This repository has been archived by the owner on Sep 20, 2023. It is now read-only.
ChangeLog
20140313
- (djm) Release OpenSSH 6.6
20140304
- OpenBSD CVS Sync
- [email protected] 2014/03/03 22:22:30
[session.c]
ignore environment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
20140301
- (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
no moduli file exists at the expected location.
20140228
- OpenBSD CVS Sync
- [email protected] 2014/02/27 00:41:49
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
- [email protected] 2014/02/27 08:25:09
[bufbn.c]
off by one in range check
- [email protected] 2014/02/27 22:47:07
[sshd_config.5]
bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@
- [email protected] 2014/02/27 22:57:40
[version.h]
openssh-6.6
- [email protected] 2014/01/19 23:43:02
[regress/sftp-chroot.sh]
Don't use -q on sftp as it suppresses logging, instead redirect the
output to the regress logfile.
- [email protected] 2014/01/20 00:00:30
[regress/sftp-chroot.sh]
append to rather than truncating the log file
- [email protected] 2014/01/25 04:35:32
[regress/Makefile regress/dhgex.sh]
Add a test for DH GEX sizes
- [email protected] 2014/01/26 10:22:10
[regress/cert-hostkey.sh]
automatically generate revoked keys from listed keys rather than
manually specifying each type; from portable
(Id sync only)
- [email protected] 2014/01/26 10:49:17
[scp-ssh-wrapper.sh scp.sh]
make sure $SCP is tested on the remote end rather than whichever one
happens to be in $PATH; from portable
(Id sync only)
- [email protected] 2014/02/27 20:04:16
[login-timeout.sh]
remove any existing LoginGraceTime from sshd_config before adding
a specific one for the test back in
- [email protected] 2014/02/27 21:21:25
[agent-ptrace.sh agent.sh]
keep return values that are printed in error messages;
from portable
(Id sync only)
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers
- (djm) [regress/host-expand.sh] Add RCS Id
20140227
- OpenBSD CVS Sync
- [email protected] 2014/02/26 20:18:37
[ssh.c]
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
ok dtucker@ markus@
- [email protected] 2014/02/26 20:28:44
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
- [email protected] 2014/02/26 20:29:29
[channels.c]
don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
- [email protected] 2014/02/26 21:53:37
[sshd.c]
ssh_gssapi_prepare_supported_oids needs GSSAPI
20140224
- OpenBSD CVS Sync
- [email protected] 2014/02/07 06:55:54
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
- [email protected] 2014/02/15 23:05:36
[channels.c]
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@
- [email protected] 2014/02/22 01:32:19
[readconf.c]
when processing Match blocks, skip 'exec' clauses if previous predicates
failed to match; ok markus@
- [email protected] 2014/02/23 20:03:42
[ssh-ed25519.c]
check for unsigned overflow; not reachable in OpenSSH but others might
copy our code...
- [email protected] 2014/02/23 20:11:36
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
    CanonicalizeHostname yes
    CanonicalDomains int.example.org example.org
    CanonicalizeFallbackLocal no
    Host *.int.example.org
        Compression off
    Host *.example.org
        User djm
ok markus@
20140213
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
20140207
- OpenBSD CVS Sync
- [email protected] 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
while here, fix ordering in usage(); requested by jmc@
- [email protected] 2014/02/06 22:21:01
[sshconnect.c]
in ssh_create_socket(), only do the getaddrinfo for BindAddress when
BindAddress is actually specified. Fixes regression in 6.5 for
UsePrivilegedPort=yes; patch from Corinna Vinschen
20140206
- (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
before freeing since free(NULL) is a no-op. ok djm.
- (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
__NR_shutdown; some go via the socketcall(2) multiplexer.
20140205
- (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
headers/libc but not supported by the kernel. Patch from Loganaden
Velvindron @ AfriNIC
20140204
- OpenBSD CVS Sync
- [email protected] 2014/01/27 18:58:14
[Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
replace openssl HMAC with an implementation based on our ssh_digest_*
ok and feedback djm@
- [email protected] 2014/01/27 19:18:54
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
replace openssl MD5 with our ssh_digest_*; ok djm@
- [email protected] 2014/01/27 20:13:46
[digest.c digest-openssl.c digest-libc.c Makefile.in]
rename digest.c to digest-openssl.c and add libc variant; ok djm@
- [email protected] 2014/01/28 14:13:39
[ssh-keyscan.1]
kill some bad Pa;
From: Jan Stary
- [email protected] 2014/01/29 00:19:26
[sshd.c]
use kill(0, ...) instead of killpg(0, ...); on most operating systems
they are equivalent, but SUSv2 describes the latter as having undefined
behaviour; from portable; ok dtucker
(Id sync only; change is already in portable)
- [email protected] 2014/01/29 06:18:35
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
- [email protected] 2014/01/29 14:04:51
[sshd_config.5]
document kbdinteractiveauthentication;
requested From: Ross L Richardson
dtucker/markus helped explain its workings;
- [email protected] 2014/01/30 22:26:14
[sandbox-systrace.c]
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable
(Id sync only; change is already in portable)
- [email protected] 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker
- [email protected] 2014/02/02 03:44:32
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c]
convert memset of potentially-private data to explicit_bzero()
- [email protected] 2014/02/03 23:28:00
[ssh-ecdsa.c]
fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
DSA_SIG_new. Reported by Batz Spear; ok markus@
- [email protected] 2014/02/02 03:44:31
[digest-libc.c digest-openssl.c]
convert memset of potentially-private data to explicit_bzero()
- [email protected] 2014/02/04 00:24:29
[ssh.c]
delay lowercasing of hostname until right before hostname
canonicalisation to unbreak case-sensitive matching of ssh_config;
reported by Ike Devolder; ok markus@
- (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
- (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
20140131
- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.
- (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes
build with HP-UX's compiler. Patch from Kevin Brott.
- (tim) [Makefile.in] build regress/setuid-allow.
20140130
- (djm) [configure.ac] Only check for width-specified integer types
in headers that actually exist. patch from Tom G. Christensen;
ok dtucker@
- (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
different symbols for 'read' when various compiler flags are
in use, causing atomicio.c comparisons against it to break and
read/write operations to hang; ok dtucker
- (djm) Release openssh-6.5p1
20140129
- (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
Tom G. Christensen
20140128
- (djm) [configure.ac] Search for inet_ntop in libnsl and libresolv;
ok dtucker
- (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
latter being specified to have undefined behaviour in SUSv3;
ok dtucker
- (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
when used as an error message inside an if statement so we display the
correct info. agent.sh patch from Petr Lautrbach.
20140127
- (dtucker) [Makefile.in] Remove trailing backslash which some make
implementations (eg older Solaris) do not cope with.
20140126
- OpenBSD CVS Sync
- [email protected] 2014/01/25 10:12:50
[cipher.c cipher.h kex.c kex.h kexgexc.c]
Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@
- [email protected] 2014/01/25 20:35:37
[kex.c]
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha
- (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
libc will attempt to open additional file descriptors for crypto
offload and crash if they cannot be opened.
- (djm) [configure.ac] correct AC_DEFINE for previous.
20140125
- (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
- (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
sys/capability.h exists and cap_rights_limit is in libc. Fixes
build on FreeBSD9x which provides the header but not the libc
support.
- (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test
against the correct thing.
20140124
- (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make
the scp regress test actually test the built scp rather than the one
in $PATH. ok dtucker@
20140123
- (tim) [session.c] Improve error reporting on set_id().
- (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously
incompatible with OpenBSD's despite post-dating it by more than a decade.
Declare it as broken, and document FreeBSD's as the same. ok djm@
20140122
- (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a
platform that is expected to use the reuse-argv style setproctitle
hack surprises us by providing a setproctitle in libc; ok dtucker
- (djm) [configure.ac] Unless specifically requested, only attempt
to build Position Independent Executables on gcc >= 4.x; ok dtucker
- (djm) [configure.ac aclocal.m4] More tests to detect fallout from
platform hardening options: include some long long int arithmetic
to detect missing support functions for -ftrapv in libgcc and
equivalents, actually test linking when -ftrapv is supplied and
set either both -pie/-fPIE or neither. feedback and ok dtucker@
20140121
- (dtucker) [configure.ac] Make PIE a configure-time option which defaults
to on platforms where it's known to be reliably detected and off elsewhere.
Works around platforms such as FreeBSD 9.1 where it does not interop with
-ftrapv (it seems to work but fails when trying to link ssh). ok djm@
- (dtucker) [aclocal.m4] Differentiate between compile-time and link-time
tests in the configure output. ok djm.
- (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced
with sftp chroot support. Move set_id call after chroot.
- (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE
and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of
detecting toolchain-related problems; ok dtucker
20140120
- (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos
implementation does not have krb5_cc_new_unique, similar to what we do
in auth-krb5.c.
- (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that
skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
- (djm) OpenBSD CVS Sync
- [email protected] 2014/01/20 00:08:48
[digest.c]
memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
20140119
- (dtucker) OpenBSD CVS Sync
- [email protected] 2014/01/17 06:23:24
[sftp-server.c]
fix log message statvfs. ok djm
- [email protected] 2014/01/18 09:36:26
[session.c]
explicitly define USE_PIPES to 1 to prevent redefinition warnings in
portable on platforms that use pipes for everything. From vinschen at
redhat.
- [email protected] 2014/01/19 04:17:29
[canohost.c addrmatch.c]
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
the ip options, both to prevent signed/unsigned comparison warnings.
Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
- [email protected] 2014/01/19 04:48:08
[ssh_config.5]
fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
- [email protected] 2014/01/19 11:21:51
[addrmatch.c]
Cast the sizeof to socklen_t so it'll work even if the supplied len is
negative. Suggested by and ok djm, ok deraadt.
20140118
- (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch
from vinschen at redhat.com
- (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function
declarations that stopped being included when we stopped including
<windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at
redhat.com.
- (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,
optind) are defined in getopt.h already. Unfortunately they are defined as
"declspec(dllimport)" for historical reasons, because the GNU linker didn't
allow auto-import on PE/COFF targets way back when. The problem is the
dllexport attributes collide with the definitions in the various source
files in OpenSSH, which obviously define the variables without
declspec(dllimport). The least intrusive way to get rid of these warnings
is to disable warnings for GCC compiler attributes when building on Cygwin.
Patch from vinschen at redhat.com.
- (dtucker) [sandbox-capsicum.c] Correct some error messages and make the
return value check for cap_enter() consistent with the other uses in
FreeBSD. From Loganaden Velvindron @ AfriNIC via bz#2140.
20140117
- (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain
hardening flags including -fstack-protector-strong. These default to on
if the toolchain supports them, but there is a configure-time knob
(--without-hardening) to disable them if necessary. ok djm@
- (djm) [sftp-client.c] signed/unsigned comparison fix
- (dtucker) [loginrec.c] Cast to the types specified in the format
specification to prevent warnings.
- (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
- (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
- (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include
includes.h to pull in all of the compatibility stuff.
- (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside
#ifdef HAVE_STDINT_H.
- (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that
don't have them.
- (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into
separate lines and alphabetize for easier diffing of changes.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2014/01/17 00:21:06
[sftp-client.c]
signed/unsigned comparison warning fix; from portable (Id sync only)
- [email protected] 2014/01/17 05:26:41
[digest.c]
remove unused includes. ok djm@
- (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
- (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c
openbsd-compat/openssl-compat.h] Add compatibility layer for older
openssl versions. ok djm@
- (dtucker) Fix typo in #ifndef.
- (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
to be useful (and for the regression tests to pass) on platforms that
have statfs and fstatfs. ok djm@
- (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we
need them to cut down on the name collisions.
- (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.
- (dtucker) [configure.ac] Have --without-hardening not turn off
stack-protector since that has a separate flag that's been around a while.
- (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on
Solaris.
- (dtucker) [defines.h] Move our definitions of uintXX_t types down to after
they're defined if we have to define them ourselves. Fixes builds on old
AIX.
20140118
- (djm) OpenBSD CVS Sync
- [email protected] 2014/01/16 07:31:09
[sftp-client.c]
needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@
- [email protected] 2014/01/16 07:32:00
[version.h]
openssh-6.5
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank RPM spec version numbers.
- (djm) [README] update release notes URL.
20140112
- (djm) OpenBSD CVS Sync
- [email protected] 2014/01/10 05:59:19
[sshd_config]
the /etc/ssh/ssh_host_ed25519_key is loaded by default too
- [email protected] 2014/01/12 08:13:13
[bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
[kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@
20140110
- (djm) OpenBSD CVS Sync
- [email protected] 2014/01/04 17:50:55
[mac.c monitor_mm.c monitor_mm.h xmalloc.c]
use standard types and formats for size_t like variables. ok dtucker
- [email protected] 2014/01/09 03:26:00
[sftp-common.c]
When formatting the time for "ls -l"-style output, show dates in the future
with the year, and rearrange a comparison to avoid a potential signed
arithmetic overflow that would give the wrong result.
ok djm@
- [email protected] 2014/01/09 23:20:00
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
[kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
[kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
[schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@
- [email protected] 2014/01/09 23:26:48
[sshconnect.c sshd.c]
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
20140108
- (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
20131231
- (djm) OpenBSD CVS Sync
- [email protected] 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
20131229
- (djm) [loginrec.c] Check for username truncation when looking up lastlog
entries
- (djm) [regress/Makefile] Add some generated files for cleaning
- (djm) OpenBSD CVS Sync
- [email protected] 2013/12/19 00:10:30
[ssh-add.c]
skip requesting smartcard PIN when removing keys from agent; bz#2187
patch from jay AT slushpupie.com; ok dtucker
- [email protected] 2013/12/19 00:19:12
[serverloop.c]
Cast client_alive_interval to u_int64_t before assigning to
max_time_milliseconds to avoid potential integer overflow in the timeout.
bz#2170, patch from Loganaden Velvindron, ok djm@
- [email protected] 2013/12/19 00:27:57
[auth-options.c]
simplify freeing of source-address certificate restriction
- [email protected] 2013/12/19 01:04:36
[channels.c]
bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.
Diagnosis and fix by ronf AT timeheart.net
- [email protected] 2013/12/19 01:19:41
[ssh-agent.c]
bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
ok dtucker
- [email protected] 2013/12/19 22:57:13
[poly1305.c poly1305.h]
use full name for author, with his permission
- [email protected] 2013/12/21 07:10:47
[ssh-keygen.1]
small typo
- [email protected] 2013/12/27 22:30:17
[ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
make the original RSA and DSA signing/verification code look more like
the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
rather than tediously listing all variants, use __func__ for debug/
error messages
- [email protected] 2013/12/27 22:37:18
[ssh-rsa.c]
correct comment
- [email protected] 2013/12/29 02:28:10
[key.c]
allow ed25519 keys to appear as certificate authorities
- [email protected] 2013/12/29 02:37:04
[key.c]
correct comment for key_to_certified()
- [email protected] 2013/12/29 02:49:52
[key.c]
correct comment for key_drop_cert()
- [email protected] 2013/12/29 04:20:04
[key.c]
to make sure we don't omit any key types as valid CA keys again,
factor the valid key type check into a key_type_is_valid_ca()
function
- [email protected] 2013/12/29 04:29:25
[authfd.c]
allow deletion of ed25519 keys from the agent
- [email protected] 2013/12/29 04:35:50
[authfile.c]
don't refuse to load Ed25519 certificates
- [email protected] 2013/12/29 05:42:16
[ssh.c]
don't forget to load Ed25519 certs too
- [email protected] 2013/12/29 05:57:02
[sshconnect.c]
when showing other hostkeys, don't forget Ed25519 keys
20131221
- (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
20131219
- (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions
greater than 11 either rather than just 11. Patch from Tomas Kuthan.
- (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
Patch from Loganaden Velvindron.
20131218
- (djm) OpenBSD CVS Sync
- [email protected] 2013/12/07 08:08:26
[ssh-keygen.1]
document -a and -o wrt new key format
- [email protected] 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
add missing mentions of ed25519; ok djm@
- [email protected] 2013/12/08 09:53:27
[sshd_config.5]
Use a literal for the default value of KEXAlgorithms. ok deraadt jmc
- [email protected] 2013/12/09 11:03:45
[blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
[ge25519_base.data hash.c sc25519.c sc25519.h verify.c]
Add Authors for the public domain ed25519/nacl code.
see also http://nacl.cr.yp.to/features.html
All of the NaCl software is in the public domain.
and http://ed25519.cr.yp.to/software.html
The Ed25519 software is in the public domain.
- [email protected] 2013/12/09 11:08:17
[crypto_api.h]
remove unused defines
- [email protected] 2013/12/15 18:17:26
[ssh-add.c]
Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page.
ok markus@
- [email protected] 2013/12/15 21:42:35
[cipher-chachapoly.c]
add some comments and constify a constant
- [email protected] 2013/12/17 10:36:38
[crypto_api.h]
I've assembled the header file by cut&pasting from generated headers
and the source files.
20131208
- (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
Vinschen
- (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh]
[regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid
filesystem before running agent-ptrace.sh; ok dtucker
20131207
- (djm) OpenBSD CVS Sync
- [email protected] 2013/12/05 22:59:45
[sftp-client.c]
fix memory leak in error path in do_readdir(); pointed out by
Loganaden Velvindron @ AfriNIC in bz#2163
- [email protected] 2013/12/06 03:40:51
[ssh-keygen.c]
remove duplicated character ('g') in getopt() string;
document the (few) remaining option characters so we don't have to
rummage next time.
- [email protected] 2013/12/06 13:30:08
[authfd.c key.c key.h ssh-agent.c]
move private key (de)serialization to key.c; ok djm
- [email protected] 2013/12/06 13:34:54
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
[ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
default; details in PROTOCOL.key; feedback and lots of help from djm;
ok djm@
- [email protected] 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
[servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
[ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
[sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
[fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
support ed25519 keys (hostkeys and user identities) using the public
domain ed25519 reference code from SUPERCOP, see
http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
- [email protected] 2013/12/06 15:29:07
[sshd.8]
missing comma;
- [email protected] 2013/12/07 00:19:15
[key.c]
set k->cert = NULL after freeing it
- [email protected] 2013/12/06 13:52:46
[regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
[regress/cert-userkey.sh regress/keytype.sh]
test ed25519 support; from djm@
- (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
[ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
- (djm) [Makefile.in] Add ed25519 sources
- (djm) [authfile.c] Conditionalise inclusion of util.h
- (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c]
[openbsd-compat/blf.h openbsd-compat/blowfish.c]
[openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in
portable.
- (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in]
[openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on
Linux
- (djm) [regress/cert-hostkey.sh] Fix merge botch
- (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from
Loganaden Velvindron @ AfriNIC in bz#2179
20131205
- (djm) OpenBSD CVS Sync
- [email protected] 2013/11/21 08:05:09
[ssh_config.5 sshd_config.5]
no need for .Pp before displays;
- [email protected] 2013/11/25 18:04:21
[ssh.1 ssh.c]
improve -Q usage and such. One usage change is that the option is now
case-sensitive
ok dtucker markus djm
- [email protected] 2013/11/26 12:14:54
[ssh.1 ssh.c]
- put -Q in the right place
- Ar was a poor choice for the arguments to -Q. i've chosen an
admittedly equally poor Cm, at least consistent with the rest
of the docs. also no need for multiple instances
- zap a now redundant Nm
- usage() sync
- [email protected] 2013/11/26 19:15:09
[pkcs11.h]
cleanup 1 << 31 idioms. Resurrection of this issue pointed out by
Eitan Adler ok markus for ssh, implies same change in kerberosV
- [email protected] 2013/12/01 23:19:05
[PROTOCOL]
mention [email protected] key exchange algorithm
- [email protected] 2013/12/02 02:50:27
[PROTOCOL.chacha20poly1305]
typo; from Jon Cave
- [email protected] 2013/12/02 02:56:17
[ssh-pkcs11-helper.c]
use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
- [email protected] 2013/12/02 03:09:22
[key.c]
make key_to_blob() return a NULL blob on failure; part of
bz#2175 from Loganaden Velvindron @ AfriNIC
- [email protected] 2013/12/02 03:13:14
[cipher.c]
correct bzero of chacha20+poly1305 key context. bz#2177 from
Loganaden Velvindron @ AfriNIC
Also make it a memset for consistency with the rest of cipher.c
- [email protected] 2013/12/04 04:20:01
[sftp-client.c]
bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
AfriNIC
- [email protected] 2013/12/05 01:16:41
[servconf.c servconf.h]
bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@
- (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
-L location for libedit. Patch from Serge van den Boom.
20131121
- (djm) OpenBSD CVS Sync
- [email protected] 2013/11/08 11:15:19
[bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
[uidswap.c] Include stdlib.h for free() as per the man page.
- [email protected] 2013/11/13 13:48:20
[ssh-pkcs11.c]
add missing braces found by pedro
- [email protected] 2013/11/20 02:19:01
[sshd.c]
delay closure of in/out fds until after "Bad protocol version
identification..." message, as get_remote_ipaddr/get_remote_port
require them open.
- [email protected] 2013/11/20 20:53:10
[scp.c]
unsigned casts for ctype macros where necessary
ok guenther millert markus
- [email protected] 2013/11/20 20:54:10
[canohost.c clientloop.c match.c readconf.c sftp.c]
unsigned casts for ctype macros where necessary
ok guenther millert markus
- [email protected] 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "[email protected]" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganaden Velvindron @ AfriNIC
ok markus@ naddy@
- [email protected] 2013/11/18 05:09:32
[regress/forward-control.sh]
bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
to successfully run this; ok djm@
- [email protected] 2013/11/21 03:15:46
[regress/krl.sh]
add some reminders for additional tests that I'd like to implement
- [email protected] 2013/11/21 03:16:47
[regress/modpipe.c]
use unsigned long long instead of u_int64_t here to avoid warnings
on some systems portable OpenSSH is built on.
- [email protected] 2013/11/21 03:18:51
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
[regress/try-ciphers.sh]
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
encryption ciphers instead of specifying them manually; ensures that
the new [email protected] mode is tested;
ok markus@ and naddy@ as part of the diff to add
20131110
- (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
querying the ones that are compiled in.
20131109
- (dtucker) OpenBSD CVS Sync
- [email protected] 2013/11/09 05:41:34
[regress/test-exec.sh regress/rekey.sh]
Use smaller test data files to speed up tests. Grow test datafiles
where necessary for a specific test.
- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
latter actually works before using it. Fedora (at least) has NID_secp521r1
that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
- (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
- (dtucker) [configure.ac] Add missing "test".
- (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
20131108
- (dtucker) OpenBSD CVS Sync
- [email protected] 2013/11/08 01:06:14
[regress/rekey.sh]
Rekey less frequently during tests to speed them up
- (djm) OpenBSD CVS Sync
- [email protected] 2013/11/07 11:58:27
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
- [email protected] 2013/11/08 00:39:15
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
[clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
[sftp-client.c sftp-glob.c]
use calloc for all structure allocations; from markus@
- [email protected] 2013/11/08 01:38:11
[version.h]
openssh-6.4
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update version numbers following release.
- (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
arc4random_stir for platforms that have arc4random but don't have
arc4random_stir (right now this is only OpenBSD -current).
- (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
EVP_sha256.
- (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
- (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
warnings.
- (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
and pass in TEST_ENV. use stderr to get polluted
and the stderr-data test to fail.
- (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
rather than testing and generating each key, call ssh-keygen -A.
Patch from vinschen at redhat.com.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2013/11/09 05:41:34
[regress/test-exec.sh regress/rekey.sh]
Use smaller test data files to speed up tests. Grow test datafiles
where necessary for a specific test.
20131107
- (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
that got lost in recent merge.
- (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
- (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
- (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
that lack it but have arc4random_uniform()
- (djm) OpenBSD CVS Sync
- [email protected] 2013/11/04 11:51:16
[monitor.c]
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
RCSID sync only; I thought this was a merge botch and fixed it already
- [email protected] 2013/11/06 16:52:11
[monitor_wrap.c]
fix rekeying for AES-GCM modes; ok deraadt
- [email protected] 2013/11/06 23:05:59
[ssh-pkcs11.c]
from portable: s/true/true_val/ to avoid name collisions on dump platforms
RCSID sync only
- (dtucker) OpenBSD CVS Sync
- [email protected] 2013/10/09 23:44:14
[regress/Makefile] (ID sync only)
regression test for sftp request white/blacklisting and readonly mode.
- [email protected] 2013/11/02 22:39:53
[regress/kextype.sh]
- [email protected] 2013/11/04 12:27:42
[regress/rekey.sh]
Test rekeying with all KexAlgorithms.
- [email protected] 2013/11/07 00:12:05
[regress/rekey.sh]
Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
the GCM ciphers.
- [email protected] 2013/11/07 01:12:51
[regress/rekey.sh]
Factor out the data transfer rekey tests
- [email protected] 2013/11/07 02:48:38
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
Use ssh -Q instead of hardcoding lists of ciphers or MACs.
- [email protected] 2013/11/07 03:55:41
[regress/kextype.sh]
Use ssh -Q to get kex types instead of a static list.
- [email protected] 2013/11/07 04:26:56
[regress/kextype.sh]
trailing space
- (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
variable. It's no longer used now that we get the supported MACs from
ssh -Q.
20131104
- (djm) OpenBSD CVS Sync
- [email protected] 2013/11/02 20:03:54
[ssh-pkcs11.c]
support pkcs#11 tokens that only provide x509 certs instead of raw pubkeys;
fixes bz#1908; based on patch from Laurent Barbe; ok djm
- [email protected] 2013/11/02 21:59:15
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
use curve25519 for default key exchange ([email protected]);
initial patch from Aris Adamantiadis; ok djm@
- [email protected] 2013/11/02 22:10:15
[kexdhs.c kexecdhs.c]
no need to include monitor_wrap.h
- [email protected] 2013/11/02 22:24:24
[kexdhs.c kexecdhs.c]
no need to include ssh-gss.h
- [email protected] 2013/11/02 22:34:01
[auth-options.c]
no need to include monitor_wrap.h and ssh-gss.h
- [email protected] 2013/11/02 22:39:19
[ssh_config.5 sshd_config.5]
the default kex is now [email protected]
- [email protected] 2013/11/03 10:37:19
[roaming_common.c]
fix a couple of function definitions foo() -> foo(void)
(-Wold-style-definition)
- (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
KEX/curve25519 change
20131103
- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
From OpenSMTPD where it prevents "implicit declaration" warnings (it's
a no-op in OpenSSH). From chl at openbsd.
- (dtucker) [openbsd-compat/setproctitle.c] Handle error case from the 2nd
vsnprintf. From eric at openbsd via chl@.
- (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
for platforms that don't have them.
20131030
- (djm) OpenBSD CVS Sync
- [email protected] 2013/10/29 09:42:11
[key.c key.h]
fix potential stack exhaustion caused by nested certificates;
report by Mateusz Kocielski; ok dtucker@ markus@
- [email protected] 2013/10/29 09:48:02
[servconf.c servconf.h session.c sshd_config sshd_config.5]
sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
- [email protected] 2013/10/29 18:49:32
[sshd_config.5]
pty(4), not pty(7);
20131026
- (djm) OpenBSD CVS Sync
- [email protected] 2013/10/25 23:04:51
[ssh.c]
fix crash when using ProxyCommand caused by previous commit - was calling
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
20131025
- (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
unnecessary arc4random_stir() calls. The only ones left are to ensure
that the PRNG gets a different state after fork() for platforms that
have broken the API.
20131024
- (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
rather than full client name which may be of form user@REALM;
patch from Miguel Sanders; ok dtucker@
- (djm) OpenBSD CVS Sync
- [email protected] 2013/10/23 05:40:58
[servconf.c]
fix comment
- [email protected] 2013/10/23 23:35:32
[sshd.c]
include local address and port in "Connection from ..." message (only
shown at loglevel>=verbose)
- [email protected] 2013/10/24 00:49:49
[moduli.c]
Periodically print progress and, if possible, expected time to completion
when screening moduli for DH groups. ok deraadt djm
- [email protected] 2013/10/24 00:51:48
[readconf.c servconf.c ssh_config.5 sshd_config.5]
Disallow empty Match statements and add "Match all" which matches
everything. ok djm, man page help jmc@
- [email protected] 2013/10/24 08:19:36
[ssh.c]
fix bug introduced in hostname canonicalisation commit: don't try to
resolve hostnames when a ProxyCommand is set unless the user has forced
canonicalisation; spotted by Iain Morgan
- (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
20131023
- (djm) OpenBSD CVS Sync
- [email protected] 2013/10/20 04:39:28
[ssh_config.5]
document % expansions performed by "Match command ..."
- [email protected] 2013/10/20 06:19:28
[readconf.c ssh_config.5]
rename "command" subclause of the recently-added "Match" keyword to
"exec"; it's shorter, clearer in intent and we might want to add the
ability to match against the command being executed at the remote end in
the future.
- [email protected] 2013/10/20 09:51:26
[scp.1 sftp.1]
add canonicalisation options to -o lists
- [email protected] 2013/10/20 18:00:13
[ssh_config.5]
tweak the "exec" description, as worded by djm;
- [email protected] 2013/10/23 03:03:07
[readconf.c]
Hostname may have %h sequences that should be expanded prior to Match
evaluation; spotted by Iain Morgan
- [email protected] 2013/10/23 03:05:19
[readconf.c ssh.c]
comment
- [email protected] 2013/10/23 04:16:22
[ssh-keygen.c]
Make code match documentation: relative-specified certificate expiry time
should be relative to current time and not the validity start time.