- (bal) OpenBSD CVS updates:
- markus@cvs.openbsd.org 2000/11/30 22:54:31
[channels.c]
debug->warn if tried to do -R style fwd w/o client requesting this;
ok neils@
- markus@cvs.openbsd.org 2000/11/29 20:39:17
[cipher.c]
des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV
- markus@cvs.openbsd.org 2000/11/30 18:33:05
[ssh-agent.c]
agents must not dump core, ok niels@
- markus@cvs.openbsd.org 2000/11/30 07:04:02
[ssh.1]
T is for both protocols
- markus@cvs.openbsd.org 2000/12/01 00:00:51
[ssh.1]
typo; from green@FreeBSD.org
- markus@cvs.openbsd.org 2000/11/30 07:02:35
[ssh.c]
check -T before isatty()
- provos@cvs.openbsd.org 2000/11/29 13:51:27
[sshconnect.c]
show IP address and hostname when new key is encountered. okay markus@
- markus@cvs.openbsd.org 2000/11/30 22:53:35
[sshconnect.c]
disable agent/x11/port fwding if hostkey has changed; ok niels@
- marksu@cvs.openbsd.org 2000/11/29 21:11:59
[sshd.c]
sshd -D, startup w/o deamon(), for monitoring scripts or inittab;
from handler@sub-rosa.com and eric@urbanrange.com; ok niels@
- (bal) Misplaced #include "includes.h" in bsd-setproctitle.c. Patch by
Shinichi Maruyama <marya@st.jip.co.jp>
I assume the progname patch was finished. I believe stevek is on vacation,
but it passes compiling under Linux and NeXTStep.
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
- markus@cvs.openbsd.org 2000/09/05 02:59:57
[session.c]
print hostname (not hushlogin)
- markus@cvs.openbsd.org 2000/09/05 13:18:48
[authfile.c ssh-add.c]
enable ssh-add -d for DSA keys
- markus@cvs.openbsd.org 2000/09/05 13:20:49
[sftp-server.c]
cleanup
- markus@cvs.openbsd.org 2000/09/06 03:46:41
[authfile.h]
prototype
- deraadt@cvs.openbsd.org 2000/09/07 14:27:56
[ALL]
cleanup copyright notices on all files. I have attempted to be
accurate with the details. everything is now under Tatu's licence
(which I copied from his readme), and/or the core-sdi bsd-ish thing
for deattack, or various openbsd developers under a 2-term bsd
licence. We're not changing any rules, just being accurate.
- markus@cvs.openbsd.org 2000/09/07 14:40:30
[channels.c channels.h clientloop.c serverloop.c ssh.c]
cleanup window and packet sizes for ssh2 flow control; ok niels
- markus@cvs.openbsd.org 2000/09/07 14:53:00
[scp.c]
typo
- markus@cvs.openbsd.org 2000/09/07 15:13:37
[auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c]
[authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h]
[pty.c readconf.c]
some more Copyright fixes
- markus@cvs.openbsd.org 2000/09/08 03:02:51
[README.openssh2]
bye bye
- deraadt@cvs.openbsd.org 2000/09/11 18:38:33
[LICENCE cipher.c]
a few more comments about it being ARC4 not RC4
- markus@cvs.openbsd.org 2000/09/12 14:53:11
[log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c]
multiple debug levels
- markus@cvs.openbsd.org 2000/09/14 14:25:15
[clientloop.c]
typo
- deraadt@cvs.openbsd.org 2000/09/15 01:13:51
[ssh-agent.c]
check return value for setenv(3) for failure, and deal appropriately
- OpenBSD CVS updates:
- markus@cvs.openbsd.org
[sshconnect.c]
copy only ai_addrlen bytes; misiek@pld.org.pl
[auth.c]
accept an empty shell in authentication; bug reported by
chris@tinker.ucr.edu
[serverloop.c]
we don't have stderr for interactive terminal sessions (fcntl errors)
[clientloop.c login.c serverloop.c ssh-agent.c ssh.h sshconnect.c sshd.c]
- pid_t
[session.c]
- remove bogus chan_read_failed. this could cause data
corruption (missing data) at end of a SSH2 session.
- All OpenSSL includes are now unconditionally referenced as
openssl/foo.h
- Pick up formatting changes
- Other minor changed (typecasts, etc) that I missed
[ssh.h atomicio.c]
- int atomicio -> ssize_t (for alpha). ok deraadt@
[auth-rsa.c]
- delay MD5 computation until client sends response, free() early, cleanup.
[cipher.c]
- void* -> unsigned char*, ok niels@
[hostfile.c]
- remove unused variable 'len'. fix comments.
- remove unused variable
[log-client.c log-server.c]
- rename a cpp symbol, to avoid param.h collision
[packet.c]
- missing xfree()
- getsockname() requires initialized tolen; andy@guildsoftware.com
- use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE
[pty.c pty.h]
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
[readconf.c]
- turn off x11-fwd for the client, too.
[rsa.c]
- PKCS#1 padding
[scp.c]
- allow '.' in usernames; from jedgar@fxp.org
[servconf.c]
- typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de
- sync with sshd_config
[ssh-keygen.c]
- enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
[ssh.1]
- Change invalid 'CHAT' loglevel to 'VERBOSE'
[ssh.c]
- suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp
- turn off x11-fwd for the client, too.
[sshconnect.c]
- missing xfree()
- retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp.
- read error vs. "Connection closed by remote host"
[sshd.8]
- ie. -> i.e.,
- do not link to a commercial page..
- sync with sshd_config
[sshd.c]
- no need for poll.h; from bright@wintelcom.net
- log with level log() not fatal() if peer behaves badly.
- don't panic if client behaves strange. ok deraadt@
- make no-port-forwarding for RSA keys deny both -L and -R style fwding
- delay close() of pty until the pty has been chowned back to root
- oops, fix comment, too.
- missing xfree()
- move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too.
(http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907)
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
- create x11 cookie file
- fix pr 1113, fclose() -> pclose(), todo: remote popen()
- version 1.2.3
- Cleaned up
- [auth-rsa.c]
- fix user/1056, sshd keeps restrictions; dbt@meat.net
- [sshconnect.c]
- disable agent fwding for proto 1.3, remove abuse of auth-rsa flags.
- destroy keys earlier
- split key exchange (kex) and user authentication (user-auth), ok: provos@
- [sshd.c]
- no need for poll.h; from bright@wintelcom.net
- disable agent fwding for proto 1.3, remove abuse of auth-rsa flags.
- split key exchange (kex) and user authentication (user-auth), ok: provos@
- [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1]
[scp.c packet.h packet.c login.c log.c canohost.c channels.c]
[hostfile.c sshd_config]
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new
features: sshd allows multiple ListenAddress and Port options. note
that libwrap is not IPv6-ready. (based on patches from
fujiwara@rcac.tdi.co.jp)
- [ssh.c canohost.c]
more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo,
from itojun@
- [channels.c]
listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)
- [packet.h]
allow auth-kerberos for IPv4 only
- [scp.1 sshd.8 servconf.h scp.c]
document -4, -6, and 'ssh -L 2022/::1/22'
- [ssh.c]
'ssh @host' is illegal (null user name), from
karsten@gedankenpolizei.de
- [sshconnect.c]
better error message
- [sshd.c]
allow auth-kerberos for IPv4 only
- Big IPv6 merge:
- Cleanup overrun in sockaddr copying on RHL 6.1
- Replacements for getaddrinfo, getnameinfo, etc based on versions
from patch from KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
- Replacement for missing structures on systems that lack IPv6
- record_login needed to know about AF_INET6 addresses
- Borrowed more code from OpenBSD: rresvport_af and requisites
- [ssh-agent.c]
cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and
dgaudet@arctic.org
- [sshconnect.c]
compare correct version for 1.3 compat mode
- [canohost.c]
fix get_remote_port() and friends for sshd -i;
Holger.Trapp@Informatik.TU-Chemnitz.DE
- [mpaux.c]
make code simpler. no need for memcpy. niels@ ok
- [pty.c]
namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org
fix proto; markus
- [ssh.1]
typo; mark.baushke@solipsa.com
- [channels.c ssh.c ssh.h sshd.c]
type conflict for 'extern Type *options' in channels.c; dot@dotat.at
- [sshconnect.c]
move checking of hostkey into own function.
- [version.h]
OpenSSH-1.2.1
- [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c]
move atomicio into it's own file. wrap all socket write()s which
were doing write(sock, buf, len) != len, with atomicio() calls.
- [auth-skey.c]
fd leak
- [authfile.c]
properly name fd variable
- [channels.c]
display great hatred towards strcpy
- [pty.c pty.h sshd.c]
use openpty() if it exists (it does on BSD4_4)
- [tildexpand.c]
check for ~ expansion past MAXPATHLEN
- Modified helper.c to use new atomicio function.
- Reformat Makefile a little
- Moved RC4 routines from rc4.[ch] into helper.c
- Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX)
- [auth-krb4.c auth-passwd.c auth-skey.c ssh.
move skey-auth from auth-passwd.c to auth-s
- [auth-rsa.c]
warn only about mismatch if key is _used_
warn about keysize-mismatch with log() not
channels.c readconf.c readconf.h ssh.c ssh.
ports are u_short
- [hostfile.c]
indent, shorter warning
- [nchan.c]
use error() for internal errors
- [packet.c]
set loglevel for SSH_MSG_DISCONNECT to log(
serverloop.c
indent
- [ssh-add.1 ssh-add.c ssh.h]
document , reasonable default
- [ssh.1]
CheckHostIP is not available for connects v
- [sshconnect.c]
typo
easier to read client code for passwd and s
turn of checkhostip for proxy connects, sin
- Merged OpenBSD CVS changes:
- [channels.c]
report from mrwizard@psu.edu via djm@ibs.com.au
- [channels.c]
set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au
- [nchan.c]
it's not an error() if shutdown_write failes in nchan.
- [readconf.c]
remove dead #ifdef-0-code
- [readconf.c servconf.c]
strcasecmp instead of tolower
- [scp.c]
progress meter overflow fix from damien@ibs.com.au
- [ssh-add.1 ssh-add.c]
SSH_ASKPASS support
- [ssh.1 ssh.c]
postpone fork_after_authentication until command execution,
request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au
plus: use daemon() for backgrounding
- OpenBSD CVS updates
- [channels.c cipher.c compat.c log-client.c scp.c serverloop.c]
[ssh.h sshd.8 sshd.c]
syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successfull or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failues
* many log() became verbose()
* old behaviour with level=VERBOSE
- [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c]
tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE
messages. allows use of s/key in windows (ttssh, securecrt) and
ssh-1.2.27 clients without 'ssh -v', ok: niels@
- [sshd.8]
-V, for fallback to openssh in SSH2 compatibility mode
- [sshd.c]
fix sigchld race; cjc5@po.cwru.edu
- [channels.c]
make this compile, bad markus
- [log.c readconf.c servconf.c ssh.h]
bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.
- [servconf.c]
remove unused index (-Wall)
- [ssh-agent.c]
only one 'extern char *__progname'
- [sshd.8]
document SIGHUP, -Q to synopsis
- [sshconnect.c serverloop.c sshd.c packet.c packet.h]
[channels.c clientloop.c]
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]
- [scp.c] foregroundproc() in scp
- [sshconnect.h] include fingerprint.h
- [sshd.c] bugfix: the log() for passwd-auth escaped during logging
changes.
- Added openssh.com info to README
- [ChangeLog.Ylonen] noone needs this anymore
- [authfd.c] close-on-exec for auth-socket, ok deraadt
- [hostfile.c]
in known_hosts key lookup the entry for the bits does not need
to match, all the information is contained in n and e. This
solves the problem with buggy servers announcing the wrong
modulus length. markus and me.
- [serverloop.c]
bugfix: check for space if child has terminated, from:
iedowse@maths.tcd.ie
- [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c]
[fingerprint.c fingerprint.h]
rsa key fingerprints, idea from Bjoern Groenvall <bg@sics.se>
- [ssh-agent.1] typo
- [ssh.1] add OpenSSH information to AUTHOR section. okay markus@
- [sshd.c]
force logging to stderr while loading private key file
(lost while converting to new log-levels)
- [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c]
[mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c]
the keysize of rsa-parameter 'n' is passed implizit,
a few more checks and warnings about 'pretended' keysizes.
- [cipher.c cipher.h packet.c packet.h sshd.c]
remove support for cipher RC4
- [ssh.c]
a note for legay systems about secuity issues with permanently_set_uid(),
the private hostkey and ptrace()
- [sshconnect.c]
more detailed messages about adding and checking hostkeys
[auth-krb4.c]
- disconnect if getpeername() fails
- missing xfree(*client)
[canohost.c]
- disconnect if getpeername() fails
- fix comment: we _do_ disconnect if ip-options are set
[sshd.c]
- disconnect if getpeername() fails
- move checking of remote port to central place
[auth-rhosts.c] move checking of remote port to central place
[log-server.c] avoid extra fd per sshd, from millert@
[readconf.c] print _all_ bad config-options in ssh(1), too
[readconf.h] print _all_ bad config-options in ssh(1), too
[ssh.c] print _all_ bad config-options in ssh(1), too
[sshconnect.c] disconnect if getpeername() fails
- OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it.
- [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c]
[ssh.c ssh.h sshconnect.c sshd.c]
make all access to options via 'extern Options options'
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary
- [mpaux.c] clear temp buffer
- [servconf.c] print _all_ bad options found in configfile
- Build fixes
- Autoconf
- Change binary names to open*
- Fixed autoconf script to detect PAM on RH6.1
- Added tests for libpwdb, and OpenBSD functions to autoconf (not used yet)