343098 |
16-Jan-2019 |
emaste |
MFC r343043: scp: disallow empty or current directory
Obtained from: OpenBSD scp.c 1.198 Security: CVE-2018-20685 Sponsored by: The FreeBSD Foundation |
324137 |
30-Sep-2017 |
ngie |
MFC r314601: r314601 (by des):
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. |
323124 |
01-Sep-2017 |
des |
Upgrade OpenSSH to 7.3p1.
This is the last version of OpenSSH which does not break compatibility more than we can live with in a stable branch. Further commits will follow to backport some bug fixes from newer versions.
The sshd breakage in the previous attempt was due to an upstream bug (a 0 was changed to a 1 while refactoring send_rexec_state() in sshd.c) which only manifested itself when sshd was built with SSH 1 support.
Approved by: re@ |
323121 |
01-Sep-2017 |
des |
Revert OpenSSH 7.3p1; something went wrong between testing and committing.
Approved by: re@ |
323120 |
01-Sep-2017 |
des |
Upgrade OpenSSH to 7.3p1.
This is the last version of OpenSSH which does not break compatibility more than we can live with in a stable branch. Further commits will follow to backport some bug fixes from newer versions.
Approved by: re@ |
322341 |
10-Aug-2017 |
delphij |
Apply upstream fix:
Skip passwords longer than 1k in length so clients can't easily DoS sshd by sending very long passwords, causing it to spend CPU hashing them. feedback djm@, ok markus@.
Brought to our attention by tomas.kuthan at oracle.com, shilei-c at 360.cn and coredump at autistici.org
Security: CVE-2016-6515 Security: FreeBSD-SA-17:06.openssh |
313234 |
04-Feb-2017 |
ngie |
MFC r311585:
Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no
This will unbreak the build if libwrap has been removed from the system
PR: 210141 |
311915 |
11-Jan-2017 |
delphij |
MFC r311914: MFV r311913:
Fix multiple OpenSSH vulnerabilities.
Submitted by: des Approved by: so |
308199 |
02-Nov-2016 |
delphij |
MFC r308197: MFV r308196:
Fix OpenSSH remote Denial of Service vulnerability.
Security: CVE-2016-8858 |
296781 |
12-Mar-2016 |
des |
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679 Security: CVE-2016-3115 |
295367 |
07-Feb-2016 |
des |
MFH (r265214, r294333, r294407, r294467): misc prop fixes
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb) Relnotes: yes |
294693 |
24-Jan-2016 |
des |
MFH (r291198, r291260, r291261, r291375, r294325, r294335, r294563)
Remove the HPN and None cipher patches. |
294666 |
24-Jan-2016 |
des |
MFH (r263234, r263691, r266465, r290671, r290672, r290673, r290674, r294320, r294322, r294324, r294330, r294469, r294494, r294466)
Reduce diffs to head in preparation for removing HPN and None. |
294193 |
16-Jan-2016 |
des |
MFH (r292408): use correct length in calloc() call |
294049 |
14-Jan-2016 |
glebius |
Merge r294048: fix OpenSSH client information leak.
Security: SA-16:07.openssh Security: CVE-2016-0777 |
287144 |
25-Aug-2015 |
delphij |
MFC: Fix OpenSSH multiple vulnerabilities.
Security: FreeBSD-SA-15:22.openssh |
285976 |
28-Jul-2015 |
delphij |
Fix patch(1) shell injection vulnerability. [SA-15:14]
Fix resource exhaustion in TCP reassembly. [SA-15:15]
Fix OpenSSH multiple vulnerabilities. [SA-15:16] |
285750 |
21-Jul-2015 |
vangyzen |
MFC r285642
ssh: canonicize the host name before looking it up in the host file
Re-apply r99054 by des in 2002. This was accidentally dropped by the update to OpenSSH 6.5p1 (r261320).
This change is actually taken from r387082 of ports/security/openssh-portable/files/patch-ssh.c
Differential Revision: https://reviews.freebsd.org/D3103 PR: 198043 Approved by: re (gjb), kib (mentor) Sponsored by: Dell Inc. Relnotes: yes |
284950 |
30-Jun-2015 |
des |
MFH (r283578): import new moduli from upstream |
281893 |
23-Apr-2015 |
bdrewery |
MFC r280999:
Use proper CHAN_TCP_PACKET_DEFAULT for agent forwarding when HPN disabled. |
281185 |
07-Apr-2015 |
bdrewery |
MFC r280360:
Document "none" for VersionAddendum. |
280250 |
19-Mar-2015 |
rwatson |
Merge an applicable subset of r263234 from HEAD to stable/10:
Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a vendor import sometime in the next week or two.
Note that a significant fraction does not apply, as FreeBSD 10 doesn't contain a Capsicumised ping, casperd, libcasper, etc. When these features are merged, the capsicum.h change will need to be merged with them.
Sponsored by: Google, Inc. |
264692 |
20-Apr-2014 |
des |
MFH (r264691): merge upstream patch for EC calculation bug |
264377 |
12-Apr-2014 |
des |
MFH (r263712): upgrade openssh to 6.6p1
MFH (r264308): restore p level in debugging output |
262718 |
03-Mar-2014 |
delphij |
MFC r261499 (pjd):
Fix installations that use kernels without CAPABILITIES support. |
262566 |
27-Feb-2014 |
des |
MFH (r261320): upgrade openssh to 6.5p1
MFH (r261340): enable sandboxing by default |
259073 |
07-Dec-2013 |
peter |
Hoist all the mergeinfo up to the root in preparation for enforcing merges to the root only. All MFC's were rerecorded to the root.
Going forward, if an MFC includes mergeinfo, it will need to be made to the root and committed from the root. Merges with --ignore-ancestry or diff | patch can go anywhere.
The mergeinfo in HEAD is in a bad state from years of neglect and manual tampering and this was branched into 10.x. This confuses the coalescing code and prevents it from doing its job.
Approved by: re (gjb, implicit) |
258343 |
19-Nov-2013 |
des |
MFH (r257954): upgrade to OpenSSH 6.4p1
Approved by: re (kib) |
258335 |
19-Nov-2013 |
des |
Pre-zero the MAC context.
Security: CVE-2013-4548 Security: FreeBSD-SA-13:14.openssh Approved by: re (implicit) |
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
255829 |
23-Sep-2013 |
des |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise.
Approved by: re (marius)
|
255774 |
21-Sep-2013 |
des |
Pull in all the OpenSSH bits that we'd previously left out because we didn't use them. This will make future merges from the vendor tree much easier.
Approved by: re (gjb)
|
255767 |
21-Sep-2013 |
des |
Upgrade to 6.3p1.
Approved by: re (gjb)
|
255461 |
10-Sep-2013 |
des |
Change the default value of VerifyHostKeyDNS to "yes" if compiled with LDNS. With that setting, OpenSSH will silently accept host keys that match verified SSHFP records. If an SSHFP record exists but could not be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)
|
255422 |
09-Sep-2013 |
des |
These three files appeared in 6.0p1, which was imported into the vendor branch but never merged to head. They were inadvertently left out when 6.1p1 was merged to head. It didn't make any difference at the time, because they were unused, but one of them is required for DNS-based host key verification.
Approved by: re (blanket)
|
254278 |
13-Aug-2013 |
des |
Apply upstream revision 1.151 (fix relative symlinks)
MFC after: 3 days
|
252338 |
28-Jun-2013 |
des |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match.
|
251088 |
29-May-2013 |
des |
Revert a local change that sets the default for UsePrivilegeSeparation to "sandbox" instead of "yes". In sandbox mode, the privsep child is unable to load additional libraries and will therefore crash when trying to take advantage of crypto offloading on CPUs that support it.
|
250739 |
17-May-2013 |
des |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
250595 |
13-May-2013 |
bdrewery |
The HPN patch added a new BUG bit for SSH_BUG_LARGEWINDOW and the update to 6.1 added SSH_BUG_DYNAMIC_RPORT with the same value.
Fix the HPN SSH_BUG_LARGEWINDOW bit so it is unique.
Approved by: des MFC after: 2 weeks
|
249839 |
24-Apr-2013 |
des |
Merge updated "no such identity file" patch.
PR: bin/178060
|
249475 |
14-Apr-2013 |
des |
Silence "received disconnect" in the common case.
|
249016 |
02-Apr-2013 |
des |
Merge upstream patch to silence spurious "no such identity file" warnings.
|
249015 |
02-Apr-2013 |
des |
Silence printf format warnings.
|
248975 |
01-Apr-2013 |
des |
Silence warnings about redefined macros.
|
248648 |
23-Mar-2013 |
des |
Revert r247892 now that this has been fixed upstream.
|
248619 |
22-Mar-2013 |
des |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
248465 |
18-Mar-2013 |
des |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change.
I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning.
MFC after: ASAP
|
248231 |
13-Mar-2013 |
des |
Unlike OpenBSD's, our setusercontext() will intentionally ignore the user's own umask setting (from ~/.login.conf) unless running with the user's UID. Therefore, we need to call it again with LOGIN_SETUMASK after changing UID.
PR: bin/176740 Submitted by: John Marshall <john.marshall@riverwillow.com.au> MFC after: 1 week
|
247916 |
07-Mar-2013 |
des |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects.
|
247904 |
06-Mar-2013 |
des |
Remove strnvis(), strvis(), strvisx().
|
247892 |
06-Mar-2013 |
des |
Explicitly disable lastlog, utmp and wtmp.
|
240075 |
03-Sep-2012 |
des |
Upgrade OpenSSH to 6.1p1.
|
237568 |
25-Jun-2012 |
delphij |
MFV (r237567):
Fetch both ECDSA and RSA keys by default in ssh-keyscan(1).
Approved by: des Obtained from: OpenSSH portable MFC after: 1 week
|
236139 |
27-May-2012 |
rea |
OpenSSH: allow VersionAddendum to be used again
Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when no VersionAddendum is set.
HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omit it if HPN is disabled.
VersionAddendum now uses the following logic:
* unset (default value): append " " and VERSION_ADDENDUM;
* VersionAddendum is set and isn't empty: append " " and VersionAddendum;
* VersionAddendum is set and empty: don't append anything.
Approved by: des Reviewed by: bz MFC after: 3 days
|
231852 |
17-Feb-2012 |
bz |
Merge multi-FIB IPv6 support from projects/multi-fibv6/head/:
Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity.
This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat.
Sponsored by: Cisco Systems, Inc. Reviewed by: melifaro (basically) MFC after: 10 days
|
231584 |
13-Feb-2012 |
ed |
Polish diff against upstream.
- Revert unneeded whitespace changes.
- Revert modifications to loginrec.c, as the upstream version already does the right thing.
- Fix indentation and whitespace of local changes.
Approved by: des MFC after: 1 month
|
226103 |
07-Oct-2011 |
des |
Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected.
MFC after: 1 week
|
226046 |
05-Oct-2011 |
des |
Upgrade to OpenSSH 5.9p1.
MFC after: 3 months
|
225852 |
28-Sep-2011 |
des |
Belatedly regenerate after application of the HPN patch.
|
225614 |
16-Sep-2011 |
des |
Remove the svn:keywords property and restore the historical $FreeBSD$ tag.
Approved by: re (kib) MFC after: 3 weeks
|
224642 |
03-Aug-2011 |
brooks |
Fix two more $FreeBSD$ keywords.
Reported by: pluknet Approved by: re (implicit)
|
224640 |
03-Aug-2011 |
brooks |
Enable keyword expansion for $FreeBSD$ on files where it was added in r224638.
Submitted by: bz Approved by: re (implicit) Point hat to: brooks
|
224638 |
03-Aug-2011 |
brooks |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported.
Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf.
This code is a style(9) compliant version of these features extracted from the patches published at:
http://www.psc.edu/networking/projects/hpn-ssh/
Merging this patch has been a collaboration between me and Bjoern.
Reviewed by: bz Approved by: re (kib), des (maintainer)
|
223758 |
04-Jul-2011 |
attilio |
With retirement of cpumask_t and usage of cpuset_t for representing a mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.
Remove them and replace their usage with custom pc_cpuid magic (as, atm, pc_cpumask can be easily represented by (1 << pc_cpuid) and pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).
This change is not targeted for MFC because of struct pcpu members removal and dependency by cpumask_t retirement.
MD review by: marcel, marius, alc Tested by: pluknet MD testing by: marcel, marius, gonzo, andreast
|
222813 |
07-Jun-2011 |
attilio |
Retire the cpumask_t type and replace it with cpuset_t usage.
This is intended to fix the bug where cpu mask objects are capped to 32. MAXCPU, then, can now be arbitrarily bumped to whatever value. Anyway, as long as several structures in the kernel are statically allocated and sized as MAXCPU, it is suggested to keep it as low as possible for the time being.
Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced. The most notable are cpusetobj_ffs() (which calculates a ffs(3) for a cpuset_t object), cpusetobj_strprint() (which prepares a string representing a cpuset_t object) and cpusetobj_strscan() (which creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon. With the moving from cpumask_t to cpuset_t they are now inefficient and not really useful. Anyway, for the time being, please note that access to pcpu datas is protected by sched_pin() in order to avoid migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel and userland. While this is not directly related to the patch itself, it is good to understand that concept and possibly use the patch as a reference on how to deal with cpuset_t objects in userland, when accessing kernel-land members.
- KTR_CPUMASK is changed and now is represented through a string, to be set as the example reported in NOTES.
Please additively note that no MAXCPU is bumped in this patch, but private testing has been done until to MAXCPU=128 on a real 8x8x2(htt) machine (amd64).
Please note that the FreeBSD version is not yet bumped because of the upcoming pcpu changes. However, note that this patch is not targeted for MFC.
People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested several revision of the patches and really helped in improving stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific implementations of the patch.
- Other people have made contributions on other patches that have been already committed and have been listed separately.
Companies that should be mentioned for having participated at several degrees:
- Yahoo! for having offered the machines used for testing on big count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance, which has been instrumental.
- Sandvine for having offered offices and infrastructure during development.
(I really hope I didn't forget anyone, if it happened I apologize in advance).
|
221487 |
05-May-2011 |
des |
Merge two upstream patches from vendor branch. No functional changes.
|
221420 |
04-May-2011 |
des |
Upgrade to OpenSSH 5.8p2.
|
215116 |
11-Nov-2010 |
des |
Upgrade to OpenSSH 5.6p1.
|
215083 |
10-Nov-2010 |
des |
Forgot to svn rm this when I imported 5.4p1.
|
213250 |
28-Sep-2010 |
emaste |
Remove copyright strings printed at login time via login(1) or sshd(8). It is not clear to what this copyright should apply, and this is in line with what other operating systems do.
For ssh specifically, printing of the copyright string is not in the upstream version so this reduces our FreeBSD-local diffs.
Approved by: core, des (ssh)
|
208724 |
01-Jun-2010 |
des |
More commas
|
208709 |
01-Jun-2010 |
des |
Missing commas
|
208606 |
28-May-2010 |
cperciva |
Fix .Dd line: FreeBSD's mdoc code doesn't understand OpenBSD's $Mdocdate$.
MFC after: 3 days
|
207736 |
07-May-2010 |
mckusick |
Merger of the quota64 project into head.
This joint work of Dag-Erling Smørgrav and myself updates the FFS quota system to support both traditional 32-bit and new 64-bit quotas (for those of you who want to put 2+Tb quotas on your users).
By default quotas are not compiled into the kernel. To include them in your kernel configuration you need to specify:
options QUOTA # Enable FFS quotas
If you are already running with the current 32-bit quotas, they should continue to work just as they have in the past. If you wish to convert to using 64-bit quotas, use `quotacheck -c 64'; if you wish to revert from 64-bit quotas back to 32-bit quotas, use `quotacheck -c 32'.
There is a new library of functions to simplify the use of the quota system, do `man quotafile' for details. If your application is currently using the quotactl(2), it is highly recommended that you convert your application to use the quotafile interface. Note that existing binaries will continue to work.
Special thanks to John Kozubik of rsync.net for getting me interested in pursuing 64-bit quota support and for funding part of my development time on this project.
|
207319 |
28-Apr-2010 |
des |
Upgrade to OpenSSH 5.5p1.
|
206397 |
08-Apr-2010 |
kib |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd.
Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week
|
204917 |
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
202231 |
13-Jan-2010 |
ed |
Add a missing $FreeBSD$ string.
I was requested to add this string to any file that was modified by my commit, which I forgot to do.
Requested by: des
|
202213 |
13-Jan-2010 |
ed |
Make OpenSSH work with utmpx.
- Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'.
|
199804 |
25-Nov-2009 |
attilio |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails.
Note: in future it would be interesting to find a way to do that selectively for any desired process (chosen by user himself), probably via a ptrace interface or whatever.
Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month
|
199131 |
10-Nov-2009 |
des |
Fix globbing
Noticed by: delphij, David Cornejo <dave@dogwood.com> Forgotten by: des
|
197957 |
11-Oct-2009 |
des |
Remove dupe.
|
197802 |
06-Oct-2009 |
des |
Expand $FreeBSD$
|
197785 |
05-Oct-2009 |
des |
Add more symbols that need to be masked:
- initialized and uninitialized data
- symbols from roaming_dummy.c which end up in pam_ssh
Update the command line used to generate the #defines.
|
197679 |
01-Oct-2009 |
des |
Upgrade to OpenSSH 5.3p1.
|
196164 |
13-Aug-2009 |
des |
Update and remove CVS-specific items
Approved by: re (kib)
|
194297 |
16-Jun-2009 |
jhb |
Use the closefrom(2) system call.
Reviewed by: des
|
192595 |
22-May-2009 |
des |
Upgrade to OpenSSH 5.2p1.
MFC after: 3 months
|
184122 |
21-Oct-2008 |
des |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer.
PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week
|
183458 |
29-Sep-2008 |
des |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates.
MFC after: 3 days
|
183336 |
24-Sep-2008 |
des |
MFV "xmalloc: zero size" fix.
MFC after: 1 week
|
182614 |
01-Sep-2008 |
des |
Remove some unused files.
|
182601 |
01-Sep-2008 |
des |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly.
|
181918 |
20-Aug-2008 |
des |
Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. Submitted upstream, no reaction.
Submitted by: delphij@ MFC after: 2 weeks
|
181111 |
01-Aug-2008 |
des |
Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed.
MFC after: 6 weeks
|
181110 |
01-Aug-2008 |
des |
Remove svn:keywords except on files that need it. This makes diffs against the vendor branch much more readable.
|
181109 |
01-Aug-2008 |
des |
Another file with no local changes.
"This time for sure!"
|
181108 |
01-Aug-2008 |
des |
Another file with no local changes.
|
181107 |
01-Aug-2008 |
des |
Another four files without local changes. This is driving me nuts - every time I think I got them all, another one pops up.
|
181106 |
01-Aug-2008 |
des |
Yet another file with no local changes.
|
181105 |
01-Aug-2008 |
des |
Accidentally mangled this one in the previous commit.
|
181104 |
01-Aug-2008 |
des |
More files which no longer have any local changes.
|
181103 |
01-Aug-2008 |
des |
These two files have no local patches except to prevent expansion of the original $FreeBSD$ keywords. Revert those changes, and simply disable keyword expansion.
|
181101 |
01-Aug-2008 |
des |
Last remains of old OPIE patch
|
181098 |
01-Aug-2008 |
des |
We no longer have any local changes here.
|
181097 |
01-Aug-2008 |
des |
Consistently set svn:eol-style.
|
181096 |
01-Aug-2008 |
des |
Tag expansion is no longer needed (svn handles them correctly). Add svn command to diff against vendor branch.
|
181095 |
01-Aug-2008 |
des |
This is no longer needed.
|
181094 |
01-Aug-2008 |
des |
Cleanup.
|
181092 |
01-Aug-2008 |
des |
Ugh. Set svn:mergeinfo correctly.
|
181091 |
01-Aug-2008 |
des |
Catch up with reality.
|
181090 |
01-Aug-2008 |
des |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP.
|
181087 |
31-Jul-2008 |
des |
Add missing #include for strlen()
|
181081 |
31-Jul-2008 |
des |
Advance merge point.
|
180989 |
30-Jul-2008 |
des |
Fix alignment of the cmsg buffer by placing it in a union with a struct cmsghdr. Derived from upstream patch.
Submitted by: cognet MFC after: 2 weeks
|
180765 |
23-Jul-2008 |
des |
Remove a bunch of files we don't need to build OpenSSH. They are still available in base/vendor-crypto/openssh/dist/.
|
180764 |
23-Jul-2008 |
des |
Bootstrap svn:mergeinfo.
|
176070 |
06-Feb-2008 |
des |
Fix the Xlist so it actually works with 'tar -X', and update the upgrade instructions accordingly.
|
176069 |
06-Feb-2008 |
des |
As per discussion, commit experimental metadata for my contrib packages. The idea is to have a FREEBSD-vendor file for every third-party package in the tree.
|
169966 |
24-May-2007 |
des |
s/X11R6/local/g
|
164149 |
10-Nov-2006 |
des |
Resolve conflicts.
|
164147 |
10-Nov-2006 |
des |
This commit was generated by cvs2svn to compensate for changes in r164146, which included commits to RCS files with non-trunk default branches.
|
163054 |
06-Oct-2006 |
des |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default.
|
163004 |
04-Oct-2006 |
des |
Go figure how an extra $Id$ line crept in...
|
163003 |
04-Oct-2006 |
des |
Merge vendor patch.
|
162984 |
03-Oct-2006 |
des |
Tweak ifdefs for backward compatibility.
|
162953 |
02-Oct-2006 |
des |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision.
|
162952 |
02-Oct-2006 |
des |
Update configure options and add some missing steps. The section about our local changes needs reviewing, and some of those changes should probably be reconsidered (such as preferring DSA over RSA, which made sense when RSA was encumbered but probably doesn't any more)
|
162860 |
30-Sep-2006 |
des |
Regenerate.
MFC after: 1 week
|
162859 |
30-Sep-2006 |
des |
#include <errno.h>; this has the unfortunate side effect of taking the file off the vendor branch.
MFC after: 1 week
|
162858 |
30-Sep-2006 |
des |
Removed from vendor branch.
MFC after: 1 week
|
162857 |
30-Sep-2006 |
des |
Bump version addendum.
MFC after: 1 week
|
162856 |
30-Sep-2006 |
des |
Merge conflicts.
MFC after: 1 week
|
162853 |
30-Sep-2006 |
des |
This commit was generated by cvs2svn to compensate for changes in r162852, which included commits to RCS files with non-trunk default branches.
|
162360 |
16-Sep-2006 |
des |
Merge vendor patch for BSM problem in protocol version 1.
MFC after: 1 week
|
159458 |
09-Jun-2006 |
des |
Our glob(3) has all the required features.
Submitted by: ache
|
159457 |
09-Jun-2006 |
des |
Revert inadvertent commit of debugging code.
|
158519 |
13-May-2006 |
des |
Introduce a namespace munging hack inspired by NetBSD to avoid polluting the namespace of applications which inadvertently link in libssh (usually through pam_ssh)
Suggested by: lukem@netbsd.org MFC after: 6 weeks
|
157055 |
23-Mar-2006 |
des |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error.
Noticed by: ache
|
157020 |
22-Mar-2006 |
des |
Regenerate.
|
157019 |
22-Mar-2006 |
des |
Merge conflicts.
|
157017 |
22-Mar-2006 |
des |
This commit was generated by cvs2svn to compensate for changes in r157016, which included commits to RCS files with non-trunk default branches.
|
156813 |
17-Mar-2006 |
ru |
Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
|
153838 |
29-Dec-2005 |
dfr |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar to the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC.
Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
|
149754 |
03-Sep-2005 |
des |
Regenerate
|
149753 |
03-Sep-2005 |
des |
Resolve conflicts.
|
149750 |
03-Sep-2005 |
des |
This commit was generated by cvs2svn to compensate for changes in r149749, which included commits to RCS files with non-trunk default branches.
|
149748 |
03-Sep-2005 |
des |
fine-tune.
|
147010 |
05-Jun-2005 |
des |
Forgot to bump the version addendum.
|
147006 |
05-Jun-2005 |
des |
Regenerate.
|
147005 |
05-Jun-2005 |
des |
Resolve conflicts.
|
147004 |
05-Jun-2005 |
des |
Update for 4.1p1.
|
147002 |
05-Jun-2005 |
des |
This commit was generated by cvs2svn to compensate for changes in r147001, which included commits to RCS files with non-trunk default branches.
|
146999 |
05-Jun-2005 |
des |
This commit was generated by cvs2svn to compensate for changes in r146998, which included commits to RCS files with non-trunk default branches.
|
146981 |
04-Jun-2005 |
des |
Rewrite some of the regexps so they don't match themselves.
|
137020 |
28-Oct-2004 |
des |
Better Xlist command line.
|
137019 |
28-Oct-2004 |
des |
Resolve conflicts
|
137016 |
28-Oct-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r137015, which included commits to RCS files with non-trunk default branches.
|
136998 |
27-Oct-2004 |
des |
These are unnecessary and have been causing imp@ trouble.
|
128462 |
20-Apr-2004 |
des |
Regenerate.
|
128461 |
20-Apr-2004 |
des |
One more conflict.
|
128460 |
20-Apr-2004 |
des |
Resolve conflicts.
|
128459 |
20-Apr-2004 |
des |
Adjust version number and addendum.
|
128457 |
20-Apr-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r128456, which included commits to RCS files with non-trunk default branches.
|
127033 |
15-Mar-2004 |
des |
Correctly document the default value of UsePAM.
|
126283 |
26-Feb-2004 |
des |
Update VersionAddendum in config files and man pages.
|
126280 |
26-Feb-2004 |
des |
Define HAVE_GSSAPI_H.
|
126279 |
26-Feb-2004 |
des |
Regenerate.
|
126278 |
26-Feb-2004 |
des |
Document recently changed configuration defaults.
|
126277 |
26-Feb-2004 |
des |
Resolve conflicts.
|
126275 |
26-Feb-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r126274, which included commits to RCS files with non-trunk default branches.
|
126273 |
26-Feb-2004 |
des |
Merge OpenSSH 3.8p1.
|
126272 |
26-Feb-2004 |
des |
Prepare for upcoming 3.8p1 import.
|
126271 |
26-Feb-2004 |
des |
Pull asbestos underpants on and disable protocol version 1 by default.
|
126009 |
19-Feb-2004 |
des |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it.
|
124970 |
25-Jan-2004 |
des |
Update the "overview of FreeBSD changes to OpenSSH-portable" to reflect reality.
|
124696 |
18-Jan-2004 |
des |
Work around removal of EAI_NODATA from netdb.h.
|
124288 |
09-Jan-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r124287, which included commits to RCS files with non-trunk default branches.
|
124279 |
09-Jan-2004 |
des |
Egg on my face: UsePAM was off by default.
Pointed out by: Sean McNeil <sean@mcneil.com>
|
124244 |
08-Jan-2004 |
des |
Regenerate config.h; I don't know why this didn't hit CVS yesterday.
|
124213 |
07-Jan-2004 |
des |
Update to reflect changes since the last version.
|
124211 |
07-Jan-2004 |
des |
Resolve conflicts and remove obsolete files.
Sponsored by: registrar.no
|
124209 |
07-Jan-2004 |
des |
This commit was generated by cvs2svn to compensate for changes in r124208, which included commits to RCS files with non-trunk default branches.
|
124207 |
07-Jan-2004 |
des |
Merge OpenSSH 3.7.1p2.
|
121824 |
31-Oct-2003 |
simon |
Add a missing word.
Submitted by: Michel Lavondes <fox@vader.aacc.cc.md.us> Reviewed by: des MFC after: 1 week
|
121420 |
23-Oct-2003 |
des |
Plug a memory leak in the PAM child process. It is of no great consequence as the process is short-lived, and the leak occurs very rarely and always shortly before the process terminates.
MFC after: 3 days
|
120490 |
26-Sep-2003 |
joe |
This commit was generated by cvs2svn to compensate for changes in r120489, which included commits to RCS files with non-trunk default branches.
|
120489 |
26-Sep-2003 |
joe |
Additional corrections to OpenSSH buffer handling.
Obtained from: openssh.org Originally committed to head by: nectar
|
120413 |
24-Sep-2003 |
des |
Update version string.
|
120411 |
24-Sep-2003 |
des |
Remove bogus calls to xfree().
|
120406 |
24-Sep-2003 |
des |
resp is a pointer to an array of structs, not an array of pointers to structs.
|
120405 |
24-Sep-2003 |
des |
Return the correct error value when a null query fails.
|
120230 |
19-Sep-2003 |
des |
Fix broken shell code.
|
120162 |
17-Sep-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120161, which included commits to RCS files with non-trunk default branches.
|
120161 |
17-Sep-2003 |
nectar |
Correct more cases of allocation size bookkeeping being updated before calling functions which can potentially fail and cause cleanups to be invoked.
Submitted by: Solar Designer <solar@openwall.com>
|
120125 |
16-Sep-2003 |
nectar |
Update the OpenSSH addendum string for the buffer handling fix.
|
120114 |
16-Sep-2003 |
nectar |
This commit was generated by cvs2svn to compensate for changes in r120113, which included commits to RCS files with non-trunk default branches.
|
116792 |
24-Jun-2003 |
des |
This commit was generated by cvs2svn to compensate for changes in r116791, which included commits to RCS files with non-trunk default branches.
|
115372 |
28-May-2003 |
des |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP.
Submitted by: tegge Approved by: re (jhb)
|
114972 |
13-May-2003 |
des |
Revert unnecessary part of previous commit.
|
114955 |
12-May-2003 |
des |
Rename a few functions to avoid stealing common words (error, log, debug etc.) from the application namespace for programs that use pam_ssh(8). Use #defines to avoid changing the actual source code.
Approved by: re (rwatson)
|
114426 |
01-May-2003 |
des |
Remove RCSID from files which have no other diffs to the vendor branch.
|
113914 |
23-Apr-2003 |
des |
Nit.
|
113913 |
23-Apr-2003 |
des |
Improvements to the proposed shell code.
|
113912 |
23-Apr-2003 |
des |
Regenerate.
|
113911 |
23-Apr-2003 |
des |
Resolve conflicts.
|
113909 |
23-Apr-2003 |
des |
This commit was generated by cvs2svn to compensate for changes in r113908, which included commits to RCS files with non-trunk default branches.
|
112871 |
31-Mar-2003 |
des |
- when using a child process instead of a thread, change the child's name to reflect its role - try to handle expired passwords a little better
MFC after: 1 week
|
112870 |
31-Mar-2003 |
des |
If an ssh1 client initiated challenge-response authentication but did not respond to challenge, and later successfully authenticated itself using another method, the kbdint context would never be released, leaving the PAM child process behind even after the connection ended.
Fix this by automatically releasing the kbdint context if a packet of type SSH_CMSG_AUTH_TIS is followed by anything but a packet of type SSH_CMSG_AUTH_TIS_RESPONSE.
MFC after: 1 week
|
110988 |
16-Feb-2003 |
des |
Paranoia: instead of a NULL conversation function, use one that always returns PAM_CONV_ERR; moreover, make sure we always have the right conversation function installed before calling PAM service functions. Also unwrap some not-so-long lines.
MFC after: 3 days
|
110692 |
11-Feb-2003 |
des |
document the current default value for VersionAddendum.
|
110506 |
07-Feb-2003 |
des |
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
MFC after: 3 days
|
110359 |
05-Feb-2003 |
trhodes |
The manual page lists only 2 files, however it reads as `three files' which is obviously incorrect.
PR: 46841 Submitted by: Sakamoto Seiji <s-siji@hyper.ocn.ne.jp>
|
110283 |
03-Feb-2003 |
des |
Linux-PAM's pam_start(3) fails with a bogus error message if the pam_conv argument passed is NULL. OpenPAM doesn't care, but to make things easier for people porting this code to other systems (or -STABLE), use a dummy struct pam_conv instead of NULL.
Pointed out by: Damien Miller <djm@mindrot.org>
|
110282 |
03-Feb-2003 |
des |
Bump patch date to 2003-02-01 (the day after I fixed PAM authentication for ssh1)
|
110138 |
31-Jan-2003 |
des |
Fix keyboard-interactive authentication for ssh1. The problem was twofold:
- The PAM kbdint device sometimes doesn't know authentication succeeded until you re-query it. The ssh1 kbdint code would never re-query the device, so authentication would always fail. This patch has been submitted to the OpenSSH developers.
- The monitor code for PAM sometimes forgot to tell the monitor that authentication had succeeded. This caused the monitor to veto the privsep child's decision to allow the connection.
These patches have been tested with OpenSSH clients on -STABLE, NetBSD and Linux, and with ssh.com's ssh1 on Solaris.
Sponsored by: DARPA, NAI Labs
|
109683 |
22-Jan-2003 |
des |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted.
PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days
|
108159 |
21-Dec-2002 |
des |
The previous commit contained a stupid mistake: ctxt->pam_[cp]sock was initialized after the call to pthread_create() instead of before. It just happened to work with threads enabled because ctxt is shared, but of course it doesn't work when we use a child process instead of threads.
|
107861 |
14-Dec-2002 |
des |
If possible, use pthreads instead of a child process for PAM.
Reimplement the necessary bits from auth_pam.c and auth2_pam.c so that they share the PAM context used by the keyboard-interactive thread. If a child process is used instead, they will (necessarily) use a separate context.
Constify do_pam_account() and do_pam_session().
Sponsored by: DARPA, NAI Labs
|
107860 |
14-Dec-2002 |
des |
Add a missing #include "canohost.h".
|
107859 |
14-Dec-2002 |
des |
Remove code related to the PAMAuthenticationViaKbdInt option (which we've disabled). This removes the only reference to auth2_pam().
|
107858 |
14-Dec-2002 |
des |
Back out a lastlog-related change which is no longer relevant.
|
107857 |
14-Dec-2002 |
des |
Fix a rounding error in the block size calculation.
Submitted by: tjr
|
107553 |
03-Dec-2002 |
des |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.
Approved by: re (rwatson)
|
106489 |
06-Nov-2002 |
des |
Add caveats regarding the effect of PAM on PasswordAuthentication and PermitRootLogin.
PR: docs/43776 MFC after: 1 week
|
106465 |
05-Nov-2002 |
des |
Document the current default for VersionAddendum.
|
106464 |
05-Nov-2002 |
des |
Accurately reflect our local changes and additions.
|
106463 |
05-Nov-2002 |
des |
Document the current default value for VersionAddendum.
|
106353 |
02-Nov-2002 |
des |
Switch to two-clause license, with NAI's permission.
|
106130 |
29-Oct-2002 |
des |
Resolve conflicts.
|
106129 |
29-Oct-2002 |
des |
Protect against tag expansion + fix some brainos.
|
106128 |
29-Oct-2002 |
des |
Some tricks I use when I upgrade.
|
106127 |
29-Oct-2002 |
des |
Correct shell code to expand globs in FREEBSD-Xlist
|
106126 |
29-Oct-2002 |
des |
More cruft.
|
106122 |
29-Oct-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r106121, which included commits to RCS files with non-trunk default branches.
|
103134 |
09-Sep-2002 |
ume |
sshd didn't handle actual size of struct sockaddr correctly, and did copy it as long as just size of struct sockaddr. So, if connection is via IPv6, sshd didn't log hostname into utmp correctly. This problem occurred only under FreeBSD because of our hack. However, this is potential problem of OpenSSH-portable, and they agreed to fix this. Though, there is no fixed version of OpenSSH-portable available yet, since this problem is serious for IPv6 users, I commit the fix.
Reported by: many people Reviewed by: current@ and stable@ (no objection) MFC after: 3 days
|
103108 |
09-Sep-2002 |
kuriyama |
Fix typo (s@src/crypto/openssh-portable@src/crypto/openssh@).
|
101385 |
05-Aug-2002 |
ache |
Do login cap calls _before_ descriptors are hardly closed because close may invalidate login cap descriptor.
Reviewed by: des
|
100838 |
29-Jul-2002 |
fanf |
Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
PR: 37416 Approved by: des MFC after: 4 days
|
100715 |
26-Jul-2002 |
fanf |
FreeBSD doesn't use the host RSA key by default.
Reviewed by: des
|
100693 |
26-Jul-2002 |
ache |
Problems addressed:
1) options.print_lastlog was not honored.
2) "Last login: ..." was printed twice.
3) "copyright" was not printed
4) No newline was before motd.
Reviewed by: maintainer's silence in 2 weeks (with my constant reminders)
|
100678 |
25-Jul-2002 |
fanf |
Document the FreeBSD default for CheckHostIP, which was changed in rev 1.2 of readconf.c.
Approved by: des
|
100583 |
23-Jul-2002 |
des |
Whitespace nit.
|
100254 |
17-Jul-2002 |
des |
In pam_init_ctx(), register a cleanup function that will kill the child process if a fatal error occurs. Deregister it in pam_free_ctx().
|
99768 |
11-Jul-2002 |
des |
Use realhostname_sa(3) so the IP address will be used instead of the hostname if the latter is too long for utmp.
Submitted by: ru MFC after: 3 days
|
99748 |
10-Jul-2002 |
des |
Do not try to use PAM for password authentication, as it is already (and far better) supported by the challenge/response authentication mechanism.
|
99747 |
10-Jul-2002 |
des |
Don't forget to clear the buffer before reusing it.
|
99455 |
05-Jul-2002 |
des |
Rewrite to use the buffer API instead of roll-your-own messaging.
Suggested by: Markus Friedl <markus@openbsd.org> Sponsored by: DARPA, NAI Labs
|
99454 |
05-Jul-2002 |
des |
(forgot to commit) We don't need --with-opie since PAM takes care of it.
|
99319 |
03-Jul-2002 |
des |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE.
- We don't have setutent(3) etc., and I have no idea why configure ever thought we did.
|
99315 |
03-Jul-2002 |
des |
Two FreeBSD-specific nits in comments:
- ChallengeResponseAuthentication controls PAM, not S/Key
- We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it.
Sponsored by: DARPA, NAI Labs
|
99259 |
02-Jul-2002 |
des |
Version bump for mm_answer_pam_respond() fix.
|
99258 |
02-Jul-2002 |
des |
Fix a braino in mm_answer_pam_respond() which would cause sshd to abort if PAM authentication failed due to an incorrect response.
|
99132 |
30-Jun-2002 |
des |
Forgot to update the addendum in the config files.
|
99065 |
29-Jun-2002 |
des |
Regenerate.
|
99064 |
29-Jun-2002 |
des |
<sys/mman.h> requires <sys/types.h>.
|
99063 |
29-Jun-2002 |
des |
Resolve conflicts.
Sponsored by: DARPA, NAI Labs
|
99061 |
29-Jun-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r99060, which included commits to RCS files with non-trunk default branches.
|
99059 |
29-Jun-2002 |
des |
Commit config.h so we don't need autoconf to build world.
|
99057 |
29-Jun-2002 |
des |
OpenBSD lifted this code our tree. Preserve the original CVS id.
|
99056 |
29-Jun-2002 |
des |
Use our __RCSID().
|
99055 |
29-Jun-2002 |
des |
Make sure the environment variables set by setusercontext() are passed on to the child process.
Reviewed by: ache Sponsored by: DARPA, NAI Labs
|
99054 |
29-Jun-2002 |
des |
Canonicize the host name before looking it up in the host file.
Sponsored by: DARPA, NAI Labs
|
99053 |
29-Jun-2002 |
des |
Apply class-imposed login restrictions.
Sponsored by: DARPA, NAI Labs
|
99052 |
29-Jun-2002 |
des |
PAM support, the FreeBSD way.
Sponsored by: DARPA, NAI Labs
|
99051 |
29-Jun-2002 |
des |
Document FreeBSD defaults.
Sponsored by: DARPA, NAI Labs
|
99050 |
29-Jun-2002 |
des |
Document FreeBSD defaults and paths.
Sponsored by: DARPA, NAI Labs
|
99049 |
29-Jun-2002 |
des |
Remove duplicate.
|
99048 |
29-Jun-2002 |
des |
Apply FreeBSD's configuration defaults.
Sponsored by: DARPA, NAI Labs
|
99047 |
29-Jun-2002 |
des |
Add the VersionAddendum configuration variable.
Sponsored by: DARPA, NAI Labs
|
99046 |
29-Jun-2002 |
des |
Support OPIE as an alternative to S/Key.
Sponsored by: DARPA, NAI Labs
|
99045 |
29-Jun-2002 |
des |
Document the upgrade process.
|
99044 |
29-Jun-2002 |
des |
Files we don't want to import.
|
98941 |
27-Jun-2002 |
des |
Forcibly revert to mainline.
|
98938 |
27-Jun-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r98937, which included commits to RCS files with non-trunk default branches.
|
98742 |
24-Jun-2002 |
dinoex |
remove declaration of authlog use variable from_host
Reviewed by: des
|
98738 |
24-Jun-2002 |
des |
IPv4or6 is already defined in libssh.
|
98706 |
23-Jun-2002 |
des |
Resolve conflicts and document local changes.
|
98695 |
23-Jun-2002 |
des |
Correctly export the environment variables set by setusercontext().
Sponsored by: DARPA, NAI Labs
|
98684 |
23-Jun-2002 |
des |
Resolve conflicts. Known issues:
- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated
I will have these issues resolved, and privilege separation turned on by default, in time for DP2.
Sponsored by: DARPA, NAI Labs
|
98676 |
23-Jun-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r98675, which included commits to RCS files with non-trunk default branches.
|
96434 |
12-May-2002 |
jedgar |
Remove _PATH_CP now that it is defined in paths.h
Reviewed by: des
|
95894 |
01-May-2002 |
obrien |
Usual after-import fixup of SCM IDs.
|
95456 |
25-Apr-2002 |
des |
Back out previous commit.
|
95431 |
25-Apr-2002 |
jkh |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms.
Submitted by: Joshua Goodall <joshua@roughtrade.net>
|
95312 |
23-Apr-2002 |
ache |
1) Properly conditionalize PAM "last login" printout.
2) For "copyright" case #ifdef HAVE_LOGIN_CAP was placed on too big block, narrow it down.
3) Don't check the same conditions twice (for "copyright" and "welcome"), put them under single block.
4) Print \n between "copyright" and "welcome" as our login does.
Reviewed by: des (1)
|
95242 |
22-Apr-2002 |
des |
Don't report last login time in PAM case. (perforce change 10057)
Sponsored by: DARPA, NAI Labs
|
95241 |
22-Apr-2002 |
des |
Fix warnings + wait for child so it doesn't go zombie (perforce change 10122)
|
95207 |
21-Apr-2002 |
ache |
Move LOGIN_CAP calls before all file descriptors are closed hard, since some descriptors may be used by LOGIN_CAP internally, add login_close().
Use "nocheckmail" LOGIN_CAP capability too like our login does.
|
95120 |
20-Apr-2002 |
ache |
Fix TZ & TERM handling for use_login case of rev. 1.24
|
95119 |
20-Apr-2002 |
ache |
1) Surprisingly, "CheckMail" handling code completely removed from this version, so documented "CheckMail" option exists but does nothing. Bring it back to life adding code back.
2) Cosmetique. Reduce number of args in do_setusercontext()
|
95109 |
20-Apr-2002 |
ache |
1) Fix overlook in my prev. commit - forget HAVE_ prefix in one place in old code merge.
2) In addition honor "timezone" and "term" capabilities from login.conf, not overwrite them once they set (they are TZ and TERM variables).
|
95105 |
20-Apr-2002 |
ache |
Please repeat after me: setusercontext() modifies _current_ environment, but sshd uses separate child_env. So, to make setusercontext() really does something, environment must be switched before call and passed to child_env back after it.
The error here was that modified environment not passed back to child_env, so all variables that setusercontext() adds are lost, including ones from ~/.login_conf
|
94657 |
14-Apr-2002 |
des |
Fix some warnings. Don't record logins twice in USE_PAM case. Strip "/dev/" off the tty name before passing it to auth_ttyok or PAM.
Inspired by: dinoex Sponsored by: DARPA, NAI Labs
|
94511 |
12-Apr-2002 |
des |
Back out previous backout. It seems I was right to begin with, and DSA is preferable to RSA (not least because the SECSH draft standard requires DSA while RSA is only recommended).
|
94464 |
11-Apr-2002 |
des |
Knowledgeable persons assure me that RSA is preferable to DSA and that we should transition away from DSA.
|
94439 |
11-Apr-2002 |
des |
Prefer DSA to RSA if both are available.
|
94438 |
11-Apr-2002 |
des |
Do not attempt to load an ssh2 RSA host key by default.
|
94203 |
08-Apr-2002 |
ru |
Align for const poisoning in -lutil.
|
93927 |
06-Apr-2002 |
des |
Nuke stale copy of the pam_ssh(8) source code.
|
93704 |
02-Apr-2002 |
des |
Revert to vendor version, what little was left of our local patches here was incorrect.
Pointed out by: Markus Friedl <markus@openbsd.org>
|
93701 |
02-Apr-2002 |
des |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further.
Sponsored by: DARPA, NAI Labs
|
93698 |
02-Apr-2002 |
des |
Make the various ssh clients understand the VersionAddendum option.
Submitted by: pb
|
93221 |
26-Mar-2002 |
ru |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.)
Reviewed by: bde
|
93216 |
26-Mar-2002 |
nectar |
REALLY correct typo this time.
Noticed by: roam
|
93155 |
25-Mar-2002 |
nectar |
Fix typo (missing paren) affecting KRB4 && KRB5 case.
Approved by: des
|
93042 |
23-Mar-2002 |
des |
We keep moduli(5) in /etc/ssh, not /etc.
|
92879 |
21-Mar-2002 |
des |
Correctly set PAM_RHOST so e.g. pam_login_access(8) can do its job.
Sponsored by: DARPA, NAI Labs
|
92878 |
21-Mar-2002 |
des |
Use the "sshd" service instead of "csshd". The latter was only needed because of bugs (incorrect design decisions, actually) in Linux-PAM.
Sponsored by: DARPA, NAI Labs
|
92876 |
21-Mar-2002 |
des |
Use PAM instead of S/Key (or OPIE) for SSH2.
Sponsored by: DARPA, NAI Labs
|
92836 |
20-Mar-2002 |
des |
Note that portions of this software were
Sponsored by: DARPA, NAI Labs
|
92832 |
20-Mar-2002 |
des |
- Change the prompt from "S/Key Password: " to "OPIE Password: "
- If the user doesn't have an OPIE key, don't challenge him. This is a workaround until I get PAM to work properly with ssh2.
Sponsored by: DARPA, NAI Labs
|
92708 |
19-Mar-2002 |
des |
Unbreak for KRB4 ^ KRB5 case.
Sponsored by: DARPA, NAI Labs
|
92564 |
18-Mar-2002 |
des |
Revive this file (which is used for opie rather than skey)
|
92559 |
18-Mar-2002 |
des |
Fix conflicts.
|
92556 |
18-Mar-2002 |
des |
This commit was generated by cvs2svn to compensate for changes in r92555, which included commits to RCS files with non-trunk default branches.
|
92402 |
16-Mar-2002 |
des |
Diff reduction.
Sponsored by: DARPA, NAI Labs
|
91810 |
07-Mar-2002 |
nectar |
Update version string.
|
91688 |
05-Mar-2002 |
nectar |
Fix off-by-one error.
Obtained from: OpenBSD
|
91431 |
27-Feb-2002 |
green |
Use login_getpwclass() instead of login_getclass() so that default mapping of user login classes works.
Obtained from: TrustedBSD project Sponsored by: DARPA, NAI Labs
|
89703 |
23-Jan-2002 |
ru |
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm Approved by: markm
|
89014 |
07-Jan-2002 |
green |
Fix a coredump bug occurring if ssh-keygen attempts to change the password on a DSA key.
Submitted by: ian j hart <ianjhart@ntlworld.com>
|
87308 |
03-Dec-2001 |
nectar |
Update version string since we applied a fix for the UseLogin issue.
|
87255 |
03-Dec-2001 |
nectar |
Do not pass user-defined environmental variables to /usr/bin/login.
Obtained from: OpenBSD Approved by: green
|
86617 |
19-Nov-2001 |
dwmalone |
In the "UseLogin yes" case we need env to be NULL to make sure it will be correctly initialised.
PR: 32065 Tested by: The Anarcat <anarcat@anarcat.dyndns.org> MFC after: 3 days
|
84043 |
27-Sep-2001 |
green |
Modify a "You don't exist" message, pretty rude for transient YP failures.
|
82961 |
04-Sep-2001 |
assar |
fix renamed options in some of the code that was #ifdef AFS
also print an error if krb5 ticket passing is disabled
Submitted by: Jonathan Chen <jon@spock.org>
|
82410 |
27-Aug-2001 |
ps |
Backout last change. I didn't follow the thread and made a mistake with this. localisations is a valid spelling. Oops
|
82408 |
27-Aug-2001 |
ps |
Correctly spell localizations
|
81796 |
16-Aug-2001 |
green |
Update the OpenSSH minor-version string.
Requested by: obrien Reviewed by: rwatson
|
79683 |
13-Jul-2001 |
nectar |
Bug fix: When the client connects to a server and Kerberos authentication is enabled, the client effectively ignores any error from krb5_rd_rep due to a missing branch.
In theory this could result in an ssh client using Kerberos 5 authentication accepting a spoofed AP-REP. I doubt this is a real possibility, however, because the AP-REP is passed from the server to the client via the SSH encrypted channel. Any tampering should cause the decryption or MAC to fail.
Approved by: green MFC after: 1 week
|
79398 |
07-Jul-2001 |
green |
Fix an incorrect conflict resolution which prevented TISAuthentication from working right in 2.9.
|
78976 |
29-Jun-2001 |
green |
Also add a colon to "Bad passphrase, please try again ".
|
78975 |
29-Jun-2001 |
green |
Put in a missing colon in the "Enter passphrase" message.
|
78827 |
26-Jun-2001 |
green |
Back out the last change which is probably actually a red herring. Argh!
|
78826 |
26-Jun-2001 |
green |
Don't pointlessly kill a channel because the first (forced) non-blocking read returns 0.
Now I can finally tunnel CVSUP again...
|
78348 |
16-Jun-2001 |
assar |
(do_authloop): handle !KRB4 && KRB5
|
78263 |
15-Jun-2001 |
markm |
Unbreak OpenSSH for the KRB5-and-no-KRB4 case. Asking for KRB5 does not imply that you want, need or have kerberosIV headers.
|
78129 |
12-Jun-2001 |
green |
Enable Kerberos 5 support in sshd again.
|
77925 |
08-Jun-2001 |
green |
Switch to the user's uid before attempting to unlink the auth forwarding file, nullifying the effects of a race.
Obtained from: OpenBSD
|
77114 |
24-May-2001 |
obrien |
Fix $FreeBSD$ style committer messed up in rev 1.7 for some reason.
|
76820 |
18-May-2001 |
obrien |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16.
|
76607 |
15-May-2001 |
green |
If a host would exceed 16 characters in the utmp entry, record only its IP address/base host instead.
Submitted by: brian
|
76582 |
14-May-2001 |
ru |
mdoc(7) police: finished fixing conflicts in revision 1.18.
|
76464 |
11-May-2001 |
markm |
Fix make world in the kerberosIV case.
|
76394 |
09-May-2001 |
alfred |
Fix some of the handling in the pam module, don't unregister things that were never registered. At the same time handle a failure from pam_setcreds with a bit more paranoia than the previous fix.
Sync a bit with the "Portable OpenSSH" work to make comparisons easier.
|
76384 |
08-May-2001 |
green |
Since PAM is broken, let pam_setcred() failure be non-fatal.
|
76292 |
05-May-2001 |
green |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc.
|
76287 |
05-May-2001 |
green |
Finish committing _more_ somehow-uncommitted OpenSSH 2.9 updates. (Missing Delta Brigade, tally-ho!)
|
76265 |
04-May-2001 |
green |
Get ssh(1) compiling with MAKE_KERBEROS5.
|
76263 |
04-May-2001 |
green |
Remove obsoleted files.
|
76262 |
04-May-2001 |
green |
Fix conflicts for OpenSSH 2.9.
|
76260 |
04-May-2001 |
green |
This commit was generated by cvs2svn to compensate for changes in r76259, which included commits to RCS files with non-trunk default branches.
|
76227 |
03-May-2001 |
green |
Add a "VersionAddendum" configuration setting for sshd which allows anyone to easily change the part of the OpenSSH version after the main version number. The FreeBSD-specific version banner could be disabled that way, for example:
# Call ourselves plain OpenSSH
VersionAddendum
|
76226 |
03-May-2001 |
green |
Backout completely canonical lookup modifications.
|
74503 |
20-Mar-2001 |
green |
Suggested by kris, OpenSSH shall have a version designated to note that it's not "plain" OpenSSH 2.3.0.
|
74500 |
20-Mar-2001 |
green |
Make password attacks based on traffic analysis harder by requiring that "non-echoed" characters are still echoed back in a null packet, as well as pad passwords sent to not give hints to the length otherwise.
Obtained from: OpenBSD
|
74291 |
15-Mar-2001 |
asmodai |
Fix double mention of ssh.
This file is already off the vendorbranch, nonetheless it needs to be submitted back to the OpenSSH people.
PR: 25743 Submitted by: David Wolfskill <dhw@whistle.com>
|
74278 |
15-Mar-2001 |
green |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name.
|
74197 |
13-Mar-2001 |
assar |
(try_krb5_authentication): simplify code. from joda@netbsd.org
|
74147 |
12-Mar-2001 |
assar |
Fix LP64 problem in Kerberos 5 TGT passing.
Obtained from: NetBSD (done by thorpej@netbsd.org)
|
74090 |
11-Mar-2001 |
green |
Reenable the SIGPIPE signal handler default in all cases for spawned sessions.
|
73400 |
04-Mar-2001 |
assar |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not know anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se>
PR: misc/20504
|
72586 |
18-Feb-2001 |
ps |
Make ConnectionsPerPeriod non-fatal for real.
|
72451 |
13-Feb-2001 |
assar |
update to new heimdal libkrb5
|
72397 |
12-Feb-2001 |
kris |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected.
Reviewed by: rwatson
|
72023 |
04-Feb-2001 |
green |
Correctly fill in the sun_len for a sockaddr_sun.
Submitted by: Alexander Leidinger <Alexander@leidinger.net>
|
72021 |
04-Feb-2001 |
green |
MFS: Don't use the canonical hostname here, too.
|
72020 |
04-Feb-2001 |
green |
MFF: Make ConnectionsPerPeriod usage a warning, not fatal.
|
71317 |
21-Jan-2001 |
green |
Actually propagate back to the rest of the application that a command was specified when using -t mode with the SSH client.
Submitted by: Dima Dorfman <dima@unixfreak.org>
|
70990 |
13-Jan-2001 |
green |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users.
|
70726 |
06-Jan-2001 |
green |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN.
|
69591 |
05-Dec-2000 |
green |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website.
Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too.
This requires at least the following in pam.conf:
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
Parts by: Eivind Eklend <eivind@FreeBSD.org>
|
69590 |
05-Dec-2000 |
green |
Forgot to remove the old line in the last commit.
|
69588 |
05-Dec-2000 |
green |
This commit was generated by cvs2svn to compensate for changes in r69587, which included commits to RCS files with non-trunk default branches.
|
69584 |
04-Dec-2000 |
brian |
Remove duplicate line
Not responded to by: kris, then green
|
69130 |
25-Nov-2000 |
green |
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch back to the original environ unconditionally. The setting of the variable to save the previous environ is conditional; it happens when ENV.e_committed is set. Therefore, don't try to swap the env back unless the previous env has been initialized.
PR: bin/22670 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
69129 |
25-Nov-2000 |
billf |
Correct an argument to ssh_add_identity, this matches what is currently in ports/security/openssh/files/pam_ssh.c
PR: 22164 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp> Reviewed by: green Approved by: green
|
68704 |
14-Nov-2000 |
green |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol.
|
68701 |
14-Nov-2000 |
green |
This commit was generated by cvs2svn to compensate for changes in r68700, which included commits to RCS files with non-trunk default branches.
|
65700 |
10-Sep-2000 |
green |
Fix a few style oddities.
|
65699 |
10-Sep-2000 |
green |
Fix a goof in timevaldiff.
|
65676 |
10-Sep-2000 |
kris |
Remove files no longer present in OpenSSH 2.2.0 and beyond
|
65674 |
10-Sep-2000 |
kris |
Resolve conflicts and update for OpenSSH 2.2.0
Reviewed by: gshapiro, peter, green
|
65669 |
10-Sep-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r65668, which included commits to RCS files with non-trunk default branches.
|
65653 |
10-Sep-2000 |
kris |
Nuke RSAREF support from orbit.
It's the only way to be sure.
|
65433 |
04-Sep-2000 |
kris |
ttyname was not being passed into do_login(), so we were erroneously picking up the function definition from unistd.h instead. Use s->tty instead.
Submitted by: peter
|
65398 |
03-Sep-2000 |
kris |
bzero() the struct timeval for paranoia
Submitted by: gshapiro
|
65361 |
02-Sep-2000 |
kris |
Err, we weren't even compiling auth1.c with LOGIN_CAP at all. Guess nobody was using this feature.
|
65360 |
02-Sep-2000 |
kris |
Repair a broken conflict resolution in r1.2 which had the effect of nullifying the login_cap and login.access checks for whether a user/host is allowed access to the system for users other than root. But since we currently don't have a similar check in the ssh2 code path anyway, it's um, "okay".
Submitted by: gshapiro
|
65359 |
02-Sep-2000 |
kris |
Repair my dyslexia: s/opt/otp/ in the OPIE challenge. D'oh!
Submitted by: gshapiro
|
65358 |
02-Sep-2000 |
kris |
Re-add missing "break" which was lost during a previous patch integration. This currently has no effect.
Submitted by: gshapiro
|
65357 |
02-Sep-2000 |
kris |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default.
Reminded by: peter
|
65022 |
23-Aug-2000 |
kris |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds.
PR: 20488 Submitted by: rwatson
|
65020 |
23-Aug-2000 |
kris |
Respect X11BASE to derive the location of xauth(1)
PR: 17818 Submitted by: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
|
64098 |
01-Aug-2000 |
asmodai |
Chalk up another phkmalloc victim.
It seems as if uninitialised memory was the culprit.
We may want to contribute this back to the OpenSSH project.
Submitted by: Alexander Leidinger <Alexander@Leidinger.net> on -current.
|
63919 |
27-Jul-2000 |
asmodai |
Fix a weird typo, is -> are. The OpenSSH maintainer probably wants to contribute this back to the real OpenSSH guys.
Submitted by: Jon Perkin <sketchy@netcraft.com>
|
63915 |
27-Jul-2000 |
marko |
Fixed a minor typo in the header.
Pointed out by: asmodai
|
63849 |
25-Jul-2000 |
marko |
Committed, Thanks!!
PR: 20108 Submitted by: Doug Lee
|
62944 |
11-Jul-2000 |
peter |
Sync sshd_config with sshd and manpage internal defaults (Checkmail = yes)
|
62943 |
11-Jul-2000 |
peter |
Sync LoginGraceTime with sshd_config = 60 seconds by default, not 600.
|
62942 |
11-Jul-2000 |
peter |
Fix out-of-sync defaults. PermitRootLogin is supposed to be 'no' but sshd's internal default was 'yes'. (if some cracker managed to trash /etc/ssh/sshd_config, then root logins could be reactivated)
Approved by: kris
|
62940 |
11-Jul-2000 |
peter |
Make FallBackToRsh off by default. Falling back to rsh by default is silly in this day and age.
Approved by: kris
|
62567 |
04-Jul-2000 |
green |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :)
|
62179 |
27-Jun-2000 |
green |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion.
|
62144 |
26-Jun-2000 |
green |
Also make sure to close the socket that exceeds your rate limit.
|
62101 |
26-Jun-2000 |
green |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line.
Suggested by: Niels Provos <niels@OpenBSD.org>
|
61563 |
11-Jun-2000 |
kris |
Fix syntax error in previous commit.
Submitted by: Udo Schweigert <ust@cert.siemens.de>
|
61529 |
10-Jun-2000 |
kris |
Fix security botch in "UseLogin Yes" case: commands are executed with uid 0.
Obtained from: OpenBSD
|
61498 |
10-Jun-2000 |
ru |
Make `ssh-agent -k' work for csh(1)-like shells.
|
61320 |
06-Jun-2000 |
green |
Allow "DenyUsers" to function.
|
61212 |
03-Jun-2000 |
kris |
Resolve conflicts
|
61210 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61209, which included commits to RCS files with non-trunk default branches.
|
61208 |
03-Jun-2000 |
kris |
Resolve conflicts
|
61207 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61206, which included commits to RCS files with non-trunk default branches.
|
61203 |
03-Jun-2000 |
kris |
Bring vendor patches onto the main branch, and resolve conflicts.
|
61202 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61201, which included commits to RCS files with non-trunk default branches.
|
61200 |
03-Jun-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r61199, which included commits to RCS files with non-trunk default branches.
|
61087 |
30-May-2000 |
kris |
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
|
60938 |
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen.
Requested by: msmith and others
|
60833 |
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk Reviewed by: phk Approved by: mdodd
|
60813 |
23-May-2000 |
ache |
Turn on CheckMail to be more login-compatible by default
|
60785 |
22-May-2000 |
brian |
Don't USE_PIPES
Spammed by: peter Submitted by: mkn@uk.FreeBSD.org
|
60678 |
18-May-2000 |
kris |
Correct two stupid typos in the DSA key location.
Submitted by: Udo Schweigert <ust@cert.siemens.de>
|
60663 |
17-May-2000 |
kris |
Unbreak Kerberos5 compilation. This still remains untested.
Noticed by: obrien
|
60579 |
15-May-2000 |
kris |
Oops, rename S/Key to Opie in line with FreeBSD usage.
|
60578 |
15-May-2000 |
kris |
Create a DSA host key if one does not already exist, and teach sshd_config about it.
|
60576 |
15-May-2000 |
kris |
Resolve conflicts and update for FreeBSD.
|
60574 |
15-May-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r60573, which included commits to RCS files with non-trunk default branches.
|
59803 |
30-Apr-2000 |
nik |
Note that X11 Forwarding is off by default.
PR: docs/17566 Submitted by: Keith Stevenson <ktstev01@louisville.edu>
|
58772 |
29-Mar-2000 |
kris |
Fix a memory leak.
PR: 17360 Submitted by: Andrew J. Korty <ajk@iu.edu>
|
58592 |
26-Mar-2000 |
kris |
#include <ssl/foo.h> -> #include <openssl/foo.h>
|
58585 |
26-Mar-2000 |
kris |
Resolve conflicts.
|
58583 |
26-Mar-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r58582, which included commits to RCS files with non-trunk default branches.
|
58531 |
24-Mar-2000 |
brian |
Use pipe() instead of socketpair() in sshd when communicating with the client. This allows ppp/ssh style tunnels to function again.
Ok'd by: markk Submitted by: markk@knigma.org
|
58520 |
24-Mar-2000 |
mpp |
Fix a few spelling errors.
|
58463 |
22-Mar-2000 |
sheldonh |
IgnoreUserKnownHosts is a boolean flag, not an integer value.
The fix submitted in the attributed PR is identical to the one adopted by OpenBSD.
PR: 17027 Submitted by: David Malone <dwmalone@maths.tcd.ie> Obtained from: OpenBSD
|
57971 |
13-Mar-2000 |
kris |
Add a new function stub to libcrypto() which resolves to a symbol in the librsa* library and reports which version of the library (OpenSSL/RSAREF) is being used.
This is then used in openssh to detect the failure case of RSAREF and a RSA key >1024 bits, to print a more helpful error message than 'rsa_public_encrypt() failed.'
This is a 4.0-RELEASE candidate.
|
57952 |
13-Mar-2000 |
kris |
Various manpage style/grammar/formatting cleanups
Submitted by: Peter Jeremy <peter.jeremy@alcatel.com.au>, jedgar PR: 17292 (remainder of)
|
57886 |
10-Mar-2000 |
nik |
- typos
- Add double spaces following full stops to improve typeset output
- mdoc-ification. (Though I'm uncertain whether option values and contents should be .Dq or something else).
- Fix a missed /etc/ssh change
- Expand wording on RandomSeed and behaviour when X11 isn't forwarded.
- Change examples to literal mode.
- Trim trailing whitespace
PR: docs/17292 Submitted by: Peter Jeremy <peter.jeremy@alcatel.com.au>
|
57853 |
09-Mar-2000 |
markm |
Make LOGIN_CAP work properly.
|
57811 |
08-Mar-2000 |
kris |
/etc -> /etc/ssh
Submitted by: Ben Smithurst <ben@scientia.demon.co.uk>
|
57741 |
03-Mar-2000 |
jhay |
MFI: Use krb5 functions in krb5 files.
Reviewed by: markm
|
57708 |
03-Mar-2000 |
green |
Turn off X11 forwarding in the client. X11 forwarding in the server by default should probably also get turned on, now.
Requested by: kris Obtained from: OpenBSD
|
57633 |
29-Feb-2000 |
ume |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's time to enable it.
Reviewed by: markm, shin Approved by: jkh
|
57565 |
28-Feb-2000 |
markm |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz>
2) Add full LOGIN_CAP capability by Andrey Chernov
|
57563 |
28-Feb-2000 |
brian |
Don't put truncated hostnames in utmp
Approved by: jkh
|
57496 |
26-Feb-2000 |
peter |
Redo this with a repo copy from the original file and reset the __PREFIX__ markers.
|
57493 |
26-Feb-2000 |
peter |
oops, update path to /etc/ssh/ssh_host_key
|
57487 |
25-Feb-2000 |
peter |
Merge from internat.freebsd.org; move ssh files from /etc to /etc/ssh
|
57470 |
25-Feb-2000 |
green |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :(
|
57467 |
25-Feb-2000 |
peter |
Fix garbage in SSH_PROGRAM (only on freefall, not internat)
|
57465 |
25-Feb-2000 |
green |
Make "CheckHostIP" default to off. This was proposed on -security and earlier IRC, but despite my initial feeling against it, this seems the more proper thing to do.
Proposed by: rwatson
|
57464 |
25-Feb-2000 |
green |
The includes must be <openssl/.*\.h>, not <ssl/.*\.h>.
|
57463 |
24-Feb-2000 |
markm |
remove more ports crud.
|
57462 |
24-Feb-2000 |
markm |
remove ports junk
|
57432 |
24-Feb-2000 |
markm |
Add the patches from ports (QV: ports/security/openssh/patches/patch-*)
|
57430 |
24-Feb-2000 |
markm |
This commit was generated by cvs2svn to compensate for changes in r57429, which included commits to RCS files with non-trunk default branches.
|
55166 |
28-Dec-1999 |
green |
Upgrade to the pam_ssh module, version 1.1.
(From the author:) Primarily, I have added built-in functions for manipulating the environment, so putenv() is no longer used. XDM and its variants should now work without modification. Note that the new code uses the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
53874 |
29-Nov-1999 |
green |
Add the PAM SSH RSA key authentication module. For example, you can add, "login auth sufficient pam_ssh.so" to your /etc/pam.conf, and users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158 Submitted by: Andrew J. Korty <ajk@waterspout.com> Reviewed by: obrien
|