ChangeLog
20060916
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2006/09/16 19:53:37
[deattack.c deattack.h packet.c]
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@
- (djm) Add openssh.xml to .cvsignore and sort it
20060912
- (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
Support SMF in Solaris Packages if enabled by configure. Patch from
Chad Mynhier, tested by dtucker@
20060911
- (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted
by Pekka Savola.
20060910
- (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available.
- (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB.
20060909
- (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.
- (dtucker) [contrib/aix/buildbff.sh] Always create privsep user.
- (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@
20060908
- (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch
from Chris Adams.
- (dtucker) [configure.ac] The BSM header test needs time.h in some cases.
20060907
- (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
be used to drop privilege to; fixes Solaris GSSAPI crash reported by
Magnus Abrante; suggestion and feedback dtucker@
NB. this change will require that the privilege separation user must
exist all the time, not just when UsePrivilegeSeparation=yes
- (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
- (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H.
- (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better
chance of winning.
20060905
- (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
- (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.
20060904
- (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
updwtmp seems to generate invalid wtmp entries. From Roger Cornelius,
ok djm@
20060903
- (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
declaration of writev(2) and declare it ourselves if necessary. Makes
the atomiciov() calls build on really old systems. ok djm@
20060902
- (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
- (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
for hton* and ntoh* macros. Required on (at least) HP-UX since we define
_XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
20060901
- (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
[auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
[cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
[dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
[md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
[scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c]
[openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
[openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
[openbsd-compat/port-uw.c]
Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
compile problems reported by rac AT tenzing.org
- (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
[openbsd-compat/rresvport.c] Some more headers: netinet/in.h
sys/socket.h and unistd.h in various places
- (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implicit declaration
warnings for binary_open and binary_close. Patch from Corinna Vinschen.
- (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
test for GLOB_NOMATCH and use our glob functions if it's not found.
Stops sftp from segfaulting when attempting to get a nonexistent file on
Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
from and tested by Corinna Vinschen.
- (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank
versions.
20060831
- (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
[platform.c platform.h sshd.c openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
[openbsd-compat/port-solaris.h] Add support for Solaris process
contracts, enabled with --use-solaris-contracts. Patch from Chad
Mynhier, tweaked by dtucker@ and myself; ok dtucker@
- (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
while setting up the ssh service account. Patch from Corinna Vinschen.
20060830
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
[sshd_config.5]
Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
ok jmc@ djm@
- dtucker@cvs.openbsd.org 2006/08/21 08:15:57
[sshd.8]
Add more detail about what permissions are and aren't accepted for
authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
- djm@cvs.openbsd.org 2006/08/29 10:40:19
[channels.c session.c]
normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
ok markus@ deraadt@
- dtucker@cvs.openbsd.org 2006/08/29 12:02:30
[gss-genr.c]
Work around a problem in Heimdal that occurs when KRB5CCNAME file is
missing, by checking whether or not kerberos allocated us a context
before attempting to free it. Patch from Simon Wilkinson, tested by
biorn@, ok djm@
- dtucker@cvs.openbsd.org 2006/08/30 00:06:51
[sshconnect2.c]
Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
where previously it wasn't. bz #1221, found by Dean Kopesky, ok djm@
- djm@cvs.openbsd.org 2006/08/30 00:14:37
[version.h]
crank to 4.4
- (djm) [openbsd-compat/xcrypt.c] needs unistd.h
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed
login count. Previously this would only happen when an interactive
session starts (ie when a pty is allocated) but this means that accounts
that have primarily non-interactive sessions (eg scp's) may gradually
accumulate enough failures to lock out an account. This change may have
a side effect of creating two audit records, one with a tty of "ssh"
corresponding to the authentication and one with the allocated pty per
interactive session.
20060824
- (dtucker) [openbsd-compat/basename.c] Include errno.h.
- (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
older systems.
- (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
on POSIX systems.
- (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
- (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
- (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
unused variable warning when we have a broken or missing mmap(2).
20060822
- (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
Makefile. Patch from santhi.amirta at gmail, ok djm.
20060820
- (dtucker) [log.c] Move ifdef to prevent unused variable warning.
- (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
- (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
fixing bug #1181. No changes yet.
- (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
(0.9.8a and presumably newer) requires -ldl to successfully link.
- (dtucker) [configure.ac] Remove errant "-".
20060819
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2006/08/18 22:41:29
[gss-genr.c]
GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
- (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
single rule for the test progs.
20060818
- (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
closefrom.c from sudo.
- (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
- (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
- (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
test progs instead; they work better than what we have.
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2006/08/06 01:13:32
[compress.c monitor.c monitor_wrap.c]
"zlib.h" can be <zlib.h>; ok djm@ markus@
- miod@cvs.openbsd.org 2006/08/12 20:46:46
[monitor.c monitor_wrap.c]
Revert previous include file ordering change, for ssh to compile under
gcc2 (or until openssl include files are cleaned of parameter names
in function prototypes)
- dtucker@cvs.openbsd.org 2006/08/14 12:40:25
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
- djm@cvs.openbsd.org 2006/08/16 11:47:15
[sshd.c]
factor inetd connection, TCP listen and main TCP accept loop out of
main() into separate functions to improve readability; ok markus@
- deraadt@cvs.openbsd.org 2006/08/18 09:13:26
[log.c log.h sshd.c]
make signal handler termination path shorter; risky code pointed out by
mark dowd; ok djm markus
- markus@cvs.openbsd.org 2006/08/18 09:15:20
[auth.h session.c sshd.c]
delay authentication related cleanups until we're authenticated and
all alarms have been cancelled; ok deraadt
- djm@cvs.openbsd.org 2006/08/18 10:27:16
[misc.h]
reorder so prototypes are sorted by the files they refer to; no
binary change
- djm@cvs.openbsd.org 2006/08/18 13:54:54
[gss-genr.c ssh-gss.h sshconnect2.c]
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
ok markus@
- djm@cvs.openbsd.org 2006/08/18 14:40:34
[gss-genr.c ssh-gss.h]
constify host argument to match the rest of the GSSAPI functions and
unbreak compilation with -Werror
- (djm) Disable sigdie() for platforms that cannot safely syslog inside
a signal handler (basically all of them, excepting OpenBSD);
ok dtucker@
20060817
- (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
Include stdlib.h for malloc and friends.
- (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
for closefrom() on AIX. Pointed out by William Ahern.
- (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
test for closefrom() in compat code.
20060816
- (djm) [audit-bsm.c] Sprinkle in some headers
20060815
- (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
20060806
- (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
on Solaris 10
20060806
- (dtucker) [defines.h] With the includes.h changes we no longer get the
name clash on "YES" so we can remove the workaround for it.
- (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
glob.c}] Include stdlib.h for malloc and friends in compat code.
20060805
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2006/07/24 13:58:22
[sshconnect.c]
disable tunnel forwarding when no strict host key checking
and key changed; ok djm@ markus@ dtucker@
- stevesk@cvs.openbsd.org 2006/07/25 02:01:34
[scard.c]
need #include <string.h>
- stevesk@cvs.openbsd.org 2006/07/25 02:59:21
[channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
[sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
move #include <sys/time.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/26 02:35:17
[atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
[groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
[packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
[sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
[uidswap.c xmalloc.c]
move #include <sys/param.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/26 13:57:17
[authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
[hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
[scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
[sshconnect1.c sshd.c xmalloc.c]
move #include <stdlib.h> out of includes.h
- jmc@cvs.openbsd.org 2006/07/27 08:00:50
[ssh_config.5]
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
ok deraadt
- dtucker@cvs.openbsd.org 2006/08/01 11:34:36
[sshconnect.c]
Allow fallback to known_hosts entries without port qualifiers for
non-standard ports too, so that all existing known_hosts entries will be
recognised. Requested by, feedback and ok markus@
- stevesk@cvs.openbsd.org 2006/08/01 23:22:48
[auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
[auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
[channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
[kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
[monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
[servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
[uuencode.h xmalloc.c]
move #include <stdio.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/08/01 23:36:12
[authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
clean extra spaces
- deraadt@cvs.openbsd.org 2006/08/03 03:34:42
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
- stevesk@cvs.openbsd.org 2006/08/04 20:46:05
[monitor.c session.c ssh-agent.c]
spaces
- (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
- (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
remove last traces of bufaux.h - it was merged into buffer.h in the big
includes.h commit
- (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
- (djm) [openbsd-compat/regress/snprintftest.c]
[openbsd-compat/regress/strduptest.c] Add missing includes so they pass
compilation with "-Wall -Werror"
- (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
includes for Linux in
- (dtucker) [cleanup.c] Need defines.h for __dead.
- (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
- (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
#include stdarg.h, needed for log.h.
- (dtucker) [entropy.c] Needs unistd.h too.
- (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Needs stdlib.h for malloc.
- (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
otherwise it is implicitly declared as returning an int.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/08/05 07:52:52
[auth2-none.c sshd.c monitor_wrap.c]
Add headers required to build with KERBEROS5=no. ok djm@
- dtucker@cvs.openbsd.org 2006/08/05 08:00:33
[auth-skey.c]
Add headers required to build with -DSKEY. ok djm@
- dtucker@cvs.openbsd.org 2006/08/05 08:28:24
[monitor_wrap.c auth-skey.c auth2-chall.c]
Zap unused variables in -DSKEY code. ok djm@
- dtucker@cvs.openbsd.org 2006/08/05 08:34:04
[packet.c]
Typo in comment
- (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
on Cygwin.
- (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
- (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
- (dtucker) [audit.c audit.h] Repair headers.
- (dtucker) [audit-bsm.c] Add additional headers now required.
20060804
- (dtucker) [configure.ac] The "crippled AES" test does not work on recent
versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
rather than just compiling it. Spotted by dlg@.
20060802
- (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
20060725
- (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDWR.
20060724
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2006/07/12 13:39:55
[sshd_config.5]
- new sentence, new line
- s/The the/The/
- kill a bad comma
- stevesk@cvs.openbsd.org 2006/07/12 22:28:52
[auth-options.c canohost.c channels.c includes.h readconf.c]
[servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
move #include <netdb.h> out of includes.h; ok djm@
- stevesk@cvs.openbsd.org 2006/07/12 22:42:32
[includes.h ssh.c ssh-rand-helper.c]
move #include <stddef.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/14 01:15:28
[monitor_wrap.h]
don't need incompletely-typed 'struct passwd' now with
#include <pwd.h>; ok markus@
- stevesk@cvs.openbsd.org 2006/07/17 01:31:10
[authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
[includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
[readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
[sshconnect.c sshlogin.c sshpty.c uidswap.c]
move #include <unistd.h> out of includes.h
- dtucker@cvs.openbsd.org 2006/07/17 12:02:24
[auth-options.c]
Use '\0' rather than 0 to terminate strings; ok djm@
- dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only to specific host/port pairs. Useful when combined
with Match.
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
- jmc@cvs.openbsd.org 2006/07/18 07:50:40
[sshd_config.5]
tweak; ok dtucker
- jmc@cvs.openbsd.org 2006/07/18 07:56:28
[scp.1]
replace DIAGNOSTICS with .Ex;
- jmc@cvs.openbsd.org 2006/07/18 08:03:09
[ssh-agent.1 sshd_config.5]
mark up angle brackets;
- dtucker@cvs.openbsd.org 2006/07/18 08:22:23
[sshd_config.5]
Clarify description of Match, with minor correction from jmc@
- stevesk@cvs.openbsd.org 2006/07/18 22:27:55
[dh.c]
remove unneeded includes; ok djm@
- dtucker@cvs.openbsd.org 2006/07/19 08:56:41
[servconf.c sshd_config.5]
Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@
- dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
- stevesk@cvs.openbsd.org 2006/07/20 15:26:15
[auth1.c serverloop.c session.c sshconnect2.c]
missed some needed #include <unistd.h> when KERBEROS5=no; issue from
massimo@cedoc.mo.it
- dtucker@cvs.openbsd.org 2006/07/21 12:43:36
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
- stevesk@cvs.openbsd.org 2006/07/21 21:13:30
[channels.c]
more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
- stevesk@cvs.openbsd.org 2006/07/21 21:26:55
[progressmeter.c]
ARGSUSED for signal handler
- stevesk@cvs.openbsd.org 2006/07/22 19:08:54
[includes.h moduli.c progressmeter.c scp.c sftp-common.c]
[sftp-server.c ssh-agent.c sshlogin.c]
move #include <time.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/22 20:48:23
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
[auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
[authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
[cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
[compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
[includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
[mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
[monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
[progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
[session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
move #include <string.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/23 01:11:05
[auth.h dispatch.c kex.h sftp-client.c]
#include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
move
- (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
[gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
[servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
[ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
[openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
[openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
[openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
[openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
[openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
make the portable tree compile again - sprinkle unistd.h and string.h
back in. Don't redefine __unused, as it turned out to be used in
headers on Linux, and replace its use in auth-pam.c with ARGSUSED
- (djm) [openbsd-compat/glob.c]
Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
on OpenBSD (or other platforms with a decent glob implementation) with
-Werror
- (djm) [uuencode.c]
Add resolv.h, as it contains the prototypes for __b64_ntop/__b64_pton on
some platforms
- (djm) [session.c]
fix compile error with -Werror -Wall: 'path' is only used in
do_setup_env() if HAVE_LOGIN_CAP is not defined
- (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
[openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
[openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
[openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
[openbsd-compat/rresvport.c]
These look to need string.h and/or unistd.h (based on a grep for function
names)
- (djm) [Makefile.in]
Remove generated openbsd-compat/regress/Makefile in distclean target
- (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
[regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
Sync regress tests to -current; include dtucker@'s new cfgmatch and
forcecommand tests. Add cipher-speed.sh test (not linked in yet)
- (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
system headers before defines.h will cause conflicting definitions.
- (dtucker) [regress/forcecommand.sh] Portablize.
20060713
- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
20060712
- (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old
Linuxes and probably more.
- (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
for SHUT_RD.
- (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
<netinet/ip.h>.
- (dtucker) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2006/07/10 16:01:57
[sftp-glob.c sftp-common.h sftp.c]
buffer.h only needed in sftp-common.h and remove some unneeded
user includes; ok djm@
- jmc@cvs.openbsd.org 2006/07/10 16:04:21
[sshd.8]
s/and and/and/
- stevesk@cvs.openbsd.org 2006/07/10 16:37:36
[readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
auth.c packet.c log.c]
move #include <stdarg.h> out of includes.h; ok markus@
- dtucker@cvs.openbsd.org 2006/07/11 10:12:07
[ssh.c]
Only copy the part of environment variable that we actually use. Prevents
ssh bailing when SendEnv is used and an environment variable with a really
long value exists. ok djm@
- markus@cvs.openbsd.org 2006/07/11 18:50:48
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
channels.h readconf.c]
add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc
- stevesk@cvs.openbsd.org 2006/07/11 20:07:25
[scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
move #include <errno.h> out of includes.h; ok markus@
- stevesk@cvs.openbsd.org 2006/07/11 20:16:43
[ssh.c]
cast asterisk field precision argument to int to remove warning;
ok markus@
- stevesk@cvs.openbsd.org 2006/07/11 20:27:56
[authfile.c ssh.c]
need <errno.h> here also (it's also included in <openssl/err.h>)
- dtucker@cvs.openbsd.org 2006/07/12 11:34:58
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
- (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
- (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
- (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
- (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
- (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
openbsd-compat/rresvport.c] More errno.h.
20060711
- (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
include paths.h. Fixes build error on Solaris.
- (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
others).
20060710
- (dtucker) [INSTALL] New autoconf version: 2.60.
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2006/06/14 10:50:42
[sshconnect.c]
limit the number of pre-banner characters we will accept; ok markus@
- djm@cvs.openbsd.org 2006/06/26 10:36:15
[clientloop.c]
mention optional bind_address in runtime port forwarding setup
command-line help. patch from santhi.amirta AT gmail.com
- stevesk@cvs.openbsd.org 2006/07/02 17:12:58
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
more details and clarity for tun(4) device forwarding; ok and help
jmc@
- stevesk@cvs.openbsd.org 2006/07/02 18:36:47
[gss-serv-krb5.c gss-serv.c]
no "servconf.h" needed here
(gss-serv-krb5.c change not applied, portable needs the server options)
- stevesk@cvs.openbsd.org 2006/07/02 22:45:59
[groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
move #include <grp.h> out of includes.h
(portable needed uidswap.c too)
- stevesk@cvs.openbsd.org 2006/07/02 23:01:55
[clientloop.c ssh.1]
use -KR[bind_address:]port here; ok djm@
- stevesk@cvs.openbsd.org 2006/07/03 08:54:20
[includes.h ssh.c sshconnect.c sshd.c]
move #include "version.h" out of includes.h; ok markus@
- stevesk@cvs.openbsd.org 2006/07/03 17:59:32
[channels.c includes.h]
move #include <arpa/inet.h> out of includes.h; old ok djm@
(portable needed session.c too)
- stevesk@cvs.openbsd.org 2006/07/05 02:42:09
[canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
[serverloop.c sshconnect.c uuencode.c]
move #include <netinet/in.h> out of includes.h; ok deraadt@
(also ssh-rand-helper.c logintest.c loginrec.c)
- djm@cvs.openbsd.org 2006/07/06 10:47:05
[servconf.c servconf.h session.c sshd_config.5]
support arguments to Subsystem commands; ok markus@
- djm@cvs.openbsd.org 2006/07/06 10:47:57
[sftp-server.8 sftp-server.c]
add commandline options to enable logging of transactions; ok markus@
- stevesk@cvs.openbsd.org 2006/07/06 16:03:53
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
[auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
[auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
[monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
[session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
[ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
[uidswap.h]
move #include <pwd.h> out of includes.h; ok markus@
- stevesk@cvs.openbsd.org 2006/07/06 16:22:39
[ssh-keygen.c]
move #include "dns.h" up
- stevesk@cvs.openbsd.org 2006/07/06 17:36:37
[monitor_wrap.h]
typo in comment
- stevesk@cvs.openbsd.org 2006/07/08 21:47:12
[authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
[monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
[ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
move #include <sys/socket.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/08 21:48:53
[monitor.c session.c]
missed these from last commit:
move #include <sys/socket.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/08 23:30:06
[log.c]
move user includes after /usr/include files
- stevesk@cvs.openbsd.org 2006/07/09 15:15:11
[auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
[readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
[sshlogin.c sshpty.c]
move #include <fcntl.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/09 15:27:59
[ssh-add.c]
use O_RDONLY vs. 0 in open(); no binary change
- djm@cvs.openbsd.org 2006/07/10 11:24:54
[sftp-server.c]
remove optind - it isn't used here
- djm@cvs.openbsd.org 2006/07/10 11:25:53
[sftp-server.c]
don't log variables that aren't yet set
- (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
[openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
[openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
[openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2006/07/10 12:03:20
[scp.c]
duplicate argv at the start of main() because it gets modified later;
pointed out by deraadt@ ok markus@
- djm@cvs.openbsd.org 2006/07/10 12:08:08
[channels.c]
fix misparsing of SOCKS 5 packets that could result in a crash;
reported by mk@ ok markus@
- dtucker@cvs.openbsd.org 2006/07/10 12:46:51
[misc.c misc.h sshd.8 sshconnect.c]
Add port identifier to known_hosts for non-default ports, based originally
on a patch from Devin Nate in bz#910.
For any connection using the default port or using a HostKeyAlias the
format is unchanged, otherwise the host name or address is enclosed
within square brackets in the same format as sshd's ListenAddress.
Tested by many, ok markus@.
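The known_hosts naming rule described in the entry above, as an added example (not OpenSSH's own code). The function names are hypothetical, and the matcher assumes plain comma-separated names with no patterns or hashed entries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_SSH_PORT 22

/* Hypothetical helper: name under which a host key is stored/looked up.
 * Default port or HostKeyAlias: unchanged. Otherwise "[host]:port".
 * Returns a malloc'd string (caller frees) or NULL. */
char *
known_hosts_name(const char *host, unsigned short port, const char *alias)
{
	const char *name = alias != NULL ? alias : host;
	int bare = (alias != NULL || port == DEFAULT_SSH_PORT);
	size_t len;
	char *out;
	int r;

	if (name == NULL || *name == '\0')
		return NULL;
	len = strlen(name) + 9;	/* "[" "]" ":" + 5 digits + NUL */
	if ((out = malloc(len)) == NULL)
		return NULL;
	r = bare ? snprintf(out, len, "%s", name) :
	    snprintf(out, len, "[%s]:%u", name, (unsigned int)port);
	if (r < 0 || (size_t)r >= len) {
		free(out);
		return NULL;
	}
	return out;
}

/* Return 1 if a comma-separated known_hosts host field lists exactly the
 * name this connection uses. Literal comparison only: no patterns, no
 * hashed entries (simplification for this example). */
int
known_hosts_field_matches(const char *field, const char *host,
    unsigned short port, const char *alias)
{
	char *want = known_hosts_name(host, port, alias);
	size_t wl, n;
	int found = 0;

	if (want == NULL)
		return 0;
	wl = strlen(want);
	while (*field != '\0' && !found) {
		n = strcspn(field, ",");
		found = (n == wl && strncmp(field, want, wl) == 0);
		field += n + (field[n] == ',');
	}
	free(want);
	return found;
}
```

A key recorded for "example.com" on the default port does not match a connection to the same host on port 2222, so each non-default port carries its own host key entry.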
- (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
for struct sockaddr on platforms that use the fake-rfc stuff.
20060706
- (dtucker) [configure.ac] Try AIX blibpath test in different order when
compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
configure would not select the correct libpath linker flags.
- (dtucker) [INSTALL] A bit more info on autoconf.
20060705
- (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
target already exists.
20060630
- (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
declaration too. Patch from russ at sludge.net.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
prevents warnings on platforms where _res is in the system headers.
- (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
version.
20060627
- (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
with autoconf 2.60. Patch from vapier at gentoo.org.
20060625
- (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
only, otherwise sshd can hang exiting non-interactive sessions.
20060624
- (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
Works around limitation in Solaris' passwd program for changing passwords
where the username is longer than 8 characters. ok djm@
- (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
#1102 workaround.
20060623
- (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
from reyk@, tested by anil@
- (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
4.3.3 ML3 or so, the AIX pty layer started passing zero-length writes
on the pty slave as zero-length reads on the pty master, which sshd
interprets as the descriptor closing. Since most things don't do zero
length writes this rarely matters, but occasionally it happens, and when
it does the SSH pty session appears to hang, so we add a special case for
this condition. ok djm@
20060613
- (djm) [getput.h] This file has been replaced by functions in misc.c
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2006/05/08 10:49:48
[sshconnect2.c]
uint32_t -> u_int32_t (which we use everywhere else)
(Id sync only - portable already had this)
- markus@cvs.openbsd.org 2006/05/16 09:00:00
[clientloop.c]
missing free; from Kylene Hall
- markus@cvs.openbsd.org 2006/05/17 12:43:34
[scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
fix leak; coverity via Kylene Jo Hall
- miod@cvs.openbsd.org 2006/05/18 21:27:25
[kexdhc.c kexgexc.c]
paramter -> parameter
- dtucker@cvs.openbsd.org 2006/05/29 12:54:08
[ssh_config.5]
Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
- dtucker@cvs.openbsd.org 2006/05/29 12:56:33
[ssh_config]
Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
sample ssh_config. ok markus@
- jmc@cvs.openbsd.org 2006/05/29 16:10:03
[ssh_config.5]
oops - previous was too long; split the list of auths up
- mk@cvs.openbsd.org 2006/05/30 11:46:38
[ssh-add.c]
Sync usage() with man page and reality.
ok deraadt dtucker
- jmc@cvs.openbsd.org 2006/05/29 16:13:23
[ssh.1]
add GSSAPI to the list of authentication methods supported;
- markus@cvs.openbsd.org 2006/06/01 09:21:48
[sshd.c]
call get_remote_ipaddr() early; fixes logging after client disconnects;
report mpf@; ok dtucker@
- markus@cvs.openbsd.org 2006/06/06 10:20:20
[readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm
- markus@cvs.openbsd.org 2006/06/08 14:45:49
[readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
do not set the gid, noted by solar; ok djm
- djm@cvs.openbsd.org 2006/06/13 01:18:36
[ssh-agent.c]
always use a format string, even when printing a constant
- djm@cvs.openbsd.org 2006/06/13 02:17:07
[ssh-agent.c]
revert; i am on drugs. spotted by alexander AT beard.se
20060521
- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
and slave, we can remove the special-case handling in the audit hook in
auth_log.
20060517
- (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
pointer leak. From kjhall at us.ibm.com, found by coverity.
20060515
- (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
_res, prevents problems on some platforms that have _res as a global but
don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
georg.schwarz at freenet.de, ok djm@.
- (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
default. Patch originally from tim@, ok djm
- (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails. ok djm@
20060506
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/04/25 08:02:27
[authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
Prevent ssh from trying to open private keys with bad permissions more than
once or prompting for their passphrases (which it subsequently ignores
anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
- djm@cvs.openbsd.org 2006/05/04 14:55:23
[dh.c]
tighter DH exponent checks here too; feedback and ok markus@
- djm@cvs.openbsd.org 2006/04/01 05:37:46
[OVERVIEW]
$OpenBSD$ in here too
- dtucker@cvs.openbsd.org 2006/05/06 08:35:40
[auth-krb5.c]
Add $OpenBSD$ in comment here too
20060504
- (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
in Portable-only code; since calloc zeros, remove now-redundant memsets.
Also add a couple of sanity checks. With & ok djm@
20060503
- (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
and double including it on IRIX 5.3 causes problems. From Georg Schwarz,
"no objections" tim@
20060423
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2006/04/01 05:42:20
[scp.c]
minimal lint cleanup (unused crud, and some size_t); ok djm
- djm@cvs.openbsd.org 2006/04/01 05:50:29
[scp.c]
xasprintification; ok deraadt@
- djm@cvs.openbsd.org 2006/04/01 05:51:34
[atomicio.c]
ANSIfy; requested deraadt@
- dtucker@cvs.openbsd.org 2006/04/02 08:34:52
[ssh-keysign.c]
sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
- djm@cvs.openbsd.org 2006/04/03 07:10:38
[gss-genr.c]
GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
by dleonard AT vintela.com. use xasprintf() to simplify code while in
there; "looks right" deraadt@
- djm@cvs.openbsd.org 2006/04/16 00:48:52
[buffer.c buffer.h channels.c]
Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to prospectively check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@
- djm@cvs.openbsd.org 2006/04/16 00:52:55
[atomicio.c atomicio.h]
introduce atomiciov() function that wraps readv/writev to retry
interrupted transfers like atomicio() does for read/write;
feedback deraadt@ dtucker@ stevesk@ ok deraadt@
- djm@cvs.openbsd.org 2006/04/16 00:54:10
[sftp-client.c]
avoid making a tiny 4-byte write to send the packet length of sftp
commands, which would result in a separate tiny packet on the wire by
using atomiciov(writev, ...) to write the length and the command in one
pass; ok deraadt@
- djm@cvs.openbsd.org 2006/04/16 07:59:00
[atomicio.c]
reorder sanity test so that it cannot dereference past the end of the
iov array; well spotted canacar@!
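The three entries above (a writev wrapper that retries, a length prefix and command sent in one pass, and a bounds test ordered before the dereference) illustrated in one added example. This is not OpenSSH's atomiciov(); writev_all, send_framed and MAX_IOV are hypothetical names chosen here.

```c
#include <sys/uio.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define MAX_IOV 8	/* assumed cap for this example */

/* Hypothetical helper: write every byte in src[0..cnt-1], retrying
 * interrupted and short writes. A short return count means failure. */
size_t
writev_all(int fd, const struct iovec *src, int cnt)
{
	struct iovec vec[MAX_IOV], *iov = vec;
	size_t done = 0, rem;
	ssize_t r;

	if (cnt <= 0 || cnt > MAX_IOV) {
		errno = EINVAL;
		return 0;
	}
	memcpy(vec, src, (size_t)cnt * sizeof(*src)); /* caller's array untouched */
	while (cnt > 0) {
		r = writev(fd, iov, cnt);
		if (r == -1 && (errno == EINTR || errno == EAGAIN))
			continue;	/* retry; spins if fd is non-blocking */
		if (r <= 0) {
			if (r == 0)
				errno = EPIPE;
			return done;
		}
		done += (size_t)r;
		/* Test cnt before reading iov[0], so a fully consumed array
		 * is never dereferenced one element past its end. */
		for (rem = (size_t)r; cnt > 0 && rem >= iov[0].iov_len; cnt--)
			rem -= (iov++)->iov_len;
		if (cnt > 0) {
			iov[0].iov_base = (char *)iov[0].iov_base + rem;
			iov[0].iov_len -= rem;
		}
	}
	return done;
}

/* Hypothetical framing helper: 4-byte big-endian length plus payload in
 * one writev(), not a tiny length write followed by the body. */
int
send_framed(int fd, const void *payload, uint32_t len)
{
	unsigned char hdr[4] = { (unsigned char)(len >> 24),
	    (unsigned char)(len >> 16), (unsigned char)(len >> 8), (unsigned char)len };
	struct iovec iov[2] = { { .iov_base = hdr, .iov_len = sizeof(hdr) },
	    { .iov_base = (void *)payload, .iov_len = len } };
	return writev_all(fd, iov, 2) == sizeof(hdr) + (size_t)len ? 0 : -1;
}
```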
- dtucker@cvs.openbsd.org 2006/04/18 10:44:28
[bufaux.c bufbn.c Makefile.in]
Move Buffer bignum functions into their own file, bufbn.c. This means
that sftp and sftp-server (which use the Buffer functions in bufaux.c
but not the bignum ones) no longer need to be linked with libcrypto.
ok markus@
- djm@cvs.openbsd.org 2006/04/20 09:27:09
[auth.h clientloop.c dispatch.c dispatch.h kex.h]
replace the last non-sig_atomic_t flag used in a signal handler with a
sig_atomic_t, unfortunately with some knock-on effects in other (non-
signal) contexts in which it is used; ok markus@
- markus@cvs.openbsd.org 2006/04/20 09:47:59
[sshconnect.c]
simplify; ok djm@
- djm@cvs.openbsd.org 2006/04/20 21:53:44
[includes.h session.c sftp.c]
Switch from using pipes to socketpairs for communication between
sftp/scp and ssh, and between sshd and its subprocesses. This saves
a file descriptor per session and apparently makes userland ppp over
ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
decision on a per-platform basis)
- djm@cvs.openbsd.org 2006/04/22 04:06:51
[uidswap.c]
use setres[ug]id() to permanently revoke privileges; ok deraadt@
(ID Sync only - portable already uses setres[ug]id() whenever possible)
- stevesk@cvs.openbsd.org 2006/04/22 18:29:33
[crc32.c]
remove extra spaces
- (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
sig_atomic_t
20060421
- (djm) [Makefile.in configure.ac session.c sshpty.c]
[contrib/redhat/sshd.init openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
[openbsd-compat/port-linux.h] Add support for SELinux, setting
the execution and TTY contexts. based on patch from Daniel Walsh,
bz #880; ok dtucker@
20060418
- (djm) [canohost.c] Reorder IP options check so that it isn't broken
by mapped addresses; bz #1179 reported by markw wtech-llc.com;
ok dtucker@
20060331
- OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2006/03/27 01:21:18
[xmalloc.c]
we can do the size & nmemb check before the integer overflow check;
evol
- deraadt@cvs.openbsd.org 2006/03/27 13:03:54
[dh.c]
use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
- djm@cvs.openbsd.org 2006/03/27 23:15:46
[sftp.c]
always use a format string for addargs; spotted by mouring@
- deraadt@cvs.openbsd.org 2006/03/28 00:12:31
[README.tun ssh.c]
spacing
- deraadt@cvs.openbsd.org 2006/03/28 01:52:28
[channels.c]
do not accept unreasonable X port numbers; ok djm
- deraadt@cvs.openbsd.org 2006/03/28 01:53:43
[ssh-agent.c]
use strtonum() to parse the pid from the file, and range check it
better; ok djm
- djm@cvs.openbsd.org 2006/03/30 09:41:25
[channels.c]
ARGSUSED for dispatch table-driven functions
- djm@cvs.openbsd.org 2006/03/30 09:58:16
[authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
[monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@
- djm@cvs.openbsd.org 2006/03/30 10:41:25
[ssh.c ssh_config.5]
add percent escape chars to the IdentityFile option, bz #1159 based
on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
- dtucker@cvs.openbsd.org 2006/03/30 11:05:17
[ssh-keygen.c]
Correctly handle truncated files while converting keys; ok djm@
- dtucker@cvs.openbsd.org 2006/03/30 11:40:21
[auth.c monitor.c]
Prevent duplicate log messages when privsep=yes; ok djm@
- jmc@cvs.openbsd.org 2006/03/31 09:09:30
[ssh_config.5]
kill trailing whitespace;
- djm@cvs.openbsd.org 2006/03/31 09:13:56
[ssh_config.5]
remote user escape is %r not %h; spotted by jmc@
20060326
- OpenBSD CVS Sync
- jakob@cvs.openbsd.org 2006/03/15 08:46:44
[ssh-keygen.c]