |
closefrom fds > 2 before shell/command execution |
138 |
+ |
ok markus@ |
139 |
+ |
- mbalmer@cvs.openbsd.org 2008/02/14 13:10:31 |
140 |
+ |
[sshd.c] |
141 |
+ |
When started in configuration test mode (-t) do not check that sshd is |
142 |
+ |
being started with an absolute path. |
143 |
+ |
ok djm |
144 |
+ |
- markus@cvs.openbsd.org 2008/02/20 15:25:26 |
145 |
+ |
[session.c] |
146 |
+ |
correct boolean encoding for coredump; der Mouse via dugsong |
147 |
+ |
- djm@cvs.openbsd.org 2008/02/22 05:58:56 |
148 |
+ |
[session.c] |
149 |
+ |
closefrom() call was too early, delay it until just before we execute |
150 |
+ |
the user's rc files (if any). |
151 |
+ |
- dtucker@cvs.openbsd.org 2008/02/22 20:44:02 |
152 |
+ |
[clientloop.c packet.c packet.h serverloop.c] |
153 |
+ |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the |
154 |
+ |
keepalive timer (bz #1307). ok markus@ |
155 |
+ |
- djm@cvs.openbsd.org 2008/02/27 20:21:15 |
156 |
+ |
[sftp-server.c] |
157 |
+ |
add an extension method "posix-rename@openssh.com" to perform POSIX atomic |
158 |
+ |
rename() operations. based on patch from miklos AT szeredi.hu in bz#1400; |
159 |
+ |
ok dtucker@ markus@ |
160 |
+ |
- deraadt@cvs.openbsd.org 2008/03/02 18:19:35 |
161 |
+ |
[monitor_fdpass.c] |
162 |
+ |
use a union to ensure alignment of the cmsg (pay attention: various other |
163 |
+ |
parts of the tree need this treatment too); ok djm |
164 |
+ |
- deraadt@cvs.openbsd.org 2008/03/04 21:15:42 |
165 |
+ |
[version.h] |
166 |
+ |
crank version; from djm |
167 |
+ |
- (tim) [regress/sftp-glob.sh] Shell portability fix. |
168 |
+ |
|
169 |
+ |
20080302 |
170 |
+ |
- (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect |
171 |
+ |
either, so use our own. |
172 |
+ |
|
173 |
+ |
20080229 |
174 |
+ |
- (dtucker) [openbsd-compat/bsd-poll.c] We don't check for select(2) in |
175 |
+ |
configure (and there's not much point, as openssh won't work without it) |
176 |
+ |
so HAVE_SELECT is not defined and the poll(2) compat code doesn't get |
177 |
+ |
built in. Remove HAVE_SELECT so we can build on platforms without poll. |
178 |
+ |
- (dtucker) [scp.c] Include sys/poll.h inside HAVE_SYS_POLL_H. |
179 |
+ |
- (djm) [contrib/gnome-ssh-askpass2.h] Keep askpass windown on top. From |
180 |
+ |
Debian patch via bernd AT openbsd.org |
181 |
+ |
|
182 |
+ |
20080228 |
183 |
+ |
- (dtucker) [configure.ac] Add -fstack-protector to LDFLAGS too, fixes |
184 |
+ |
linking problems on AIX with gcc 4.1.x. |
185 |
+ |
- (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c |
186 |
+ |
openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat |
187 |
+ |
header to after OpenSSL headers, since some versions of OpenSSL have |
188 |
+ |
SSLeay_add_all_algorithms as a macro already. |
189 |
+ |
- (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL |
190 |
+ |
compat glue into openssl-compat.h. |
191 |
+ |
- (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement |
192 |
+ |
getgrouplist via getgrset on AIX, rather than iterating over getgrent. |
193 |
+ |
This allows, eg, Match and AllowGroups directives to work with NIS and |
194 |
+ |
LDAP groups. |
195 |
+ |
- (dtucker) [sshd.c] Bug #1042: make log messages for tcpwrappers use the |
196 |
+ |
same SyslogFacility as the rest of sshd. Patch from William Knox, |
197 |
+ |
ok djm@. |
198 |
+ |
|
199 |
+ |
20080225 |
200 |
+ |
- (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack |
201 |
+ |
since it now conflicts with the helper function in misc.c. From |
202 |
+ |
vinschen AT redhat.com. |
203 |
+ |
- (dtucker) [configure.ac audit-bsm.c] Bug #1420: Add a local implementation |
204 |
+ |
of aug_get_machine for systems that don't have their own (eg OS X, FreeBSD). |
205 |
+ |
Help and testing from csjp at FreeBSD org, vgiffin at apple com. ok djm@ |
206 |
+ |
- (dtucker) [includes.h openbsd-compat/openssl-compat.c] Bug #1437: reshuffle |
207 |
+ |
headers so ./configure --with-ssl-engine actually works. Patch from |
208 |
+ |
Ian Lister. |
209 |
+ |
|
210 |
+ |
20080224 |
211 |
+ |
- (tim) [contrib/cygwin/ssh-host-config] |
212 |
+ |
Grammar changes on SYSCONFDIR LOCALSTATEDIR messages. |
213 |
+ |
Check more thoroughly that it's possible to create the /var/empty directory. |
214 |
+ |
Patch by vinschen AT redhat.com |
215 |
+ |
|
216 |
+ |
20080210 |
217 |
+ |
- OpenBSD CVS Sync |
218 |
+ |
- chl@cvs.openbsd.org 2008/01/11 07:22:28 |
219 |
+ |
[sftp-client.c sftp-client.h] |
220 |
+ |
disable unused functions |
221 |
+ |
initially from tobias@, but disabled them by placing them in |
222 |
+ |
"#ifdef notyet" which was asked by djm@ |
223 |
+ |
ok djm@ tobias@ |
224 |
+ |
- djm@cvs.openbsd.org 2008/01/19 19:13:28 |
225 |
+ |
[ssh.1] |
226 |
+ |
satisfy the pedants: -q does not suppress all diagnostic messages (e.g. |
227 |
+ |
some commandline parsing warnings go unconditionally to stdout). |
228 |
+ |
- djm@cvs.openbsd.org 2008/01/19 20:48:53 |
229 |
+ |
[clientloop.c] |
230 |
+ |
fd leak on session multiplexing error path. Report and patch from |
231 |
+ |
gregory_shively AT fanniemae.com |
232 |
+ |
- djm@cvs.openbsd.org 2008/01/19 20:51:26 |
233 |
+ |
[ssh.c] |
234 |
+ |
ignore SIGPIPE in multiplex client mode - we can receive this if the |
235 |
+ |
server runs out of fds on us midway. Report and patch from |
236 |
+ |
gregory_shively AT fanniemae.com |
237 |
+ |
- djm@cvs.openbsd.org 2008/01/19 22:04:57 |
238 |
+ |
[sftp-client.c] |
239 |
+ |
fix remote handle leak in do_download() local file open error path; |
240 |
+ |
report and fix from sworley AT chkno.net |
241 |
+ |
- djm@cvs.openbsd.org 2008/01/19 22:22:58 |
242 |
+ |
[ssh-keygen.c] |
243 |
+ |
when hashing individual hosts (ssh-keygen -Hf hostname), make sure we |
244 |
+ |
hash just the specified hostname and not the entire hostspec from the |
245 |
+ |
keyfile. It may be of the form "hostname,ipaddr", which would lead to |
246 |
+ |
a hash that never matches. report and fix from jp AT devnull.cz |
247 |
+ |
- djm@cvs.openbsd.org 2008/01/19 22:37:19 |
248 |
+ |
[ssh-keygen.c] |
249 |
+ |
unbreak line numbering (broken in revision 1.164), fix error message |
250 |
+ |
- djm@cvs.openbsd.org 2008/01/19 23:02:40 |
251 |
+ |
[channels.c] |
252 |
+ |
When we added support for specified bind addresses for port forwards, we |
253 |
+ |
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of |
254 |
+ |
this for -L port forwards that causes the client to listen on both v4 |
255 |
+ |
and v6 addresses when connected to a server with this quirk, despite |
256 |
+ |
having set 0.0.0.0 as a bind_address. |
257 |
+ |
report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@ |
258 |
+ |
- djm@cvs.openbsd.org 2008/01/19 23:09:49 |
259 |
+ |
[readconf.c readconf.h sshconnect2.c] |
260 |
+ |
promote rekeylimit to a int64 so it can hold the maximum useful limit |
261 |
+ |
of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@ |
262 |
+ |
- djm@cvs.openbsd.org 2008/01/20 00:38:30 |
263 |
+ |
[sftp.c] |
264 |
+ |
When uploading, correctly handle the case of an unquoted filename with |
265 |
+ |
glob metacharacters that match a file exactly but not as a glob, e.g. a |
266 |
+ |
file called "[abcd]". report and test cases from duncan2nd AT gmx.de |
267 |
+ |
- djm@cvs.openbsd.org 2008/01/21 17:24:30 |
268 |
+ |
[sftp-server.c] |
269 |
+ |
Remove the fixed 100 handle limit in sftp-server and allocate as many |
270 |
+ |
as we have available file descriptors. Patch from miklos AT szeredi.hu; |
271 |
+ |
ok dtucker@ markus@ |
272 |
+ |
- djm@cvs.openbsd.org 2008/01/21 19:20:17 |
273 |
+ |
[sftp-client.c] |
274 |
+ |
when a remote write error occurs during an upload, ensure that ACKs for |
275 |
+ |
all issued requests are properly drained. patch from t8m AT centrum.cz |
276 |
+ |
- dtucker@cvs.openbsd.org 2008/01/23 01:56:54 |
277 |
+ |
[clientloop.c packet.c serverloop.c] |
278 |
+ |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE |
279 |
+ |
packet arrives while we're waiting in packet_read_expect (and possibly |
280 |
+ |
elsewhere). |
281 |
+ |
- jmc@cvs.openbsd.org 2008/01/31 20:06:50 |
282 |
+ |
[scp.1] |
283 |
+ |
explain how to handle local file names containing colons; |
284 |
+ |
requested by Tamas TEVESZ |
285 |
+ |
ok dtucker |
286 |
+ |
- markus@cvs.openbsd.org 2008/02/04 21:53:00 |
287 |
+ |
[session.c sftp-server.c sftp.h] |
288 |
+ |
link sftp-server into sshd; feedback and ok djm@ |
289 |
+ |
- mcbride@cvs.openbsd.org 2008/02/09 12:15:43 |
290 |
+ |
[ssh.1 sshd.8] |
291 |
+ |
Document the correct permissions for the ~/.ssh/ directory. |
292 |
+ |
ok jmc |
293 |
+ |
- djm@cvs.openbsd.org 2008/02/10 09:55:37 |
294 |
+ |
[sshd_config.5] |
295 |
+ |
mantion that "internal-sftp" is useful with ForceCommand too |
296 |
+ |
- djm@cvs.openbsd.org 2008/02/10 10:54:29 |
297 |
+ |
[servconf.c session.c] |
298 |
+ |
delay ~ expansion for ChrootDirectory so it expands to the logged-in user's |
299 |
+ |
home, rather than the user who starts sshd (probably root) |
300 |
+ |
|
301 |
+ |
20080119 |
302 |
+ |
- (djm) Silence noice from expr in ssh-copy-id; patch from |
303 |
+ |
mikel AT mikelward.com |
304 |
+ |
- (djm) Only listen for IPv6 connections on AF_INET6 sockets; patch from |
305 |
+ |
tsr2600 AT gmail.com |
306 |
+ |
|
307 |
+ |
20080102 |
308 |
+ |
- (dtucker) [configure.ac] Fix message for -fstack-protector-all test. |
309 |
+ |
|
310 |
+ |
20080101 |
311 |
+ |
- (dtucker) OpenBSD CVS Sync |
312 |
+ |
- dtucker@cvs.openbsd.org 2007/12/31 10:41:31 |
313 |
+ |
[readconf.c servconf.c] |
314 |
+ |
Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch |
315 |
+ |
from Dmitry V. Levin, ok djm@ |
316 |
+ |
- dtucker@cvs.openbsd.org 2007/12/31 15:27:04 |
317 |
+ |
[sshd.c] |
318 |
+ |
When in inetd mode, have sshd generate a Protocol 1 ephemeral server |
319 |
+ |
key only for connections where the client chooses Protocol 1 as opposed |
320 |
+ |
to when it's enabled in the server's config. Speeds up Protocol 2 |
321 |
+ |
connections to inetd-mode servers that also allow Protocol 1. bz #440, |
322 |
+ |
based on a patch from bruno at wolff.to, ok markus@ |
323 |
+ |
- dtucker@cvs.openbsd.org 2008/01/01 08:47:04 |
324 |
+ |
[misc.c] |
325 |
+ |
spaces -> tabs from my previous commit |
326 |
+ |
- dtucker@cvs.openbsd.org 2008/01/01 09:06:39 |
327 |
+ |
[scp.c] |
328 |
+ |
If scp -p encounters a pre-epoch timestamp, use the epoch which is |
329 |
+ |
as close as we can get given that it's used unsigned. Add a little |
330 |
+ |
debugging while there. bz #828, ok djm@ |
331 |
+ |
- dtucker@cvs.openbsd.org 2008/01/01 09:27:33 |
332 |
+ |
[sshd_config.5 servconf.c] |
333 |
+ |
Allow PermitRootLogin in a Match block. Allows for, eg, permitting root |
334 |
+ |
only from the local network. ok markus@, man page bit ok jmc@ |
335 |
+ |
- dtucker@cvs.openbsd.org 2008/01/01 08:51:20 |
336 |
+ |
[moduli] |
337 |
+ |
Updated moduli file; ok djm@ |
338 |
+ |
|
339 |
+ |
20071231 |
340 |
+ |
- (dtucker) [configure.ac openbsd-compat/glob.{c,h}] Bug #1407: force use of |
341 |
+ |
builtin glob implementation on Mac OS X. Based on a patch from |
342 |
+ |
vgiffin at apple. |
343 |
+ |
|
344 |
+ |
20071229 |
345 |
+ |
- (dtucker) OpenBSD CVS Sync |
346 |
+ |
- djm@cvs.openbsd.org 2007/12/12 05:04:03 |
347 |
+ |
[sftp.c] |
348 |
+ |
unbreak lls command and add a regress test that would have caught the |
349 |
+ |
breakage; spotted by mouring@ |
350 |
+ |
- dtucker@cvs.openbsd.org 2007/12/27 14:22:08 |
351 |
+ |
[servconf.c canohost.c misc.c channels.c sshconnect.c misc.h ssh-keyscan.c |
352 |
+ |
sshd.c] |
353 |
+ |
Add a small helper function to consistently handle the EAI_SYSTEM error |
354 |
+ |
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417. |
355 |
+ |
ok markus@ stevesk@ |
356 |
+ |
- dtucker@cvs.openbsd.org 2007/12/28 15:32:24 |
357 |
+ |
[clientloop.c serverloop.c packet.c] |
358 |
+ |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the |
359 |
+ |
ServerAlive and ClientAlive timers. Prevents dropping a connection |
360 |
+ |
when these are enabled but the peer does not support our keepalives. |
361 |
+ |
bz #1307, ok djm@. |
362 |
+ |
- dtucker@cvs.openbsd.org 2007/12/28 22:34:47 |
363 |
+ |
[clientloop.c] |
364 |
+ |
Use the correct packet maximum sizes for remote port and agent forwarding. |
365 |
+ |
Prevents the server from killing the connection if too much data is queued |
366 |
+ |
and an excessively large packet gets sent. bz #1360, ok djm@. |
367 |
+ |
|
368 |
+ |
20071202 |
369 |
+ |
- (dtucker) [configure.ac] Enable -fstack-protector-all on systems where |
370 |
+ |
gcc supports it. ok djm@ |
371 |
+ |
- (dtucker) [scp.c] Update $OpenBSD tag missing from rev 1.175 and remove |
372 |
+ |
leftover debug code. |
373 |
+ |
- (dtucker) OpenBSD CVS Sync |
374 |
+ |
- dtucker@cvs.openbsd.org 2007/10/29 00:52:45 |
375 |
+ |
[auth2-gss.c] |
376 |
+ |
Allow build without -DGSSAPI; ok deraadt@ |
377 |
+ |
(Id sync only, Portable already has the ifdefs) |
378 |
+ |
- dtucker@cvs.openbsd.org 2007/10/29 01:55:04 |
379 |
+ |
[ssh.c] |
380 |
+ |
Plug tiny mem leaks in ControlPath and ProxyCommand option processing; |
381 |
+ |
ok djm@ |
382 |
+ |
- dtucker@cvs.openbsd.org 2007/10/29 04:08:08 |
383 |
+ |
[monitor_wrap.c monitor.c] |
384 |
+ |
Send config block back to slave for invalid users too so options |
385 |
+ |
set by a Match block (eg Banner) behave the same for non-existent |
386 |
+ |
users. Found by and ok djm@ |
387 |
+ |
- dtucker@cvs.openbsd.org 2007/10/29 06:51:59 |
388 |
+ |
[ssh_config.5] |
389 |
+ |
ProxyCommand and LocalCommand use the user's shell, not /bin/sh; ok djm@ |
390 |
+ |
- dtucker@cvs.openbsd.org 2007/10/29 06:54:50 |
391 |
+ |
[ssh.c] |
392 |
+ |
Make LocalCommand work for Protocol 1 too; ok djm@ |
393 |
+ |
- jmc@cvs.openbsd.org 2007/10/29 07:48:19 |
394 |
+ |
[ssh_config.5] |
395 |
+ |
clean up after previous macro removal; |
396 |
+ |
- djm@cvs.openbsd.org 2007/11/03 00:36:14 |
397 |
+ |
[clientloop.c] |
398 |
+ |
fix memory leak in process_cmdline(), patch from Jan.Pechanec AT Sun.COM; |
399 |
+ |
ok dtucker@ |
400 |
+ |
- deraadt@cvs.openbsd.org 2007/11/03 01:24:06 |
401 |
+ |
[ssh.c] |
402 |
+ |
bz #1377: getpwuid results were being clobbered by another getpw* call |
403 |
+ |
inside tilde_expand_filename(); save the data we need carefully |
404 |
+ |
ok djm |
405 |
+ |
- dtucker@cvs.openbsd.org 2007/11/03 02:00:32 |
406 |
+ |
[ssh.c] |
407 |
+ |
Use xstrdup/xfree when saving pwname and pwdir; ok deraadt@ |
408 |
+ |
- deraadt@cvs.openbsd.org 2007/11/03 02:03:49 |
409 |
+ |
[ssh.c] |
410 |
+ |
avoid errno trashing in signal handler; ok dtucker |
411 |
+ |
|
412 |
+ |
20071030 |
413 |
+ |
- (djm) OpenBSD CVS Sync |
414 |
+ |
- djm@cvs.openbsd.org 2007/10/29 23:49:41 |
415 |
+ |
[openbsd-compat/sys-tree.h] |
416 |
+ |
remove extra backslash at the end of RB_PROTOTYPE, report from |
417 |
+ |
Jan.Pechanec AT Sun.COM; ok deraadt@ |
418 |
+ |
|
419 |
+ |
20071026 |
420 |
+ |
- (djm) OpenBSD CVS Sync |
421 |
+ |
- stevesk@cvs.openbsd.org 2007/09/11 23:49:09 |
422 |
+ |
[sshpty.c] |
423 |
+ |
remove #if defined block not needed; ok markus@ dtucker@ |
424 |
+ |
(NB. RCD ID sync only for portable) |
425 |
+ |
- djm@cvs.openbsd.org 2007/09/21 03:05:23 |
426 |
+ |
[ssh_config.5] |
427 |
+ |
document KbdInteractiveAuthentication in ssh_config.5; |
428 |
+ |
patch from dkg AT fifthhorseman.net |
429 |
+ |
- djm@cvs.openbsd.org 2007/09/21 08:15:29 |
430 |
+ |
[auth-bsdauth.c auth-passwd.c auth.c auth.h auth1.c auth2-chall.c] |
431 |
+ |
[monitor.c monitor_wrap.c] |
432 |
+ |
unifdef -DBSD_AUTH |
433 |
+ |
unifdef -USKEY |
434 |
+ |
These options have been in use for some years; |
435 |
+ |
ok markus@ "no objection" millert@ |
436 |
+ |
(NB. RCD ID sync only for portable) |
437 |
+ |
- canacar@cvs.openbsd.org 2007/09/25 23:48:57 |
438 |
+ |
[ssh-agent.c] |
439 |
+ |
When adding a key that already exists, update the properties |
440 |
+ |
(time, confirm, comment) instead of discarding them. ok djm@ markus@ |
441 |
+ |
- ray@cvs.openbsd.org 2007/09/27 00:15:57 |
442 |
+ |
[dh.c] |
443 |
+ |
Don't return -1 on error in dh_pub_is_valid(), since it evaluates |
444 |
+ |
to true. |
445 |
+ |
Also fix a typo. |
446 |
+ |
Initial diff from Matthew Dempsky, input from djm. |
447 |
+ |
OK djm, markus. |
448 |
+ |
- dtucker@cvs.openbsd.org 2007/09/29 00:25:51 |
449 |
+ |
[auth2.c] |
450 |
+ |
Remove unused prototype. ok djm@ |
451 |
+ |
- chl@cvs.openbsd.org 2007/10/02 17:49:58 |
452 |
+ |
[ssh-keygen.c] |
453 |
+ |
handles zero-sized strings that fgets can return |
454 |
+ |
properly removes trailing newline |
455 |
+ |
removes an unused variable |
456 |
+ |
correctly counts line number |
457 |
+ |
"looks ok" ray@ markus@ |
458 |
+ |
- markus@cvs.openbsd.org 2007/10/22 19:10:24 |
459 |
+ |
[readconf.c] |
460 |
+ |
make sure that both the local and remote port are correct when |
461 |
+ |
parsing -L; Jan Pechanec (bz #1378) |
462 |
+ |
- djm@cvs.openbsd.org 2007/10/24 03:30:02 |
463 |
+ |
[sftp.c] |
464 |
+ |
rework argument splitting and parsing to cope correctly with common |
465 |
+ |
shell escapes and make handling of escaped characters consistent |
466 |
+ |
with sh(1) and between sftp commands (especially between ones that |
467 |
+ |
glob their arguments and ones that don't). |
468 |
+ |
parse command flags using getopt(3) rather than hand-rolled parsers. |
469 |
+ |
ok dtucker@ |
470 |
+ |
- djm@cvs.openbsd.org 2007/10/24 03:44:02 |
471 |
+ |
[scp.c] |
472 |
+ |
factor out network read/write into an atomicio()-like function, and |
473 |
+ |
use it to handle short reads, apply bandwidth limits and update |
474 |
+ |
counters. make network IO non-blocking, so a small trickle of |
475 |
+ |
reads/writes has a chance of updating the progress meter; bz #799 |
476 |
+ |
ok dtucker@ |
477 |
+ |
- djm@cvs.openbsd.org 2006/08/29 09:44:00 |
478 |
+ |
[regress/sftp-cmds.sh] |
479 |
+ |
clean up our mess |
480 |
+ |
- markus@cvs.openbsd.org 2006/11/06 09:27:43 |
481 |
+ |
[regress/cfgmatch.sh] |
482 |
+ |
fix quoting for non-(c)sh login shells. |
483 |
+ |
- dtucker@cvs.openbsd.org 2006/12/13 08:36:36 |
484 |
+ |
[regress/cfgmatch.sh] |
485 |
+ |
Additional test for multiple PermitOpen entries. ok djm@ |
486 |
+ |
- pvalchev@cvs.openbsd.org 2007/06/07 19:41:46 |
487 |
+ |
[regress/cipher-speed.sh regress/try-ciphers.sh] |
488 |
+ |
test umac-64@openssh.com |
489 |
+ |
ok djm@ |
490 |
+ |
- djm@cvs.openbsd.org 2007/10/24 03:32:35 |
491 |
+ |
[regress/sftp-cmds.sh regress/sftp-glob.sh regress/test-exec.sh] |
492 |
+ |
comprehensive tests for sftp escaping its interaction with globbing; |
493 |
+ |
ok dtucker@ |
494 |
+ |
- djm@cvs.openbsd.org 2007/10/26 05:30:01 |
495 |
+ |
[regress/sftp-glob.sh regress/test-exec.sh] |
496 |
+ |
remove "echo -E" crap that I added in last commit and use printf(1) for |
497 |
+ |
cases where we strictly require echo not to reprocess escape characters. |
498 |
+ |
- deraadt@cvs.openbsd.org 2005/11/28 17:50:12 |
499 |
+ |
[openbsd-compat/glob.c] |
500 |
+ |
unused arg in internal static API |
501 |
+ |
- jakob@cvs.openbsd.org 2007/10/11 18:36:41 |
502 |
+ |
[openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] |
503 |
+ |
use RRSIG instead of SIG for DNSSEC. ok djm@ |
504 |
+ |
- otto@cvs.openbsd.org 2006/10/21 09:55:03 |
505 |
+ |
[openbsd-compat/base64.c] |
506 |
+ |
remove calls to abort(3) that can't happen anyway; from |
507 |
+ |
<bret dot lambert at gmail.com>; ok millert@ deraadt@ |
508 |
+ |
- frantzen@cvs.openbsd.org 2004/04/24 18:11:46 |
509 |
+ |
[openbsd-compat/sys-tree.h] |
510 |
+ |
sync to Niels Provos' version. avoid unused variable warning in |
511 |
+ |
RB_NEXT() |
512 |
+ |
- tdeval@cvs.openbsd.org 2004/11/24 18:10:42 |
513 |
+ |
[openbsd-compat/sys-tree.h] |
514 |
+ |
typo |
515 |
+ |
- grange@cvs.openbsd.org 2004/05/04 16:59:32 |
516 |
+ |
[openbsd-compat/sys-queue.h] |
517 |
+ |
Remove useless ``elm'' argument from the SIMPLEQ_REMOVE_HEAD macro. |
518 |
+ |
This matches our SLIST behaviour and NetBSD's SIMPLEQ as well. |
519 |
+ |
ok millert krw deraadt |
520 |
+ |
- deraadt@cvs.openbsd.org 2005/02/25 13:29:30 |
521 |
+ |
[openbsd-compat/sys-queue.h] |
522 |
+ |
minor white spacing |
523 |
+ |
- otto@cvs.openbsd.org 2005/10/17 20:19:42 |
524 |
+ |
[openbsd-compat/sys-queue.h] |
525 |
+ |
Performing certain operations on queue.h data structurs produced |
526 |
+ |
funny results. An example is calling LIST_REMOVE on the same |
527 |
+ |
element twice. This will not fail, but result in a data structure |
528 |
+ |
referencing who knows what. Prevent these accidents by NULLing some |
529 |
+ |
fields on remove and replace. This way, either a panic or segfault |
530 |
+ |
will be produced on the faulty operation. |
531 |
+ |
- otto@cvs.openbsd.org 2005/10/24 20:25:14 |
532 |
+ |
[openbsd-compat/sys-queue.h] |
533 |
+ |
Partly backout. NOLIST, used in LISTs is probably interfering. |
534 |
+ |
requested by deraadt@ |
535 |
+ |
- otto@cvs.openbsd.org 2005/10/25 06:37:47 |
536 |
+ |
[openbsd-compat/sys-queue.h] |
537 |
+ |
Some uvm problem is being exposed with the more strict macros. |
538 |
+ |
Revert until we've found out what's causing the panics. |
539 |
+ |
- otto@cvs.openbsd.org 2005/11/25 08:06:25 |
540 |
+ |
[openbsd-compat/sys-queue.h] |
541 |
+ |
Introduce debugging aid for queue macros. Disabled by default; but |
542 |
+ |
developers are encouraged to run with this enabled. |
543 |
+ |
ok krw@ fgsch@ deraadt@ |
544 |
+ |
- otto@cvs.openbsd.org 2007/04/30 18:42:34 |
545 |
+ |
[openbsd-compat/sys-queue.h] |
546 |
+ |
Enable QUEUE_MACRO_DEBUG on DIAGNOSTIC kernels. |
547 |
+ |
Input and okays from krw@, millert@, otto@, deraadt@, miod@. |
548 |
+ |
- millert@cvs.openbsd.org 2004/10/07 16:56:11 |
549 |
+ |
GLOB_NOESCAPE is POSIX so move it out of the #ifndef _POSIX_SOURCE |
550 |
+ |
block. |
551 |
+ |
(NB. mostly an RCS ID sync, as portable strips out the conditionals) |
552 |
+ |
- (djm) [regress/sftp-cmds.sh] |
553 |
+ |
Use more restrictive glob to pick up test files from /bin - some platforms |
554 |
+ |
ship broken symlinks there which could spoil the test. |
555 |
+ |
- (djm) [openbsd-compat/bindresvport.c] |
556 |
+ |
Sync RCS ID after irrelevant (for portable OpenSSH) header shuffling |
557 |
+ |
|
558 |
+ |
20070927 |
559 |
+ |
- (dtucker) [configure.ac atomicio.c] Fall back to including <sys/poll.h> if |
560 |
+ |
we don't have <poll.h> (eq QNX). From bacon at cs nyu edu. |
561 |
+ |
- (dtucker) [configure.ac defines.h] Shadow expiry does not work on QNX6 |
562 |
+ |
so disable it for that platform. From bacon at cs nyu edu. |
563 |
+ |
|
564 |
+ |
20070921 |
565 |
+ |
- (djm) [atomicio.c] Fix spin avoidance for platforms that define |
566 |
+ |
EWOULDBLOCK; patch from ben AT psc.edu |
567 |
+ |
|
568 |
+ |
20070917 |
569 |
+ |
- (djm) OpenBSD CVS Sync |
570 |
+ |
- djm@cvs.openbsd.org 2007/08/23 02:49:43 |
571 |
+ |
[auth-passwd.c auth.c session.c] |
572 |
+ |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@ |
573 |
+ |
NB. RCS ID sync only for portable |
574 |
+ |
- djm@cvs.openbsd.org 2007/08/23 02:55:51 |
575 |
+ |
[auth-passwd.c auth.c session.c] |
576 |
+ |
missed include bits from last commit |
577 |
+ |
NB. RCS ID sync only for portable |
578 |
+ |
- djm@cvs.openbsd.org 2007/08/23 03:06:10 |
579 |
+ |
[auth.h] |
580 |
+ |
login_cap.h doesn't belong here |
581 |
+ |
NB. RCS ID sync only for portable |
582 |
+ |
- djm@cvs.openbsd.org 2007/08/23 03:22:16 |
583 |
+ |
[auth2-none.c sshd_config sshd_config.5] |
584 |
+ |
Support "Banner=none" to disable displaying of the pre-login banner; |
585 |
+ |
ok dtucker@ deraadt@ |
586 |
+ |
- djm@cvs.openbsd.org 2007/08/23 03:23:26 |
587 |
+ |
[sshconnect.c] |
588 |
+ |
Execute ProxyCommands with $SHELL rather than /bin/sh unconditionally |
589 |
+ |
- djm@cvs.openbsd.org 2007/09/04 03:21:03 |
590 |
+ |
[clientloop.c monitor.c monitor_fdpass.c monitor_fdpass.h] |
591 |
+ |
[monitor_wrap.c ssh.c] |
592 |
+ |
make file descriptor passing code return an error rather than call fatal() |
593 |
+ |
when it encounters problems, and use this to make session multiplexing |
594 |
+ |
masters survive slaves failing to pass all stdio FDs; ok markus@ |
595 |
+ |
- djm@cvs.openbsd.org 2007/09/04 11:15:56 |
596 |
+ |
[ssh.c sshconnect.c sshconnect.h] |
597 |
+ |
make ssh(1)'s ConnectTimeout option apply to both the TCP connection and |
598 |
+ |
SSH banner exchange (previously it just covered the TCP connection). |
599 |
+ |
This allows callers of ssh(1) to better detect and deal with stuck servers |
600 |
+ |
that accept a TCP connection but don't progress the protocol, and also |
601 |
+ |
makes ConnectTimeout useful for connections via a ProxyCommand; |
602 |
+ |
feedback and "looks ok" markus@ |
603 |
+ |
- sobrado@cvs.openbsd.org 2007/09/09 11:38:01 |
604 |
+ |
[ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c] |
605 |
+ |
sort synopsis and options in ssh-agent(1); usage is lowercase |
606 |
+ |
ok jmc@ |
607 |
+ |
- stevesk@cvs.openbsd.org 2007/09/11 04:36:29 |
608 |
+ |
[sshpty.c] |
609 |
+ |
sort #include |
610 |
+ |
NB. RCS ID sync only |
611 |
+ |
- gilles@cvs.openbsd.org 2007/09/11 15:47:17 |
612 |
+ |
[session.c ssh-keygen.c sshlogin.c] |
613 |
+ |
use strcspn to properly overwrite '\n' in fgets returned buffer |
614 |
+ |
ok pyr@, ray@, millert@, moritz@, chl@ |
615 |
+ |
- stevesk@cvs.openbsd.org 2007/09/11 23:49:09 |
616 |
+ |
[sshpty.c] |
617 |
+ |
remove #if defined block not needed; ok markus@ dtucker@ |
618 |
+ |
NB. RCS ID sync only |
619 |
+ |
- stevesk@cvs.openbsd.org 2007/09/12 19:39:19 |
620 |
+ |
[umac.c] |
621 |
+ |
use xmalloc() and xfree(); ok markus@ pvalchev@ |
622 |
+ |
- djm@cvs.openbsd.org 2007/09/13 04:39:04 |
623 |
+ |
[sftp-server.c] |
624 |
+ |
fix incorrect test when setting syslog facility; from Jan Pechanec |
625 |
+ |
- djm@cvs.openbsd.org 2007/09/16 00:55:52 |
626 |
+ |
[sftp-client.c] |
627 |
+ |
use off_t instead of u_int64_t for file offsets, matching what the |
628 |
+ |
progressmeter code expects; bz #842 |
629 |
+ |
- (tim) [defines.h] Fix regression in long password support on OpenServer 6. |
630 |
+ |
Problem report and additional testing rac AT tenzing.org. |
631 |
+ |
|
632 |
+ |
20070914 |
633 |
+ |
- (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path. |
634 |
+ |
Patch from Jan.Pechanec at sun com. |
635 |
+ |
|
636 |
+ |
20070910 |
637 |
+ |
- (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1358: Always |
638 |
+ |
return 0 on successful test. From David.Leonard at quest com. |
639 |
+ |
- (tim) [configure.ac] Autoconf didn't define HAVE_LIBIAF because we |
640 |
+ |
did a AC_CHECK_FUNCS within the AC_CHECK_LIB test. |
641 |
+ |
|
642 |
+ |
20070817 |
643 |
+ |
- (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked |
644 |
+ |
accounts and that's what the code looks for, so make man page and code |
645 |
+ |
agree. Pointed out by Roumen Petrov. |
646 |
+ |
- (dtucker) [INSTALL] Group the parts describing random options and PAM |
647 |
+ |
implementations together which is hopefully more coherent. |
648 |
+ |
- (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid. |
649 |
+ |
- (dtucker) [INSTALL] Give PAM its own heading. |
650 |
+ |
- (dtucker) [INSTALL] Link to tcpwrappers. |
651 |
+ |
|
652 |
+ |
20070816 |
653 |
+ |
- (dtucker) [session.c] Call PAM cleanup functions for unauthenticated |
654 |
+ |
connections too. Based on a patch from Sandro Wefel, with & ok djm@ |
655 |
+ |
|
656 |
+ |
20070815 |
657 |
+ |
- (dtucker) OpenBSD CVS Sync |
658 |
+ |
- markus@cvs.openbsd.org 2007/08/15 08:14:46 |
659 |
+ |
[clientloop.c] |
660 |
+ |
do NOT fall back to the trused x11 cookie if generation of an untrusted |
661 |
+ |
cookie fails; from Jan Pechanec, via security-alert at sun.com; |
662 |
+ |
ok dtucker |
663 |
+ |
- markus@cvs.openbsd.org 2007/08/15 08:16:49 |
664 |
+ |
[version.h] |
665 |
+ |
openssh 4.7 |
666 |
+ |
- stevesk@cvs.openbsd.org 2007/08/15 12:13:41 |
667 |
+ |
[ssh_config.5] |
668 |
+ |
tun device forwarding now honours ExitOnForwardFailure; ok markus@ |
669 |
+ |
- (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler. |
670 |
+ |
ok djm@ |
671 |
+ |
- (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec |
672 |
+ |
contrib/suse/openssh.spec] Crank version. |
673 |
+ |
|
674 |
+ |
20070813 |
675 |
+ |
- (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always |
676 |
+ |
called with PAM_ESTABLISH_CRED at least once, which resolves a problem |
677 |
+ |
with pam_dhkeys. Patch from David Leonard, ok djm@ |
678 |
+ |
|
679 |
+ |
20070810 |
680 |
+ |
- (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ |
681 |
+ |
- (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From |
682 |
+ |
Matt Kraai, ok djm@ |
683 |
+ |
|
684 |
+ |
20070809 |
685 |
+ |
- (dtucker) [openbsd-compat/port-aix.c] Comment typo. |
686 |
+ |
- (dtucker) [README.platform] Document the interaction between PermitRootLogin |
687 |
+ |
and the AIX native login restrictions. |
688 |
+ |
- (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't |
689 |
+ |
used anywhere and are a potential source of warnings. |
690 |
+ |
|
691 |
+ |
20070808 |
692 |
+ |
- (djm) OpenBSD CVS Sync |
693 |
+ |
- ray@cvs.openbsd.org 2007/07/12 05:48:05 |
694 |
+ |
[key.c] |
695 |
+ |
Delint: remove some unreachable statements, from Bret Lambert. |
696 |
+ |
OK markus@ and dtucker@. |
697 |
+ |
- sobrado@cvs.openbsd.org 2007/08/06 19:16:06 |
698 |
+ |
[scp.1 scp.c] |
699 |
+ |
the ellipsis is not an optional argument; while here, sync the usage |
700 |
+ |
and synopsis of commands |
701 |
+ |
lots of good ideas by jmc@ |
702 |
+ |
ok jmc@ |
703 |
+ |
- djm@cvs.openbsd.org 2007/08/07 07:32:53 |
704 |
+ |
[clientloop.c clientloop.h ssh.c] |
705 |
+ |
bz#1232: ensure that any specified LocalCommand is executed after the |
706 |
+ |
tunnel device is opened. Also, make failures to open a tunnel device |
707 |
+ |
fatal when ExitOnForwardFailure is active. |
708 |
+ |
Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt |
709 |
+ |
|
710 |
+ |
20070724 |
711 |
+ |
- (tim) [openssh.xml.in] make FMRI match what package scripts use. |
712 |
+ |
- (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call. |
713 |
+ |
Report/patch by David.Leonard AT quest.com (and Bernhard Simon) |
714 |
+ |
- (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5) |
715 |
+ |
- (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}| |
716 |
+ |
|
717 |
+ |
20070628 |
718 |
+ |
- (djm) bz#1325: Fix SELinux in permissive mode where it would |
719 |
+ |
incorrectly fatal() on errors. patch from cjwatson AT debian.org; |
720 |
+ |
ok dtucker |
721 |
+ |
|
722 |
+ |
20070625 |
723 |
+ |
- (dtucker) OpenBSD CVS Sync |
724 |
+ |
- djm@cvs.openbsd.org 2007/06/13 00:21:27 |
725 |
+ |
[scp.c] |
726 |
+ |
don't ftruncate() non-regular files; bz#1236 reported by wood AT |
727 |
+ |
xmission.com; ok dtucker@ |
728 |
+ |
- djm@cvs.openbsd.org 2007/06/14 21:43:25 |
729 |
+ |
[ssh.c] |
730 |
+ |
handle EINTR when waiting for mux exit status properly |
731 |
+ |
- djm@cvs.openbsd.org 2007/06/14 22:48:05 |
732 |
+ |
[ssh.c] |
733 |
+ |
when waiting for the multiplex exit status, read until the master end |
734 |
+ |
writes an entire int of data *and* closes the client_fd; fixes mux |
735 |
+ |
regression spotted by dtucker, ok dtucker@ |
736 |
+ |
- djm@cvs.openbsd.org 2007/06/19 02:04:43 |
737 |
+ |
[atomicio.c] |
738 |
+ |
if the fd passed to atomicio/atomiciov() is non blocking, then poll() to |
739 |
+ |
avoid a spin if it is not yet ready for reading/writing; ok dtucker@ |
740 |
+ |
- dtucker@cvs.openbsd.org 2007/06/25 08:20:03 |
741 |
+ |
[channels.c] |
742 |
+ |
Correct test for window updates every three packets; prevents sending |
743 |
+ |
window updates for every single packet. ok markus@ |
744 |
+ |
- dtucker@cvs.openbsd.org 2007/06/25 12:02:27 |
745 |
+ |
[atomicio.c] |
746 |
+ |
Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@ |
747 |
+ |
- (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match |
748 |
+ |
atomicio. |
749 |
+ |
- (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in |
750 |
+ |
openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h] |
751 |
+ |
Add an implementation of poll() built on top of select(2). Code from |
752 |
+ |
OpenNTPD with changes suggested by djm. ok djm@ |
753 |
+ |
|
754 |
+ |
20070614 |
755 |
+ |
- (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the |
756 |
+ |
USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be |
757 |
+ |
shared with umac.c. Allows building with OpenSSL 0.9.5 again including |
758 |
+ |
umac support. With tim@ djm@, ok djm. |
759 |
+ |
- (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL |
760 |
+ |
sections. Fixes builds with early OpenSSL 0.9.6 versions. |
761 |
+ |
- (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition |
762 |
+ |
of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the |
763 |
+ |
subsequent <0.9.7 test. |
764 |
+ |
|
765 |
+ |
20070612 |
766 |
+ |
- (dtucker) OpenBSD CVS Sync |
767 |
+ |
- markus@cvs.openbsd.org 2007/06/11 09:14:00 |
768 |
+ |
[channels.h] |
769 |
+ |
increase default channel windows; ok djm |
770 |
+ |
- djm@cvs.openbsd.org 2007/06/12 07:41:00 |
771 |
+ |
[ssh-add.1] |
772 |
+ |
better document ssh-add's -d option (delete identies from agent), bz#1224 |
773 |
+ |
new text based on some provided by andrewmc-debian AT celt.dias.ie; |
774 |
+ |
ok dtucker@ |
775 |
+ |
- djm@cvs.openbsd.org 2007/06/12 08:20:00 |
776 |
+ |
[ssh-gss.h gss-serv.c gss-genr.c] |
777 |
+ |
relocate server-only GSSAPI code from libssh to server; bz #1225 |
778 |
+ |
patch from simon AT sxw.org.uk; ok markus@ dtucker@ |
779 |
+ |
- djm@cvs.openbsd.org 2007/06/12 08:24:20 |
780 |
+ |
[scp.c] |
781 |
+ |
make scp try to skip FIFOs rather than blocking when nothing is listening. |
782 |
+ |
depends on the platform supporting sane O_NONBLOCK semantics for open |
783 |
+ |
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does. |
784 |
+ |
bz #856; report by cjwatson AT debian.org; ok markus@ |
785 |
+ |
- djm@cvs.openbsd.org 2007/06/12 11:11:08 |
786 |
+ |
[ssh.c] |
787 |
+ |
fix slave exit value when a control master goes away without passing the |
788 |
+ |
full exit status by ensuring that the slave reads a full int. bz#1261 |
789 |
+ |
reported by frekko AT gmail.com; ok markus@ dtucker@ |
790 |
+ |
- djm@cvs.openbsd.org 2007/06/12 11:15:17 |
791 |
+ |
[ssh.c ssh.1] |
792 |
+ |
Add "-K" flag for ssh to set GSSAPIAuthentication=yes and |
793 |
+ |
GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) |
794 |
+ |
and is useful for hosts with /home on Kerberised NFS; bz #1312 |
795 |
+ |
patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ |
796 |
+ |
- djm@cvs.openbsd.org 2007/06/12 11:45:27 |
797 |
+ |
[ssh.c] |
798 |
+ |
improved exit message from multiplex slave sessions; bz #1262 |
799 |
+ |
reported by alexandre.nunes AT gmail.com; ok dtucker@ |
800 |
+ |
- dtucker@cvs.openbsd.org 2007/06/12 11:56:15 |
801 |
+ |
[gss-genr.c] |
802 |
+ |
Pass GSS OID to gss_display_status to provide better information in |
803 |
+ |
error messages. Patch from Simon Wilkinson via bz 1220. ok djm@ |
804 |
+ |
- jmc@cvs.openbsd.org 2007/06/12 13:41:03 |
805 |
+ |
[ssh-add.1] |
806 |
+ |
identies -> identities; |
807 |
+ |
- jmc@cvs.openbsd.org 2007/06/12 13:43:55 |
808 |
+ |
[ssh.1] |
809 |
+ |
add -K to SYNOPSIS; |
810 |
+ |
- dtucker@cvs.openbsd.org 2007/06/12 13:54:28 |
811 |
+ |
[scp.c] |
812 |
+ |
Encode filename with strnvis if the name contains a newline (which can't |
813 |
+ |
be represented in the scp protocol), from bz #891. ok markus@ |
814 |
+ |
|
815 |
+ |
20070611 |
816 |
+ |
- (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit |
817 |
+ |
fix; tested by dtucker@ and jochen.kirn AT gmail.com |
818 |
+ |
- pvalchev@cvs.openbsd.org 2007/06/07 19:37:34 |
819 |
+ |
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] |
820 |
+ |
[ssh_config.5 sshd.8 sshd_config.5] |
821 |
+ |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, |
822 |
+ |
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup |
823 |
+ |
compared to hmac-md5. Represents a different approach to message |
824 |
+ |
authentication to that of HMAC that may be beneficial if HMAC based on |
825 |
+ |
one of its underlying hash algorithms is found to be vulnerable to a |
826 |
+ |
new attack. http://www.ietf.org/rfc/rfc4418.txt |
827 |
+ |
in conjunction with and OK djm@ |
828 |
+ |
- pvalchev@cvs.openbsd.org 2007/06/08 04:40:40 |
829 |
+ |
[ssh_config] |
830 |
+ |
Add a "MACs" line after "Ciphers" with the default MAC algorithms, |
831 |
+ |
to ease people who want to tweak both (eg. for performance reasons). |
832 |
+ |
ok deraadt@ djm@ dtucker@ |
833 |
+ |
- jmc@cvs.openbsd.org 2007/06/08 07:43:46 |
834 |
+ |
[ssh_config.5] |
835 |
+ |
put the MAC list into a display, like we do for ciphers, |
836 |
+ |
since groff has trouble handling wide lines; |
837 |
+ |
- jmc@cvs.openbsd.org 2007/06/08 07:48:09 |
838 |
+ |
[sshd_config.5] |
839 |
+ |
oops, here too: put the MAC list into a display, like we do for |
840 |
+ |
ciphers, since groff has trouble with wide lines; |
841 |
+ |
- markus@cvs.openbsd.org 2007/06/11 08:04:44 |
842 |
+ |
[channels.c] |
843 |
+ |
send 'window adjust' messages every tree packets and do not wait |
844 |
+ |
until 50% of the window is consumed. ok djm dtucker |
845 |
+ |
- (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then |
846 |
+ |
fallback to provided bit-swizzing functions |
847 |
+ |
- (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder" |
848 |
+ |
argument to nanosleep may be NULL. Currently this never happens in OpenSSH, |
849 |
+ |
but check anyway in case this changes or the code gets used elsewhere. |
850 |
+ |
- (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should |
851 |
+ |
prevent warnings about redefinitions of various things in paths.h. |
852 |
+ |
Spotted by cartmanltd at hotmail.com. |
853 |
+ |
|
854 |
+ |
20070605 |
855 |
+ |
- (dtucker) OpenBSD CVS Sync |
856 |
+ |
- djm@cvs.openbsd.org 2007/05/22 10:18:52 |
857 |
+ |
[sshd.c] |
858 |
+ |
zap double include; from p_nowaczyk AT o2.pl |
859 |
+ |
(not required in -portable, Id sync only) |
860 |
+ |
- djm@cvs.openbsd.org 2007/05/30 05:58:13 |
861 |
+ |
[kex.c] |
862 |
+ |
tidy: KNF, ARGSUSED and u_int |
863 |
+ |
- jmc@cvs.openbsd.org 2007/05/31 19:20:16 |
864 |
+ |
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 |
865 |
+ |
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] |
866 |
+ |
convert to new .Dd format; |
867 |
+ |
(We will need to teach mdoc2man.awk to understand this too.) |
868 |
+ |
- djm@cvs.openbsd.org 2007/05/31 23:34:29 |
869 |
+ |
[packet.c] |
870 |
+ |
gc unreachable code; spotted by Tavis Ormandy |
871 |
+ |
- djm@cvs.openbsd.org 2007/06/02 09:04:58 |
872 |
+ |
[bufbn.c] |
873 |
+ |
memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca |
874 |
+ |
- djm@cvs.openbsd.org 2007/06/05 06:52:37 |
875 |
+ |
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c] |
876 |
+ |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. |
877 |
+ |
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 |
878 |
+ |
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm |
879 |
+ |
committing at his request) |
880 |
+ |
- (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that |
881 |
+ |
OpenBSD's cvs now adds. |
882 |
+ |
- (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so |
883 |
+ |
mindrot's cvs doesn't expand it on us. |
884 |
+ |
- (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs. |
885 |
+ |
|
886 |
+ |
20070520 |
887 |
+ |
- (dtucker) OpenBSD CVS Sync |
888 |
+ |
- stevesk@cvs.openbsd.org 2007/04/14 22:01:58 |
889 |
+ |
[auth2.c] |
890 |
+ |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org> |
891 |
+ |
- stevesk@cvs.openbsd.org 2007/04/18 01:12:43 |
892 |
+ |
[sftp-server.c] |
893 |
+ |
cast "%llu" format spec to (unsigned long long); do not assume a |
894 |
+ |
u_int64_t arg is the same as 'unsigned long long'. |
895 |
+ |
from Dmitry V. Levin <ldv@altlinux.org> |
896 |
+ |
ok markus@ 'Yes, that looks correct' millert@ |
897 |
+ |
- dtucker@cvs.openbsd.org 2007/04/23 10:15:39 |
898 |
+ |
[servconf.c] |
899 |
+ |
Remove debug() left over from development. ok deraadt@ |
900 |
+ |
- djm@cvs.openbsd.org 2007/05/17 07:50:31 |
901 |
+ |
[log.c] |
902 |
+ |
save and restore errno when logging; ok deraadt@ |
903 |
+ |
- djm@cvs.openbsd.org 2007/05/17 07:55:29 |
904 |
+ |
[sftp-server.c] |
905 |
+ |
bz#1286 stop reading and processing commands when input or output buffer |
906 |
+ |
is nearly full, otherwise sftp-server would happily try to grow the |
907 |
+ |
input/output buffers past the maximum supported by the buffer API and |
908 |
+ |
promptly fatal() |
909 |
+ |
based on patch from Thue Janus Kristensen; feedback & ok dtucker@ |
910 |
+ |
- djm@cvs.openbsd.org 2007/05/17 20:48:13 |
911 |
+ |
[sshconnect2.c] |
912 |
+ |
fall back to gethostname() when the outgoing connection is not |
913 |
+ |
on a socket, such as is the case when ProxyCommand is used. |
914 |
+ |
Gives hostbased auth an opportunity to work; bz#616, report |
915 |
+ |
and feedback stuart AT kaloram.com; ok markus@ |
916 |
+ |
- djm@cvs.openbsd.org 2007/05/17 20:52:13 |
917 |
+ |
[monitor.c] |
918 |
+ |
pass received SIGINT from monitor to postauth child so it can clean |
919 |
+ |
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; |
920 |
+ |
ok markus@ |
921 |
+ |
- jolan@cvs.openbsd.org 2007/05/17 23:53:41 |
922 |
+ |
[sshconnect2.c] |
923 |
+ |
djm owes me a vb and a tism cd for breaking ssh compilation |
924 |
+ |
- (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from |
925 |
+ |
ldv at altlinux.org. |
926 |
+ |
- (dtucker) [auth-pam.c] Return empty string if fgets fails in |
927 |
+ |
sshpam_tty_conv. Patch from ldv at altlinux.org. |
928 |
+ |
|
929 |
+ |
20070509 |
930 |
+ |
- (tim) [configure.ac] Bug #1287: Add missing test for ucred.h. |
931 |
+ |
|
932 |
+ |
20070429 |
933 |
+ |
- (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h |
934 |
+ |
for select(2) prototype. |
935 |
+ |
- (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype. |
936 |
+ |
- (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the |
937 |
+ |
platform's _res if it has one. Should fix problem of DNSSEC record lookups |
938 |
+ |
on NetBSD as reported by Curt Sampson. |
939 |
+ |
- (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. |
940 |
+ |
- (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS |
941 |
+ |
so we don't get redefinition warnings. |
942 |
+ |
- (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. |
943 |
+ |
- (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__ |
944 |
+ |
__nonnull__ for versions of GCC that don't support it. |
945 |
+ |
- (dtucker) [configure.ac defines.h] Have configure check for offsetof |
946 |
+ |
to prevent redefinition warnings. |
947 |
+ |
|
948 |
+ |
20070406 |
949 |
+ |
- (dtucker) [INSTALL] Update the systems that have PAM as standard. Link |
950 |
+ |
to OpenPAM too. |
951 |
+ |
- (dtucker) [INSTALL] prngd lives at sourceforge these days. |
952 |
+ |
|
953 |
+ |
20070326 |
954 |
+ |
- (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c |
955 |
+ |
openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines |
956 |
+ |
to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@ |
957 |
+ |
|
958 |
+ |
20070325 |
959 |
+ |
- (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX, |
960 |
+ |
LIBWRAP and LIBPAM variables in Makefile with the general-purpose |
961 |
+ |
SSHDLIBS. "I like" djm@ |
962 |
+ |
|
963 |
+ |
20070321 |
964 |
+ |
- (dtucker) OpenBSD CVS Sync |
965 |
+ |
- dtucker@cvs.openbsd.org 2007/03/09 05:20:06 |
966 |
+ |
[servconf.c sshd.c] |
967 |
+ |
Move C/R -> kbdint special case to after the defaults have been |
968 |
+ |
loaded, which makes ChallengeResponse default to yes again. This |
969 |
+ |
was broken by the Match changes and not fixed properly subsequently. |
970 |
+ |
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@ |
971 |
+ |
- djm@cvs.openbsd.org 2007/03/19 01:01:29 |
972 |
+ |
[sshd_config] |
973 |
+ |
Disable the legacy SSH protocol 1 for new installations via |
974 |
+ |
a configuration override. In the future, we will change the |
975 |
+ |
server's default itself so users who need the legacy protocol |
976 |
+ |
will need to turn it on explicitly |
977 |
+ |
- dtucker@cvs.openbsd.org 2007/03/19 12:16:42 |
978 |
+ |
[ssh-agent.c] |
979 |
+ |
Remove the signal handler that checks if the agent's parent process |
980 |
+ |
has gone away, instead check when the select loop returns. Record when |
981 |
+ |
the next key will expire when scanning for expired keys. Set the select |
982 |
+ |
timeout to whichever of these two things happens next. With djm@, with & |
983 |
+ |
ok deraadt@ markus@ |
984 |
+ |
- tedu@cvs.openbsd.org 2007/03/20 03:56:12 |
985 |
+ |
[readconf.c clientloop.c] |
986 |
+ |
remove some bogus *p tests from charles longeau |
987 |
+ |
ok deraadt millert |
988 |
+ |
- jmc@cvs.openbsd.org 2007/03/20 15:57:15 |
989 |
+ |
[sshd.8] |
990 |
+ |
- let synopsis and description agree for -f |
991 |
+ |
- sort FILES |
992 |
+ |
- +.Xr ssh-keyscan 1 , |
993 |
+ |
from Igor Sobrado |
994 |
+ |
- (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use |
995 |
+ |
getpeerucred to implement getpeereid (currently only Solaris 10 and up). |
996 |
+ |
Patch by Jan.Pechanec at Sun. |
997 |
+ |
- (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have |
998 |
+ |
HAVE_GETPEERUCRED too. Also from Jan Pechanec. |
999 |
+ |
|
1000 |
+ |
20070313 |
1001 |
+ |
- (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include |
1002 |
+ |
string.h to prevent warnings, from vapier at gentoo.org. |
1003 |
+ |
- (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the |
1004 |
+ |
selinux bits in -portable. |
1005 |
+ |
- (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in |
1006 |
+ |
bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h |
1007 |
+ |
in cipher-bf1.c. Patch from Juan Gallego. |
1008 |
+ |
- (dtucker) [README.platform] Info about blibpath on AIX. |
1009 |
+ |
|
1010 |
|
20070306 |
1011 |
|
- (djm) OpenBSD CVS Sync |
1012 |
|
- jmc@cvs.openbsd.org 2007/03/01 16:19:33 |
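Review bot: The 20070429 block carries the same entry twice, at added lines 939 and 942 ("[openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype."), and the 20070724 entry at line 714 stops mid-sentence at "Allow more flexibility where smf(5)" with a new entry starting on line 715. Compare both against the upstream ChangeLog before committing. If upstream has them in this form, keep the imported file byte-identical and do not hand-edit; the same goes for the typos "trused" (line 660) and "every tree packets" (line 843). Two added entries change security behaviour and belong in the import's commit message or upgrade notes. Lines 973-976 disable SSH protocol 1 only through the shipped sshd_config, so hosts that keep an existing sshd_config are unaffected until the server default changes. Lines 660-661 stop the client falling back to the trusted X11 cookie when untrusted cookie generation fails.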
3825 |
|
OpenServer 6 and add osr5bigcrypt support so when someone migrates |
3826 |
|
passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
3827 |
|
|
3828 |
< |
$Id: ChangeLog,v 1.1.1.4 2007-03-13 21:36:54 laffer1 Exp $ |
3828 |
> |
$Id: ChangeLog,v 1.1.1.5 2008-04-06 04:40:38 laffer1 Exp $ |
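Review bot: The expanded $Id keyword at line 3828 now carries the local repository's revision and committer (1.1.1.5, laffer1), so this line will produce a one-line hunk like this on every import even when the tail of the file is otherwise unchanged. Consider importing vendor files with keyword expansion turned off (cvs import -ko) so the vendor branch stays identical to the release tarball and diffs against upstream show only real changes.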