forked from openssh/openssh-portable
ChangeLog
20100303
- (djm) [PROTOCOL.certkeys] Add RCS Ident
20100302
- (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
respectively).
20100301
- (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh] Replace
"echo -n" with "echon" for portability.
- (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
adjust log at verbose only, since according to cjwatson in bug #1470
some virtualization platforms don't allow writes.
20100228
- (djm) [auth.c] On Cygwin, refuse usernames that have differences in
case from that matched in the system password database. On this
platform, passwords are stored case-insensitively, but sshd requires
exact case matching for Match blocks in sshd_config(5). Based on
a patch from vinschen AT redhat.com.
- (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
to make older compilers (gcc 2.95) happy.
20100227
- (djm) [ssh-pkcs11-helper.c] Ensure RNG is initialised and seeded
- (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
variables copied into sshd child processes. From vinschen AT redhat.com
20100226
- OpenBSD CVS Sync
- [email protected] 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
- [email protected] 2010/02/26 20:33:21
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for certified keys
20100224
- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
- (djm) OpenBSD CVS Sync
- [email protected] 2010/02/11 20:37:47
[pathnames.h]
correct comment
- [email protected] 2009/11/09 04:20:04
[regress/Makefile]
add regression test for ssh-keygen pubkey conversions
- [email protected] 2010/01/11 02:53:44
[regress/forwarding.sh]
regress test for stdio forwarding
- [email protected] 2010/02/09 04:57:36
[regress/addrmatch.sh]
clean up droppings
- [email protected] 2010/02/09 06:29:02
[regress/Makefile]
turn on all the malloc(3) checking options when running regression
tests. this has caught a few bugs for me in the past; ok dtucker@
- [email protected] 2010/02/24 06:21:56
[regress/test-exec.sh]
wait for sshd to fully stop in cleanup() function; avoids races in tests
that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
- [email protected] 2010/02/08 10:52:47
[regress/agent-pkcs11.sh]
test for PKCS#11 support (currently disabled)
- (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage
20100212
- (djm) OpenBSD CVS Sync
- [email protected] 2010/02/02 22:49:34
[bufaux.c]
make buffer_get_string_ret() really non-fatal in all cases (it was
using buffer_get_int(), which could fatal() on buffer empty);
ok markus dtucker
- [email protected] 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
replace our obsolete smartcard code with PKCS#11.
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
provider (shared library) while ssh-agent(1) delegates PKCS#11 to
a forked ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
- [email protected] 2010/02/08 22:03:05
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
tweak previous; ok markus
- [email protected] 2010/02/09 00:50:36
[ssh-agent.c]
fallout from PKCS#11: unbreak -D
- [email protected] 2010/02/09 00:50:59
[ssh-keygen.c]
fix -Wall
- [email protected] 2010/02/09 03:56:28
[buffer.c buffer.h]
constify the arguments to buffer_len, buffer_ptr and buffer_dump
- [email protected] 2010/02/09 06:18:46
[auth.c]
unbreak ChrootDirectory+internal-sftp by skipping check for executable
shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
- [email protected] 2010/02/10 23:20:38
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
pkcs#11 is no longer optional; improve wording; ok jmc@
- [email protected] 2010/02/11 13:23:29
[ssh.1]
libarary -> library;
- (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
[scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
Remove obsolete smartcard support
- (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
Make it compile on OSX
- (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
Use ssh_get_progname to fill __progname
- (djm) [configure.ac] Enable PKCS#11 support only when we find a working
dlopen()
20100210
- (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for
getseuserbyname; patch from calebcase AT gmail.com via
cjwatson AT debian.org
20100202
- (djm) OpenBSD CVS Sync
- [email protected] 2010/01/30 21:08:33
[sshd.8]
debug output goes to stderr, not "the system log"; ok markus dtucker
- [email protected] 2010/01/30 21:12:08
[channels.c]
fake local addr:port when stdio forwarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker
20100130
- (djm) OpenBSD CVS Sync
- [email protected] 2010/01/28 00:21:18
[clientloop.c]
downgrade an error() to a debug() - this particular case can be hit in
normal operation for certain sequences of mux slave vs session closure
and is harmless
- [email protected] 2010/01/29 00:20:41
[sshd.c]
set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
ok dtucker@
- [email protected] 2010/01/29 20:16:17
[mux.c]
kill correct channel (was killing already-dead mux channel, not
its session channel)
- [email protected] 2010/01/30 02:54:53
[mux.c]
don't mark channel as read failed if it is already closing; suppresses
harmless error messages when connecting to SSH.COM Tectia server
report by imorgan AT nas.nasa.gov
20100129
- (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
after registering the hardware engines, which causes the openssl.cnf file to
be processed. See OpenSSL's man page for OPENSSL_config(3) for details.
Patch from Solomon Peachy, ok djm@.
20100128
- (djm) OpenBSD CVS Sync
- [email protected] 2010/01/26 02:15:20
[mux.c]
-Wuninitialized and remove a // comment; from portable
(Id sync only)
- [email protected] 2010/01/27 13:26:17
[mux.c]
fix bug introduced in mux rewrite:
In a mux master, when a socket to a mux slave closes before its server
session (as may occur when the slave has been signalled), gracefully
close the server session rather than deleting its channel immediately.
A server may have more messages on that channel to send (e.g. an exit
message) that will fatal() the client if they are sent to a channel that
has been prematurely deleted.
spotted by imorgan AT nas.nasa.gov
- [email protected] 2010/01/27 19:21:39
[sftp.c]
add missing "p" flag to getopt optstring;
bz#1704 from imorgan AT nas.nasa.gov
20100126
- (djm) OpenBSD CVS Sync
- [email protected] 2010/01/17 21:49:09
[ssh-agent.1]
Correct and clarify ssh-add's password asking behavior.
Improved text dtucker and ok jmc
- [email protected] 2010/01/18 01:50:27
[roaming_client.c]
s/long long unsigned/unsigned long long/, from tim via portable
(Id sync only, change already in portable)
- [email protected] 2010/01/26 01:28:35
[channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
rewrite ssh(1) multiplexing code to a more sensible protocol.
The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.
avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.
implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.
add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).
feedback Salvador Fandino, dtucker@
channel changes ok markus@
20100122
- (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
in Cygwin to 65535. Patch from Corinna Vinschen.
20100117
- (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.
- (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions
snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf().
20100116
- (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h
so we correctly detect whether or not we have a native user_from_uid.
- (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid
and group_from_gid.
- (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by
Tim.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2010/01/15 09:24:23
[sftp-common.c]
unused
- (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused
variable warnings.
- (dtucker) [openbsd-compat/openbsd-compat.h] Typo.
- (tim) [regress/portnum.sh] Shell portability fix.
- (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native
getaddrinfo() is too old and limited for addr_pton() in addrmatch.c.
- (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we
use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/
to keep USL compilers happy.
20100115
- (dtucker) OpenBSD CVS Sync
- [email protected] 2010/01/13 12:48:34
[sftp.1 sftp.c]
sftp.1: put ls -h in the right place
sftp.c: as above, plus add -p to get/put, and shorten their arg names
to keep the help usage nicely aligned
ok djm
- [email protected] 2010/01/13 23:47:26
[auth.c]
when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker
- [email protected] 2010/01/14 23:41:49
[sftp-common.c]
use user_from{uid,gid} to look up ids since it keeps a small cache.
ok djm
- [email protected] 2010/01/15 00:05:22
[sftp.c]
Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
inherited SIGTERM as ignored it will still be able to kill the ssh it
starts.
ok dtucker@
- (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no
changes yet but there will be some to come).
- (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c}] Portability
for pwcache. Also, added caching of negative hits.
20100114
- (djm) [platform.h] Add missing prototype for
platform_krb5_get_principal_name
20100113
- (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs.
- (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18:
missing restore of SIGTTOU and some whitespace.
- (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.
- (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.
Fixes bz #1590, where sometimes you could not interrupt a connection while
ssh was prompting for a passphrase or password.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2010/01/13 00:19:04
[sshconnect.c auth.c]
Fix a couple of typos/misspellings in comments
- [email protected] 2010/01/13 01:10:56
[key.c]
Ignore and log any Protocol 1 keys where the claimed size is not equal to
the actual size. Noted by Derek Martin, ok djm@
- [email protected] 2010/01/13 01:20:20
[canohost.c ssh-keysign.c sshconnect2.c]
Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@
- [email protected] 2010/01/13 01:40:16
[sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h]
support '-h' (human-readable units) for sftp's ls command, just like
ls(1); ok dtucker@
- [email protected] 2010/01/13 03:48:13
[servconf.c servconf.h sshd.c]
avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@
- [email protected] 2010/01/13 04:10:50
[sftp.c]
don't append a space after inserting a completion of a directory (i.e.
a path ending in '/') for a slightly better user experience; ok dtucker@
- (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef.
- (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG.
feedback and ok dtucker@
20100112
- (dtucker) OpenBSD CVS Sync
- [email protected] 2010/01/11 01:39:46
[ssh_config channels.c ssh.1 channels.h ssh.c]
Add a 'netcat mode' (ssh -W). This connects stdio on the client to a
single port forward on the server. This allows, for example, using ssh as
a ProxyCommand to route connections via intermediate servers.
bz #1618, man page help from jmc@, ok markus@
- [email protected] 2010/01/11 04:46:45
[authfile.c sshconnect2.c]
Do not prompt for a passphrase if we fail to open a keyfile, and log the
reason the open failed to debug.
bz #1693, found by tj AT castaglia org, ok djm@
- [email protected] 2010/01/11 10:51:07
[ssh-keygen.c]
when converting keys, truncate key comments at 72 chars as per RFC4716;
bz#1630 reported by tj AT castaglia.org; ok markus@
- [email protected] 2010/01/12 00:16:47
[authfile.c]
Fix bug introduced in r1.78 (incorrect brace location) that broke key auth.
Patch from joachim joachimschipper nl.
- [email protected] 2010/01/12 00:58:25
[monitor_fdpass.c]
avoid spinning when fd passing on nonblocking sockets by calling poll()
in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@
- [email protected] 2010/01/12 00:59:29
[roaming_common.c]
delete with extreme prejudice a debug() that fired with every keypress;
ok dtucker deraadt
- [email protected] 2010/01/12 01:31:05
[session.c]
Do not allow logins if /etc/nologin exists but is not readable by the user
logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
- [email protected] 2010/01/12 01:36:08
[buffer.h bufaux.c]
add a buffer_get_string_ptr_ret() that does the same as
buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
- [email protected] 2010/01/12 08:33:17
[session.c]
Add explicit stat so we reliably detect nologin with bad perms.
ok djm markus
20100110
- (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
Remove hacks added for RoutingDomain in preparation for its removal.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2010/01/09 23:04:13
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
Remove RoutingDomain from ssh since it's now not needed. It can be
replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
also ensures that traffic such as DNS lookups stays within the specified
routingdomain. For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
- [email protected] 2010/01/10 03:51:17
[servconf.c]
Add ChrootDirectory to sshd.c test-mode output
- [email protected] 2010/01/10 07:15:56
[auth.c]
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
20100109
- (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
have it.
- (dtucker) [defines.h] define PRIu64 for platforms that don't have it.
- (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef.
- (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name
when using utmpx. Patch from Ed Schouten.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2010/01/09 00:20:26
[sftp-server.c sftp-server.8]
add a 'read-only' mode to sftp-server(8) that disables open in write mode
and all other fs-modifying protocol methods. bz#430 ok dtucker@
- [email protected] 2010/01/09 00:57:10
[PROTOCOL]
tweak language
- [email protected] 2010/01/09 03:36:00
[sftp-server.8]
bad place to forget a comma...
- [email protected] 2010/01/09 05:04:24
[mux.c sshpty.h clientloop.c sshtty.c]
quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
usually don't actually have a tty to read/set; bz#1686 ok dtucker@
- [email protected] 2010/01/09 05:17:00
[roaming_client.c]
Remove a PRIu64 format string that snuck in with roaming. ok djm@
- [email protected] 2010/01/09 11:13:02
[sftp.c]
Prevent sftp from derefing a null pointer when given a "-" without a
command. Also, allow whitespace to follow a "-". bz#1691, patch from
Colin Watson via Debian. ok djm@ deraadt@
- [email protected] 2010/01/09 11:17:56
[sshd.c]
After sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs
itself. Prevents two HUPs in quick succession from resulting in sshd
dying. bz#1692, patch from Colin Watson via Ubuntu.
- (dtucker) [defines.h] Remove now-unneeded PRIu64 define.
20100108
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/10/24 11:11:58
[roaming.h]
Declarations needed for upcoming changes.
ok markus@
- [email protected] 2009/10/24 11:13:54
[sshconnect2.c kex.h kex.c]
Let the client detect if the server supports roaming by looking
for the [email protected] kex algorithm.
ok markus@
- [email protected] 2009/10/24 11:15:29
[clientloop.c]
client_loop() must detect if the session has been suspended and resumed,
and take appropriate action in that case.
From Martin Forssen, maf at appgate dot com
- [email protected] 2009/10/24 11:19:17
[ssh2.h]
Define the KEX messages used when resuming a suspended connection.
ok markus@
- [email protected] 2009/10/24 11:22:37
[roaming_common.c]
Do the actual suspend/resume in the client. This won't be useful until
the server side supports roaming.
Most code from Martin Forssen, maf at appgate dot com. Some changes by
me and markus@
ok markus@
- [email protected] 2009/10/24 11:23:42
[ssh.c]
Request roaming to be enabled if UseRoaming is true and the server
supports it.
ok markus@
- [email protected] 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
ok markus@
- [email protected] 2009/10/28 21:45:08
[sshd_config.5 sftp.1]
tweak previous;
- [email protected] 2009/11/10 02:56:22
[ssh_config.5]
explain the constraints on LocalCommand some more so people don't
try to abuse it.
- [email protected] 2009/11/10 02:58:56
[sshd_config.5]
clarify that StrictModes does not apply to ChrootDirectory. Permissions
and ownership are always checked when chrooting. bz#1532
- [email protected] 2009/11/10 04:30:45
[sshconnect2.c channels.c sshconnect.c]
Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
- [email protected] 2009/11/11 21:37:03
[channels.c channels.h]
fix race condition in x11/agent channel allocation: don't read after
the end of the select read/write fdset and make sure a reused FD
is not touched before the pre-handlers are called.
with and ok djm@
- [email protected] 2009/11/17 05:31:44
[clientloop.c]
fix incorrect exit status when multiplexing and channel ID 0 is recycled
bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
- [email protected] 2009/11/19 23:39:50
[session.c]
bz#1606: error when an attempt is made to connect to a server
with ForceCommand=internal-sftp with a shell session (i.e. not a
subsystem session). Avoids stuck client when attempting to ssh to such a
service. ok dtucker@
- [email protected] 2009/11/20 00:15:41
[session.c]
Warn but do not fail if stat()ing the subsystem binary fails. This helps
with chrootdirectory+forcecommand=sftp-server and restricted shells.
bz #1599, ok djm.
- [email protected] 2009/11/20 00:54:01
[sftp.c]
bz#1588 change "Connecting to host..." message to "Connected to host."
and delay it until after the sftp protocol connection has been established.
Avoids confusing sequence of messages when the underlying ssh connection
experiences problems. ok dtucker@
- [email protected] 2009/11/20 00:59:36
[sshconnect2.c]
Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
- [email protected] 2009/11/20 03:24:07
[misc.c]
correct off-by-one in percent_expand(): we would fatal() when trying
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
work. Note that nothing in OpenSSH actually uses close to this limit at
present. bz#1607 from Jan.Pechanec AT Sun.COM
- [email protected] 2009/11/22 13:18:00
[sftp.c]
make passing of zero-length arguments to ssh safe by
passing "-<switch>" "<value>" rather than "-<switch><value>"
ok dtucker@, guenther@, djm@
- [email protected] 2009/12/06 23:41:15
[sshconnect2.c]
zap unused variable and strlen; from Steve McClellan, ok djm
- [email protected] 2009/12/06 23:53:45
[roaming_common.c]
use socklen_t for getsockopt optlen parameter; reported by
Steve.McClellan AT radisys.com, ok dtucker@
- [email protected] 2009/12/06 23:53:54
[sftp.c]
fix potential divide-by-zero in sftp's "df" output when talking to a server
that reports zero files on the filesystem (Unix filesystems always have at
least the root inode). From Steve McClellan at radisys, ok djm@
- [email protected] 2009/12/11 18:16:33
[key.c]
switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
for the RSA public exponent; discussed with provos; ok djm@
- [email protected] 2009/12/20 07:28:36
[ssh.c sftp.c scp.c]
When passing user-controlled options with arguments to other programs,
pass the option and option argument as separate argv entries and
not smashed into one (e.g., as -l foo and not -lfoo). Also, always
pass a "--" argument to stop option parsing, so that a positional
argument that starts with a '-' isn't treated as an option. This
fixes some error cases as well as the handling of hostnames and
filenames that start with a '-'.
Based on a diff by halex@
ok halex@ djm@ deraadt@
- [email protected] 2009/12/20 23:20:40
[PROTOCOL]
fix an incorrect magic number and typo in PROTOCOL; bz#1688
report and fix from ueno AT unixuser.org
- [email protected] 2009/12/25 19:40:21
[readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@
- [email protected] 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.
NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.
ok markus@ djm@
- [email protected] 2009/12/29 18:03:32
[sshd_config.5 ssh_config.5]
sort previous;
- [email protected] 2010/01/04 01:45:30
[sshconnect2.c]
Don't escape backslashes in the SSH2 banner. bz#1533, patch from
Michal Gorny via Gentoo.
- [email protected] 2010/01/04 02:03:57
[sftp.c]
Implement tab-completion of commands, local and remote filenames for sftp.
Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
Google Summer of Code) and polished to a fine sheen by myself again.
It should deal more-or-less correctly with the ikky corner-cases presented
by quoted filenames, but the UI could still be slightly improved.
In particular, it is quite slow for remote completion on large directories.
bz#200; ok markus@
- [email protected] 2010/01/04 02:25:15
[sftp-server.c]
bz#1566 don't unnecessarily dup() in and out fds for sftp-server;
ok markus@
- [email protected] 2010/01/08 21:50:49
[sftp.c]
Fix two warnings: possibly used uninitialized and use a nul byte instead of
NULL pointer. ok djm@
- (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new
files for roaming and add to Makefile.
- (dtucker) [Makefile.in] .c files do not belong in the OBJ lines.
- (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that
don't have libedit.
- (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make
RoutingDomain an unsupported option on platforms that don't have it.
- (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote
too.
- (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to
be created.
- (dtucker) [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more
to eliminate an unused variable warning.
- (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types.
20091226
- (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
Gzip all man pages. Patch from Corinna Vinschen.
20091221
- (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
Bug #1583: Use system's kerberos principal name on AIX if it's available.
Based on a patch from and tested by Miguel Sanders
20091208
- (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
20091207
- (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
Tested by Martin Paljak.
- (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.
20091121
- (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
Bug 1628. OK dtucker@
20091120
- (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
line arguments as none are supported. Exit when passed unrecognised
commandline flags. bz#1568 from gson AT araneus.fi
20091118
- (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
set IPV6_V6ONLY for local forwarding with GatewayPorts=yes. Unify
setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
bz#1648, report and fix from jan.kratochvil AT redhat.com
- (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
bz#1645, patch from jchadima AT redhat.com
20091107
- (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
keys when built with OpenSSL versions that don't do AES.
20091105
- (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
older versions of OpenSSL.
20091024
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/10/11 23:03:15
[hostfile.c]
mention the host name that we are looking for in check_host_in_hostfile()
- [email protected] 2009/10/17 12:10:39
[sftp-server.c]
sort flags.
- [email protected] 2009/10/22 12:35:53
[ssh.1 ssh-agent.1 ssh-add.1]
use the UNIX-related macros (.At and .Ux) where appropriate.
ok jmc@
- [email protected] 2009/10/22 15:02:12
[ssh-agent.1 ssh-add.1 ssh.1]
write UNIX-domain in a more consistent way; while here, replace a
few remaining ".Tn UNIX" macros with ".Ux" ones.
pointed out by ratchov@, thanks!
ok jmc@
- [email protected] 2009/10/22 22:26:13
[authfile.c]
switch from 3DES to AES-128 for encryption of passphrase-protected
SSH protocol 2 private keys; ok several
- [email protected] 2009/10/23 01:57:11
[sshconnect2.c]
disallow a hostile server from checking jpake auth by sending an
out-of-sequence success message. (doesn't affect code enabled by default)
- [email protected] 2009/10/24 00:48:34
[ssh-keygen.1]
ssh-keygen now uses AES-128 for private keys
- (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
- (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
is enabled set the security context to "sftpd_t" before running the
internal sftp server. Based on a patch from jchadima at redhat.
20091011
- (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
lstat.
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/10/08 14:03:41
[sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt
- [email protected] 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
some tweaks now that protocol 1 is not offered by default; ok markus
- [email protected] 2009/10/11 10:41:26
[sftp-client.c]
d_type isn't portable so use lstat to get dirent modes. Suggested by and
"looks sane" deraadt@
- [email protected] 2009/10/08 18:04:27
[regress/test-exec.sh]
re-enable protocol v1 for the tests.
20091007
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/08/12 00:13:00
[sftp.c sftp.1]
support most of scp(1)'s commandline arguments in sftp(1), as a first
step towards making sftp(1) a drop-in replacement for scp(1).
One conflicting option (-P) has not been changed, pending further
discussion.
Patch from [email protected] as part of his work in the
Google Summer of Code
- [email protected] 2009/08/12 06:31:42
[sftp.1]
sort options;
- [email protected] 2009/08/13 01:11:19
[sftp.1 sftp.c]
Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.
part of larger patch from [email protected] for his Google Summer
of Code work; ok deraadt markus
- [email protected] 2009/08/13 13:39:54
[sftp.1 sftp.c]
sync synopsis and usage();
- [email protected] 2009/08/14 18:17:49
[sftp-client.c]
make the "get_handle: ..." error messages vaguely useful by allowing
callers to specify their own error message strings.
- [email protected] 2009/08/15 18:56:34
[auth.h]
remove unused define. markus@ ok.
(Id sync only, Portable still uses this.)
- [email protected] 2009/08/16 23:29:26
[sshd_config.5]
Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
- [email protected] 2009/08/18 18:36:21
[sftp-client.h sftp.1 sftp-client.c sftp.c]
recursive transfer support for get/put and on the commandline
work mostly by [email protected] for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@
- [email protected] 2009/08/18 21:15:59
[sftp.1]
fix "get" command usage, spotted by jmc@
- [email protected] 2009/08/19 04:56:03
[sftp.1]
ether -> either;
- [email protected] 2009/08/20 23:54:28
[mux.c]
subsystem_flag is defined in ssh.c so it's extern; ok djm
- [email protected] 2009/08/27 17:28:52
[sftp-server.c]
allow setting an explicit umask on the commandline to override whatever
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
- [email protected] 2009/08/27 17:33:49
[ssh-keygen.c]
force use of correct hash function for random-art signature display
as it was inheriting the wrong one when bubblebabble signatures were
activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
ok markus@
- [email protected] 2009/08/27 17:43:00
[sftp-server.8]
allow setting an explicit umask on the commandline to override whatever
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
- [email protected] 2009/08/27 17:44:52
[authfd.c ssh-add.c authfd.h]
Do not fall back to adding keys without constraints (ssh-add -c / -t ...)
when the agent refuses the constrained add request. This was a useful
migration measure back in 2002 when constraints were new, but just
adds risk now.
bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
- [email protected] 2009/08/31 20:56:02
[sftp-server.c]
check correct variable for error message, spotted by martynas@
- [email protected] 2009/08/31 21:01:29
[sftp-server.8]
document -e and -h; prodded by jmc@
- [email protected] 2009/09/01 14:43:17
[ssh-agent.c]
fix a race condition in ssh-agent that could result in a wedged or
spinning agent: don't read off the end of the allocated fd_sets, and
don't issue blocking read/write on agent sockets - just fall back to
select() on retriable read/write errors. bz#1633 reported and tested
by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
- [email protected] 2009/10/01 11:37:33
[dh.c]
fix a cast
ok djm@ markus@
- [email protected] 2009/10/06 04:46:40
[session.c]
bz#1596: fflush(NULL) before exec() to ensure that everything (motd
in particular) has made it out before the streams go away.
- [email protected] 2008/12/07 22:17:48
[regress/addrmatch.sh]
match string "passwordauthentication" only at start of line, not anywhere
in sshd -T output
- [email protected] 2009/05/05 07:51:36
[regress/multiplex.sh]
Always specify ssh_config for multiplex tests: prevents breakage caused
by options in ~/.ssh/config. From Dan Peterson.
- [email protected] 2009/08/13 00:57:17
[regress/Makefile]
regression test for port number parsing. written as part of the a2port
change that went into 5.2 but I forgot to commit it at the time...
- [email protected] 2009/08/13 01:11:55
[regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh
regress/sftp-cmds.sh regress/sftp-glob.sh]
date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.
part of larger patch from [email protected] for his Google Summer
of Code work; ok deraadt markus
- [email protected] 2009/08/20 18:43:07
[regress/ssh-com-sftp.sh]
fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
Silva for Google Summer of Code
- [email protected] 2009/10/06 23:51:49
[regress/ssh2putty.sh]
Add OpenBSD tag to make syncs easier
- (dtucker) [regress/portnum.sh] Import new test.
- (dtucker) [configure.ac sftp-client.c] DTTOIF is in fs/ffs/dir.h on at
least dragonflybsd.
- (dtucker) d_type is not mandated by POSIX, so add fallback code using
stat(), needed on at least cygwin.
20091002
- (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
spotted by des AT des.no
20090926
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update for release
- (djm) [README] update relnotes URL
- (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
- (djm) Release 5.3p1
20090911
- (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
from jbasney at ncsa uiuc edu.
20090908
- (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
(-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
20090901
- (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
krb5-config if it's not in the location specified by --with-kerberos5.
Patch from jchadima at redhat.
20090829
- (dtucker) [README.platform] Add text about development packages, based on
text from Chris Pepper in bug #1631.
20090828
- (dtucker) [auth-sia.c] Roll back the change for bug #1241 as it apparently
causes problems in some Tru64 configurations.
- (djm) [sshd_config.5] downgrade mention of login.conf to be an example
and mention PAM as another provider for ChallengeResponseAuthentication;
bz#1408; ok dtucker@
- (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when
attempting atomic rename(); ok dtucker@
- (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables
in argv, so pass them in the environment; ok dtucker@
- (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
the pty master on Solaris, since it never succeeds and can hang if large
amounts of data are sent to the slave (eg a copy-paste). Based on a patch
originally from Doke Scott, ok djm@
- (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
size a compile-time option and set it to 64k on Cygwin, since Corinna
reports that it makes a significant difference to performance. ok djm@
- (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
20090820
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
using it since the type conflicts can cause problems on FreeBSD. Patch
from Jonathan Chen.
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_session. Based on a patch from David Leonard.
20090817
- (dtucker) [configure.ac] Check for headers before libraries for openssl and
zlib, which should make the errors slightly more meaningful on platforms
where there's separate "-devel" packages for those.
- (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make
PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
20090729
- (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error
function. Patch from Corinna Vinschen.
20090713
- (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
fits into 16 bits to work around a bug in glibc's resolver where it masks
off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
20090712
- (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test,
prevents configure complaining on older BSDs.
- (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch
from Corinna Vinschen.
- (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
logout to after the session close. Patch from Anicka Bernathova,
originally from Andreas Schwab via Novell, ok djm.
20090707
- (dtucker) [contrib/cygwin/ssh-host-config] better support for automated
scripts and fix usage of eval. Patch from Corinna Vinschen.
20090705
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/06/27 09:29:06
[packet.h packet.c]
packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@
- [email protected] 2009/06/27 09:32:43
[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it
to a buffer when roaming is enabled.
Most of this code was written by Martin Forssen, maf at appgate dot com.
ok markus@
- [email protected] 2009/06/27 09:35:06
[readconf.h readconf.c]
Add client option UseRoaming. It doesn't do anything yet but will
control whether the client tries to use roaming if enabled on the
server. From Martin Forssen.
ok markus@
- [email protected] 2009/06/30 14:54:40
[version.h]
crank version; ok deraadt
- [email protected] 2009/07/02 02:11:47
[ssh.c]
allow for long home dir paths (bz #1615). ok deraadt
(based in part on a patch from jchadima at redhat)
- [email protected] 2009/07/05 19:28:33
[clientloop.c]
only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@
ok deraadt@ markus@
20090622
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/06/22 05:39:28
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
alphabetize includes; reduces diff vs portable and style(9).
ok stevesk djm
(Id sync only; these were already in order in -portable)
20090621
- (dtucker) OpenBSD CVS Sync
- [email protected] 2009/03/17 21:37:00
[ssh.c]
pass correct argv[0] to openlog(); ok djm@
- [email protected] 2009/03/19 15:15:09
[ssh.1]
for "Ciphers", just point the reader to the keyword in ssh_config(5), just
as we do for "MACs": this stops us getting out of sync when the lists
change;
fixes documentation/6102, submitted by Peter J. Philipp
alternative fix proposed by djm
ok markus
- [email protected] 2009/03/23 08:31:19
[ssh-agent.c]
Fixed a possible out-of-bounds memory access if the environment variable
SHELL is shorter than 3 characters.
with input by and ok dtucker
- [email protected] 2009/03/23 19:38:04
[ssh-agent.c]
My previous commit didn't fix the problem at all, so stick at my first
version of the fix presented to dtucker.
Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
ok dtucker
- [email protected] 2009/03/26 08:38:39
[sftp-server.8 sshd.8 ssh-agent.1]
fix a few typographical errors found by spell(1).
ok dtucker@, jmc@
- [email protected] 2009/04/13 19:07:44
[sshd_config.5]
fix possessive; ok djm@