ChangeLog
20131110
- (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
querying the ones that are compiled in.
20131109
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/11/09 05:41:34
[regress/test-exec.sh regress/rekey.sh]
Use smaller test data files to speed up tests. Grow test datafiles
where necessary for a specific test.
- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
latter actually works before using it. Fedora (at least) has NID_secp521r1
that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
- (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
- (dtucker) [configure.ac] Add missing "test".
- (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
20131108
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/11/08 01:06:14
[regress/rekey.sh]
Rekey less frequently during tests to speed them up
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/11/07 11:58:27
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
- djm@cvs.openbsd.org 2013/11/08 00:39:15
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
[clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
[sftp-client.c sftp-glob.c]
use calloc for all structure allocations; from markus@
- djm@cvs.openbsd.org 2013/11/08 01:38:11
[version.h]
openssh-6.4
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update version numbers following release.
- (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
arc4random_stir for platforms that have arc4random but don't have
arc4random_stir (right now this is only OpenBSD -current).
- (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
EVP_sha256.
- (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
- (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
warnings.
- (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
and pass in TEST_ENV. use stderr to get polluted
and the stderr-data test to fail.
- (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
rather than testing and generating each key, call ssh-keygen -A.
Patch from vinschen at redhat.com.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/11/09 05:41:34
[regress/test-exec.sh regress/rekey.sh]
Use smaller test data files to speed up tests. Grow test datafiles
where necessary for a specific test.
20131107
- (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
that got lost in recent merge.
- (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
- (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
- (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
that lack it but have arc4random_uniform()
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2013/11/04 11:51:16
[monitor.c]
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
RCSID sync only; I thought this was a merge botch and fixed it already
- markus@cvs.openbsd.org 2013/11/06 16:52:11
[monitor_wrap.c]
fix rekeying for AES-GCM modes; ok deraadt
- djm@cvs.openbsd.org 2013/11/06 23:05:59
[ssh-pkcs11.c]
from portable: s/true/true_val/ to avoid name collisions on dump platforms
RCSID sync only
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/10/09 23:44:14
[regress/Makefile] (ID sync only)
regression test for sftp request white/blacklisting and readonly mode.
- markus@cvs.openbsd.org 2013/11/02 22:39:53
[regress/kextype.sh]
add curve25519-sha256@libssh.org
- dtucker@cvs.openbsd.org 2013/11/04 12:27:42
[regress/rekey.sh]
Test rekeying with all KexAlgorithms.
- dtucker@cvs.openbsd.org 2013/11/07 00:12:05
[regress/rekey.sh]
Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
the GCM ciphers.
- dtucker@cvs.openbsd.org 2013/11/07 01:12:51
[regress/rekey.sh]
Factor out the data transfer rekey tests
- dtucker@cvs.openbsd.org 2013/11/07 02:48:38
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
Use ssh -Q instead of hardcoding lists of ciphers or MACs.
- dtucker@cvs.openbsd.org 2013/11/07 03:55:41
[regress/kextype.sh]
Use ssh -Q to get kex types instead of a static list.
- dtucker@cvs.openbsd.org 2013/11/07 04:26:56
[regress/kextype.sh]
trailing space
- (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
variable. It's no longer used now that we get the supported MACs from
ssh -Q.
20131104
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2013/11/02 20:03:54
[ssh-pkcs11.c]
support pkcs#11 tokens that only provide x509 certs instead of raw pubkeys;
fixes bz#1908; based on patch from Laurent Barbe; ok djm
- markus@cvs.openbsd.org 2013/11/02 21:59:15
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@
- markus@cvs.openbsd.org 2013/11/02 22:10:15
[kexdhs.c kexecdhs.c]
no need to include monitor_wrap.h
- markus@cvs.openbsd.org 2013/11/02 22:24:24
[kexdhs.c kexecdhs.c]
no need to include ssh-gss.h
- markus@cvs.openbsd.org 2013/11/02 22:34:01
[auth-options.c]
no need to include monitor_wrap.h and ssh-gss.h
- markus@cvs.openbsd.org 2013/11/02 22:39:19
[ssh_config.5 sshd_config.5]
the default kex is now curve25519-sha256@libssh.org
- djm@cvs.openbsd.org 2013/11/03 10:37:19
[roaming_common.c]
fix a couple of function definitions foo() -> foo(void)
(-Wold-style-definition)
- (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
KEX/curve25519 change
20131103
- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
From OpenSMTPD where it prevents "implicit declaration" warnings (it's
a no-op in OpenSSH). From chl at openbsd.
- (dtucker) [openbsd-compat/setproctitle.c] Handle error case from the 2nd
vsnprintf. From eric at openbsd via chl@.
- (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
for platforms that don't have them.
20131030
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/10/29 09:42:11
[key.c key.h]
fix potential stack exhaustion caused by nested certificates;
report by Mateusz Kocielski; ok dtucker@ markus@
- djm@cvs.openbsd.org 2013/10/29 09:48:02
[servconf.c servconf.h session.c sshd_config sshd_config.5]
sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
- jmc@cvs.openbsd.org 2013/10/29 18:49:32
[sshd_config.5]
pty(4), not pty(7);
20131026
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/10/25 23:04:51
[ssh.c]
fix crash when using ProxyCommand caused by previous commit - was calling
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
20131025
- (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
unnecessary arc4random_stir() calls. The only ones left are to ensure
that the PRNG gets a different state after fork() for platforms that
have broken the API.
20131024
- (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
rather than full client name which may be of form user@REALM;
patch from Miguel Sanders; ok dtucker@
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/10/23 05:40:58
[servconf.c]
fix comment
- djm@cvs.openbsd.org 2013/10/23 23:35:32
[sshd.c]
include local address and port in "Connection from ..." message (only
shown at loglevel>=verbose)
- dtucker@cvs.openbsd.org 2013/10/24 00:49:49
[moduli.c]
Periodically print progress and, if possible, expected time to completion
when screening moduli for DH groups. ok deraadt djm
- dtucker@cvs.openbsd.org 2013/10/24 00:51:48
[readconf.c servconf.c ssh_config.5 sshd_config.5]
Disallow empty Match statements and add "Match all" which matches
everything. ok djm, man page help jmc@
- djm@cvs.openbsd.org 2013/10/24 08:19:36
[ssh.c]
fix bug introduced in hostname canonicalisation commit: don't try to
resolve hostnames when a ProxyCommand is set unless the user has forced
canonicalisation; spotted by Iain Morgan
- (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
20131023
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/10/20 04:39:28
[ssh_config.5]
document % expansions performed by "Match command ..."
- djm@cvs.openbsd.org 2013/10/20 06:19:28
[readconf.c ssh_config.5]
rename "command" subclause of the recently-added "Match" keyword to
"exec"; it's shorter, clearer in intent and we might want to add the
ability to match against the command being executed at the remote end in
the future.
- djm@cvs.openbsd.org 2013/10/20 09:51:26
[scp.1 sftp.1]
add canonicalisation options to -o lists
- jmc@cvs.openbsd.org 2013/10/20 18:00:13
[ssh_config.5]
tweak the "exec" description, as worded by djm;
- djm@cvs.openbsd.org 2013/10/23 03:03:07
[readconf.c]
Hostname may have %h sequences that should be expanded prior to Match
evaluation; spotted by Iain Morgan
- djm@cvs.openbsd.org 2013/10/23 03:05:19
[readconf.c ssh.c]
comment
- djm@cvs.openbsd.org 2013/10/23 04:16:22
[ssh-keygen.c]
Make code match documentation: relative-specified certificate expiry time
should be relative to current time and not the validity start time.
Reported by Petr Lautrbach; ok deraadt@
20131018
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/10/09 23:44:14
[regress/Makefile regress/sftp-perm.sh]
regression test for sftp request white/blacklisting and readonly mode.
- jmc@cvs.openbsd.org 2013/10/17 07:35:48
[sftp.1 sftp.c]
tweak previous;
- djm@cvs.openbsd.org 2013/10/17 22:08:04
[sshd.c]
include remote port in bad banner message; bz#2162
20131017
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2013/10/15 14:10:25
[ssh.1 ssh_config.5]
tweak previous;
- djm@cvs.openbsd.org 2013/10/16 02:31:47
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
[sshconnect.c sshconnect.h]
Implement client-side hostname canonicalisation to allow an explicit
search path of domain suffixes to use to convert unqualified host names
to fully-qualified ones for host key matching.
This is particularly useful for host certificates, which would otherwise
need to list unqualified names alongside fully-qualified ones (and this
causes a number of problems).
"looks fine" markus@
- jmc@cvs.openbsd.org 2013/10/16 06:42:25
[ssh_config.5]
tweak previous;
- djm@cvs.openbsd.org 2013/10/16 22:49:39
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
s/canonicalise/canonicalize/ for consistency with existing spelling,
e.g. authorized_keys; pointed out by naddy@
- djm@cvs.openbsd.org 2013/10/16 22:58:01
[ssh.c ssh_config.5]
one I missed in previous: s/isation/ization/
- djm@cvs.openbsd.org 2013/10/17 00:30:13
[PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
- djm@cvs.openbsd.org 2013/10/17 00:46:49
[ssh.c]
rearrange check to reduce diff against -portable
(Id sync only)
20131015
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/10/09 23:42:17
[sftp-server.8 sftp-server.c]
Add ability to whitelist and/or blacklist sftp protocol requests by name.
Refactor dispatch loop and consolidate read-only mode checks.
Make global variables static, since sftp-server is linked into sshd(8).
ok dtucker@
- djm@cvs.openbsd.org 2013/10/10 00:53:25
[sftp-server.c]
add -Q, -P and -p to usage() before jmc@ catches me
- djm@cvs.openbsd.org 2013/10/10 01:43:03
[sshd.c]
bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly
updated; ok dtucker@
- djm@cvs.openbsd.org 2013/10/11 02:45:36
[sftp-client.c]
rename flag arguments to be more clear and consistent.
reorder some internal function arguments to make adding additional flags
easier.
no functional change
- djm@cvs.openbsd.org 2013/10/11 02:52:23
[sftp-client.c]
missed one arg reorder
- djm@cvs.openbsd.org 2013/10/11 02:53:45
[sftp-client.h]
obsolete comment
- jmc@cvs.openbsd.org 2013/10/14 14:18:56
[sftp-server.8 sftp-server.c]
tweak previous;
ok djm
- djm@cvs.openbsd.org 2013/10/14 21:20:52
[session.c session.h]
Add logging of session starts in a useful format; ok markus@ feedback and
ok dtucker@
- djm@cvs.openbsd.org 2013/10/14 22:22:05
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@
- djm@cvs.openbsd.org 2013/10/14 23:28:23
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
refactor client config code a little:
add multistate option parsing to readconf.c, similar to servconf.c's
existing code.
move checking of options that accept "none" as an argument to readconf.c
add a lowercase() function and use it instead of explicit tolower() in
loops
part of a larger diff that was ok markus@
- djm@cvs.openbsd.org 2013/10/14 23:31:01
[ssh.c]
whitespace at EOL; pointed out by markus@
- [ssh.c] g/c unused variable.
20131010
- (dtucker) OpenBSD CVS Sync
- sthen@cvs.openbsd.org 2013/09/16 11:35:43
[ssh_config]
Remove gssapi config parts from ssh_config, as was already done for
sshd_config. Req by/ok ajacoutot@
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
- djm@cvs.openbsd.org 2013/09/19 00:24:52
[progressmeter.c]
store the initial file offset so the progress meter doesn't freak out
when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@
- djm@cvs.openbsd.org 2013/09/19 00:49:12
[sftp-client.c]
fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan
- djm@cvs.openbsd.org 2013/09/19 01:24:46
[channels.c]
bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@
- djm@cvs.openbsd.org 2013/09/19 01:26:29
[sshconnect.c]
bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from
swp AT swp.pp.ru; ok dtucker@
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
[dh.c dh.h]
Increase the size of the Diffie-Hellman groups requested for each
symmetric key size. New values from NIST Special Publication 800-57 with
the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
djm@.
20131009
- (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
in OpenBSD implementation of arc4random, shortly to replace the existing
bsd-arc4random.c
- (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
[openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
tested tim@
20130922
- (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
setting when handling SIGHUP to maintain behaviour over restart. Patch
from Matthew Ife.
20130918
- (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu.
20130914
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/08/22 19:02:21
[sshd.c]
Stir PRNG after post-accept fork. The child gets a different PRNG state
anyway via rexec and explicit privsep reseeds, but it's good to be sure.
ok markus@
- mikeb@cvs.openbsd.org 2013/08/28 12:34:27
[ssh-keygen.c]
improve batch processing a bit by making use of the quiet flag a bit
more often and exit with a non zero code if asked to find a hostname
in a known_hosts file and it wasn't there;
originally from reyk@, ok djm
- djm@cvs.openbsd.org 2013/08/31 00:13:54
[sftp.c]
make ^w match ksh behaviour (delete previous word instead of entire line)
- deraadt@cvs.openbsd.org 2013/09/02 22:00:34
[ssh-keygen.c sshconnect1.c sshd.c]
All the instances of arc4random_stir() are bogus, since arc4random()
does this itself, inside itself, and has for a very long time.. Actually,
this was probably reducing the entropy available.
ok djm
ID SYNC ONLY for portable; we don't trust other arc4random implementations
to do this right.
- sthen@cvs.openbsd.org 2013/09/07 13:53:11
[sshd_config]
Remove commented-out kerberos/gssapi config options from sample config,
kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
various people; ok deraadt@
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
- djm@cvs.openbsd.org 2013/09/12 01:41:12
[clientloop.c]
fix connection crash when sending break (~B) on ControlPersist'd session;
ok dtucker@
- djm@cvs.openbsd.org 2013/09/13 06:54:34
[channels.c]
avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use buffer_put_int();
from portable; spotted by and ok dtucker@
20130828
- (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
start to use them in the future.
- (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits
until we have configure support.
20130821
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/08/06 23:03:49
[sftp.c]
fix some whitespace at EOL
make list of commands an enum rather than a long list of defines
add -a to usage()
- djm@cvs.openbsd.org 2013/08/06 23:05:01
[sftp.1]
document top-level -a option (the -a option to 'get' was already
documented)
- djm@cvs.openbsd.org 2013/08/06 23:06:01
[servconf.c]
add cast to avoid format warning; from portable
- jmc@cvs.openbsd.org 2013/08/07 06:24:51
[sftp.1 sftp.c]
sort -a;
- djm@cvs.openbsd.org 2013/08/08 04:52:04
[sftp.c]
fix two year old regression: symlinking a file would incorrectly
canonicalise the target path. bz#2129 report from delphij AT freebsd.org
- djm@cvs.openbsd.org 2013/08/08 05:04:03
[sftp-client.c sftp-client.h sftp.c]
add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename-like
posix-rename@openssh.com extension.
intended for use in regress tests, so no documentation.
- djm@cvs.openbsd.org 2013/08/09 03:37:25
[sftp.c]
do getopt parsing for all sftp commands (with an empty optstring for
commands without arguments) to ensure consistent behaviour
- djm@cvs.openbsd.org 2013/08/09 03:39:13
[sftp-client.c]
two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller
- djm@cvs.openbsd.org 2013/08/09 03:56:42
[sftp.c]
enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
matching ksh's relatively recent change.
- djm@cvs.openbsd.org 2013/08/13 18:32:08
[ssh-keygen.c]
typo in error message; from Stephan Rickauer
- djm@cvs.openbsd.org 2013/08/13 18:33:08
[ssh-keygen.c]
another of the same typo
- jmc@cvs.openbsd.org 2013/08/14 08:39:27
[scp.1 ssh.1]
some Bx/Ox conversion;
From: Jan Stary
- djm@cvs.openbsd.org 2013/08/20 00:11:38
[readconf.c readconf.h ssh_config.5 sshconnect.c]
Add a ssh_config ProxyUseFDPass option that supports the use of
ProxyCommands that establish a connection and then pass a connected
file descriptor back to ssh(1). This allows the ProxyCommand to exit
rather than have to shuffle data back and forth and enables ssh to use
getpeername, etc. to obtain address information just like it does with
regular directly-connected sockets. ok markus@
- jmc@cvs.openbsd.org 2013/08/20 06:56:07
[ssh.1 ssh_config.5]
some proxyusefdpass tweaks;
20130808
- (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt
since some platforms (eg really old FreeBSD) don't have it. Instead,
run "make clean" before a complete regress run. ok djm.
- (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(
CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
CLOCK_MONOTONIC define but don't actually support it. Found and tested
by Kevin Brott, ok djm.
- (dtucker) [misc.c] Remove define added for fallback testing that was
mistakenly included in the previous commit.
- (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt
removal. The "make clean" removes modpipe which is built by the top-level
directory before running the tests. Spotted by tim@
- (djm) Release 6.3p1
20130804
- (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support
for building with older Heimdal versions. ok djm.
20130801
- (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-
blocking connecting socket will clear any stored errno that might
otherwise have been retrievable via getsockopt(). A hack to limit writes
to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
it in an #ifdef. Diagnosis and patch from Ivo Raisr.
- (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134
20130725
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/07/20 22:20:42
[krl.c]
fix verification error in (as-yet unused) KRL signature checking path
- djm@cvs.openbsd.org 2013/07/22 05:00:17
[umac.c]
make MAC key, data to be hashed and nonce for final hash const;
checked with -Wcast-qual
- djm@cvs.openbsd.org 2013/07/22 12:20:02
[umac.h]
oops, forgot to commit corresponding header change;
spotted by jsg and jasper
- djm@cvs.openbsd.org 2013/07/25 00:29:10
[ssh.c]
daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
it is fully detached from its controlling terminal. based on debugging
- djm@cvs.openbsd.org 2013/07/25 00:56:52
[sftp-client.c sftp-client.h sftp.1 sftp.c]
sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@
- djm@cvs.openbsd.org 2013/07/25 00:57:37
[version.h]
openssh-6.3 for release
- dtucker@cvs.openbsd.org 2013/05/30 20:12:32
[regress/test-exec.sh]
use ssh and sshd as testdata since it needs to be >256k for the rekey test
- dtucker@cvs.openbsd.org 2013/06/10 21:56:43
[regress/forwarding.sh]
Add test for forward config parsing
- djm@cvs.openbsd.org 2013/06/21 02:26:26
[regress/sftp-cmds.sh regress/test-exec.sh]
unbreak sftp-cmds for renamed test data (s/ls/data/)
- (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on
Solaris and UnixWare. Feedback and OK djm@
- (tim) [regress/forwarding.sh] Fix for building outside source tree.
20130720
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2013/07/19 07:37:48
[auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
[servconf.h session.c sshd.c sshd_config.5]
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@
- djm@cvs.openbsd.org 2013/07/20 01:43:46
[umac.c]
use a union to ensure correct alignment; ok deraadt
- djm@cvs.openbsd.org 2013/07/20 01:44:37
[ssh-keygen.c ssh.c]
More useful error message on missing current user in /etc/passwd
- djm@cvs.openbsd.org 2013/07/20 01:50:20
[ssh-agent.c]
call cleanup_handler on SIGINT when in debug mode to ensure sockets
are cleaned up on manual exit; bz#2120
- djm@cvs.openbsd.org 2013/07/20 01:55:13
[auth-krb5.c gss-serv-krb5.c gss-serv.c]
fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
20130718
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/10 19:19:44
[readconf.c]
revert 1.203 while we investigate crashes reported by okan@
- guenther@cvs.openbsd.org 2013/06/17 04:48:42
[scp.c]
Handle time_t values as long long's when formatting them and when
parsing them from remote servers.
Improve error checking in parsing of 'T' lines.
ok dtucker@ deraadt@
- markus@cvs.openbsd.org 2013/06/20 19:15:06
[krl.c]
don't leak the rdata blob on errors; ok djm@
- djm@cvs.openbsd.org 2013/06/21 00:34:49
[auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
for hostbased authentication, print the client host and user on
the auth success/failure line; bz#2064, ok dtucker@
- djm@cvs.openbsd.org 2013/06/21 00:37:49
[ssh_config.5]
explicitly mention that IdentitiesOnly can be used with IdentityFile
to control which keys are offered from an agent.
- djm@cvs.openbsd.org 2013/06/21 05:42:32
[dh.c]
sprinkle in some error() to explain moduli(5) parse failures
- djm@cvs.openbsd.org 2013/06/21 05:43:10
[scp.c]
make this -Wsign-compare clean after time_t conversion
- djm@cvs.openbsd.org 2013/06/22 06:31:57
[scp.c]
improved time_t overflow check suggested by guenther@
- jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
do not use Sx for sections outwith the man page - ingo informs me that
stuff like html will render with broken links;
issue reported by Eric S. Raymond, via djm
- markus@cvs.openbsd.org 2013/07/02 12:31:43
[dh.c]
remove extra whitespace
- djm@cvs.openbsd.org 2013/07/12 00:19:59
[auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
[hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
- djm@cvs.openbsd.org 2013/07/12 00:20:00
[sftp.c ssh-keygen.c ssh-pkcs11.c]
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
- djm@cvs.openbsd.org 2013/07/12 00:43:50
[misc.c]
in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
errno == 0. Avoids confusing error message in some broken resolver
cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
- djm@cvs.openbsd.org 2013/07/12 05:42:03
[ssh-keygen.c]
do_print_resource_record() can never be called with a NULL filename, so
don't attempt (and bungle) asking for one if it has not been specified
bz#2127 ok dtucker@
- djm@cvs.openbsd.org 2013/07/12 05:48:55
[ssh.c]
set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
- schwarze@cvs.openbsd.org 2013/07/16 00:07:52
[scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8]
use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
- djm@cvs.openbsd.org 2013/07/18 01:12:26
[ssh.1]
be more exact wrt perms for ~/.ssh/config; bz#2078
20130702
- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
contrib/cygwin/ssh-user-config] Modernize and improve readability of
the Cygwin README file (which hasn't been updated for ages), drop
unsupported OSes from the ssh-host-config help text, and drop an
unneeded option from ssh-user-config. Patch from vinschen at redhat com.
20130610
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/07 15:37:52
[channels.c channels.h clientloop.c]
Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.
- (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported
algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages.
- (dtucker) [myproposal.h] Do not advertise AES GCM ciphers if we don't have
the required OpenSSL support. Patch from naddy at freebsd.
- (dtucker) [myproposal.h] Make the conditional algorithm support consistent
and add some comments so it's clear what goes where.
20130605
- (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of
the necessary functions, not from the openssl version.
- (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test.
Patch from cjwatson at debian.
- (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the
forwarding test is extremely slow copying data on some machines so switch
back to copying the much smaller ls binary until we can figure out why
this is.
- (dtucker) [Makefile.in] append $CFLAGS to compiler options when building
modpipe in case there's anything in there we need.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/02 21:01:51
[channels.h]
typo in comment
- dtucker@cvs.openbsd.org 2013/06/02 23:36:29
[clientloop.h clientloop.c mux.c]
No need for the mux cleanup callback to be visible so restore it to static
and call it through the detach_user function pointer. ok djm@
- dtucker@cvs.openbsd.org 2013/06/03 00:03:18
[mac.c]
force the MAC output to be 64-bit aligned so umac won't see unaligned
accesses on strict-alignment architectures. bz#2101, patch from
tomas.kuthan at oracle.com, ok djm@
- dtucker@cvs.openbsd.org 2013/06/04 19:12:23
[scp.c]
use MAXPATHLEN for buffer size instead of fixed value. ok markus
- dtucker@cvs.openbsd.org 2013/06/04 20:42:36
[sftp.c]
Make sftp's libedit interface marginally multibyte aware by building up
the quoted string by character instead of by byte. Prevents failures
when linked against a libedit built with wide character support (bz#1990).
"looks ok" djm
- dtucker@cvs.openbsd.org 2013/06/05 02:07:29
[mux.c]
fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967,
ok djm
- dtucker@cvs.openbsd.org 2013/06/05 02:27:50
[sshd.c]
When running sshd -D, close stderr unless we have explicitly requested
logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch
so, err, ok dtucker.
- dtucker@cvs.openbsd.org 2013/06/05 12:52:38
[sshconnect2.c]
Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm
- dtucker@cvs.openbsd.org 2013/06/05 22:00:28
[readconf.c]
plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm
- (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for
platforms that don't have multibyte character support (specifically,
mblen).
20130602
- (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy
linking regress/modpipe.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/02 13:33:05
[progressmeter.c]
Add misc.h for monotime prototype. (ID sync only).
- dtucker@cvs.openbsd.org 2013/06/02 13:35:58
[ssh-agent.c]
Make parent_alive_interval time_t to avoid signed/unsigned comparison
- (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms
to prevent noise from configure. Patch from Nathan Osman. (bz#2114).
- (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android.
Patch from Nathan Osman.
- (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we
need a shell that can handle "[ file1 -nt file2 ]". Rather than keep
dealing with shell portability issues in regression tests, we let
configure find us a capable shell on those platforms with an old /bin/sh.
- (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr.
feedback and ok dtucker
- (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker
- (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h.
- (dtucker) [configure.ac] Some other platforms need sys/types.h before
sys/socket.h.
20130601
- (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to
using openssl's DES_crypt function on platforms that don't have a native
one, eg Android. Based on a patch from Nathan Osman.
- (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS
rather than trying to enumerate the platforms that don't have them.
Based on a patch from Nathan Osman, with help from tim@.
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@
- djm@cvs.openbsd.org 2013/05/19 02:38:28
[auth2-pubkey.c]
fix failure to recognise cert-authority keys if a key of a different type
appeared in authorized_keys before it; ok markus@
- djm@cvs.openbsd.org 2013/05/19 02:42:42
[auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@
- dtucker@cvs.openbsd.org 2013/05/31 12:28:10
[ssh-agent.c]
Use time_t where appropriate. ok djm
- dtucker@cvs.openbsd.org 2013/06/01 13:15:52
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
channels.c sandbox-systrace.c]
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.
- dtucker@cvs.openbsd.org 2013/06/01 20:59:25
[scp.c sftp-client.c]
Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.
- dtucker@cvs.openbsd.org 2013/06/01 22:34:50
[sftp-client.c]
Update progressmeter when data is acked, not when it's sent. bz#2108, from
Debian via Colin Watson, ok djm@
- (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
with the equivalent calls to free.
- (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall
back to time(NULL) if we can't find it anywhere.
- (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.
20130529
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
implementation of endgrent for platforms that don't have it (eg Android).
Loosely based on a patch from Nathan Osman, ok djm
20130517
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/03/07 00:20:34
[regress/proxy-connect.sh]
repeat test with a style appended to the username
- dtucker@cvs.openbsd.org 2013/03/23 11:09:43
[regress/test-exec.sh]
Only regenerate host keys if they don't exist or if ssh-keygen has changed
since they were. Reduces test runtime by 5-30% depending on machine
speed.
- dtucker@cvs.openbsd.org 2013/04/06 06:00:22
[regress/rekey.sh regress/test-exec.sh regress/integrity.sh
regress/multiplex.sh Makefile regress/cfgmatch.sh]
Split the regress log into 3 parts: the debug output from ssh, the debug
log from sshd and the output from the client command (ssh, scp or sftp).
Somewhat functional now, will become more useful when ssh/sshd -E is added.
- dtucker@cvs.openbsd.org 2013/04/07 02:16:03
[regress/Makefile regress/rekey.sh regress/integrity.sh
regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh]
use -E option for ssh and sshd to write debugging logs to ssh{,d}.log and
save the output from any failing tests. If a test fails the debug output
from ssh and sshd for the failing tests (and only the failing tests) should
be available in failed-ssh{,d}.log.
- djm@cvs.openbsd.org 2013/04/18 02:46:12
[regress/Makefile regress/sftp-chroot.sh]
test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@
- dtucker@cvs.openbsd.org 2013/04/22 07:23:08
[regress/multiplex.sh]
Write mux master logs to regress.log instead of ssh.log to keep separate
- djm@cvs.openbsd.org 2013/05/10 03:46:14
[regress/modpipe.c]
sync some portability changes from portable OpenSSH (id sync only)
- dtucker@cvs.openbsd.org 2013/05/16 02:10:35
[regress/rekey.sh]
Add test for time-based rekeying
- dtucker@cvs.openbsd.org 2013/05/16 03:33:30
[regress/rekey.sh]
test rekeying when there's no data being transferred
- dtucker@cvs.openbsd.org 2013/05/16 04:26:10
[regress/rekey.sh]
add server-side rekey test
- dtucker@cvs.openbsd.org 2013/05/16 05:48:31
[regress/rekey.sh]
add tests for RekeyLimit parsing
- dtucker@cvs.openbsd.org 2013/05/17 00:37:40
[regress/agent.sh regress/keytype.sh regress/cfgmatch.sh
regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh
regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh
regress/ssh-com.sh]
replace 'echo -n' with 'printf' since it's more portable
also remove "echon" hack.
- dtucker@cvs.openbsd.org 2013/05/17 01:16:09
[regress/agent-timeout.sh]
Pull back some portability changes from -portable:
- TIMEOUT is a read-only variable in some shells
- not all greps have -q so redirect to /dev/null instead.
(ID sync only)
- dtucker@cvs.openbsd.org 2013/05/17 01:32:11
[regress/integrity.sh]
don't print output from ssh before getting it (it's available in ssh.log)
- dtucker@cvs.openbsd.org 2013/05/17 04:29:14
[regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh
regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh
regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh
regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh
regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh
regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh
regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh
regress/multiplex.sh]
Move the setting of DATA and COPY into test-exec.sh
- dtucker@cvs.openbsd.org 2013/05/17 10:16:26
[regress/try-ciphers.sh]
use expr for math to keep diffs vs portable down
(id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:23:52
[regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh]
Use SUDO when cat'ing pid files and running the sshd log wrapper so that
it works with a restrictive umask and the pid files are not world readable.
Changes from -portable. (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:24:48
[regress/localcommand.sh]
use backticks for portability. (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:26:26
[regress/sftp-badcmds.sh]
remove unused BATCH variable. (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:28:11
[regress/sftp.sh]
only compare copied data if sftp succeeds. from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:30:07
[regress/test-exec.sh]
wait a bit longer for startup and use case for absolute path.
from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:33:09
[regress/agent-getpeereid.sh]
don't redirect stdout from sudo. from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:34:30
[regress/portnum.sh]
use a more portable negated if structure. from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:35:43
[regress/scp.sh]
use a file extension that's not special on some platforms. from portable
(id sync only)
- (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it
in portable and it's long gone in openbsd.
- (dtucker) [regress/integrity.sh] Force fixed Diffie-Hellman key exchange
methods. When the openssl version doesn't support ECDH then the next one on
the list is DH group exchange, but that causes a bit more traffic which can
mean that the tests flip bits in the initial exchange rather than the MACed
traffic and we get different errors to what the tests look for.
- (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
- (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
- (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
- (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]
Move the jot helper function to portable-specific part of test-exec.sh.
- (dtucker) [regress/test-exec.sh] Move the portable-specific functions
together and add a couple of missing lines from openbsd.
- (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5
helper function to the portable part of test-exec.sh.
- (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
- (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep rendered obsolete by
rev 1.6 which calls wait.
20130516
- (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
executed if mktemp failed; bz#2105 ok dtucker@
- (dtucker) OpenBSD CVS Sync
- tedu@cvs.openbsd.org 2013/04/23 17:49:45
[misc.c]
use xasprintf instead of a series of strlcats and strdup. ok djm
- tedu@cvs.openbsd.org 2013/04/24 16:01:46
[misc.c]
remove extra parens noticed by nicm
- dtucker@cvs.openbsd.org 2013/05/06 07:35:12
[sftp-server.8]
Reference the version of the sftp draft we actually implement. ok djm@
- djm@cvs.openbsd.org 2013/05/10 03:40:07
[sshconnect2.c]
fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from
Colin Watson
- djm@cvs.openbsd.org 2013/05/10 04:08:01
[key.c]
memleak in cert_free(), wasn't actually freeing the struct;
bz#2096 from shm AT digitalsun.pl
- dtucker@cvs.openbsd.org 2013/05/10 10:13:50
[ssh-pkcs11-helper.c]
remove unused extern optarg. ok markus@
- dtucker@cvs.openbsd.org 2013/05/16 02:00:34
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
ssh_config.5 packet.h]
Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm
- dtucker@cvs.openbsd.org 2013/05/16 04:09:14
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
page.
- djm@cvs.openbsd.org 2013/05/16 04:27:50
[ssh_config.5 readconf.h readconf.c]
add the ability to ignore specific unrecognised ssh_config options;
bz#866; ok markus@
- jmc@cvs.openbsd.org 2013/05/16 06:28:45
[ssh_config.5]
put IgnoreUnknown in the right place;
- jmc@cvs.openbsd.org 2013/05/16 06:30:06
[sshd_config.5]
oops! avoid Xr to self;
- dtucker@cvs.openbsd.org 2013/05/16 09:08:41
[log.c scp.c sshd.c serverloop.c schnorr.c sftp.c]
Fix some "unused result" warnings found via clang and -portable.
ok markus@
- dtucker@cvs.openbsd.org 2013/05/16 09:12:31
[readconf.c servconf.c]
switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@
- dtucker@cvs.openbsd.org 2013/05/16 10:43:34
[servconf.c readconf.c]
remove now-unused variables
- dtucker@cvs.openbsd.org 2013/05/16 10:44:06
[servconf.c]
remove another now-unused variable
- (dtucker) [configure.ac readconf.c servconf.c
openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled.
20130510
- (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler
supports it. Mentioned by Colin Watson in bz#2100, ok djm.
- (dtucker) [openbsd-compat/getopt.c] Factor out portability changes to