#
296954 |
|
16-Mar-2016 |
glebius |
o Fix OpenSSH xauth(1) command injection. [SA-16:14]
o Fix incorrect argument validation in sysarch(2). [SA-16:15]
o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
Errata: FreeBSD-EN-16:04.hyperv
Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by: so
|
#
272461 |
|
02-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
#
264377 |
|
12-Apr-2014 |
des |
MFH (r263712): upgrade openssh to 6.6p1
MFH (r264308): restore p level in debugging output
|
#
262566 |
|
27-Feb-2014 |
des |
MFH (r261320): upgrade openssh to 6.5p1
MFH (r261340): enable sandboxing by default
|
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
#
255767 |
|
21-Sep-2013 |
des |
Upgrade to 6.3p1.
Approved by: re (gjb)
|
#
248619 |
|
22-Mar-2013 |
des |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
248231 |
|
13-Mar-2013 |
des |
Unlike OpenBSD's, our setusercontext() will intentionally ignore the user's own umask setting (from ~/.login.conf) unless running with the user's UID. Therefore, we need to call it again with LOGIN_SETUMASK after changing UID.
PR: bin/176740
Submitted by: John Marshall <john.marshall@riverwillow.com.au>
MFC after: 1 week
|
#
240075 |
|
03-Sep-2012 |
des |
Upgrade OpenSSH to 6.1p1.
|
#
226046 |
|
05-Oct-2011 |
des |
Upgrade to OpenSSH 5.9p1.
MFC after: 3 months
|
#
224638 |
|
03-Aug-2011 |
brooks |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported.
Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf.
This code is a style(9) compliant version of these features extracted from the patches published at:
http://www.psc.edu/networking/projects/hpn-ssh/
Merging this patch has been a collaboration between me and Bjoern.
Reviewed by: bz
Approved by: re (kib), des (maintainer)
|
#
221420 |
|
04-May-2011 |
des |
Upgrade to OpenSSH 5.8p2.
|
#
215116 |
|
11-Nov-2010 |
des |
Upgrade to OpenSSH 5.6p1.
|
#
213250 |
|
28-Sep-2010 |
emaste |
Remove copyright strings printed at login time via login(1) or sshd(8). It is not clear to what this copyright should apply, and this is in line with what other operating systems do.
For ssh specifically, printing of the copyright string is not in the upstream version so this reduces our FreeBSD-local diffs.
Approved by: core, des (ssh)
|
#
207319 |
|
28-Apr-2010 |
des |
Upgrade to OpenSSH 5.5p1.
|
#
204917 |
|
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
#
197679 |
|
01-Oct-2009 |
des |
Upgrade to OpenSSH 5.3p1.
|
#
192595 |
|
22-May-2009 |
des |
Upgrade to OpenSSH 5.2p1.
MFC after: 3 months
|
#
181111 |
|
01-Aug-2008 |
des |
Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed.
MFC after: 6 weeks
|
#
181097 |
|
31-Jul-2008 |
des |
Consistently set svn:eol-style.
|
#
164149 |
|
10-Nov-2006 |
des |
Resolve conflicts.
|
#
162856 |
|
30-Sep-2006 |
des |
Merge conflicts.
MFC after: 1 week
|
#
157019 |
|
22-Mar-2006 |
des |
Merge conflicts.
|
#
149753 |
|
03-Sep-2005 |
des |
Resolve conflicts.
|
#
147005 |
|
05-Jun-2005 |
des |
Resolve conflicts.
|
#
137019 |
|
28-Oct-2004 |
des |
Resolve conflicts
|
#
128460 |
|
20-Apr-2004 |
des |
Resolve conflicts.
|
#
126277 |
|
26-Feb-2004 |
des |
Resolve conflicts.
|
#
124211 |
|
07-Jan-2004 |
des |
Resolve conflicts and remove obsolete files.
Sponsored by: registrar.no
|
#
120161 |
|
17-Sep-2003 |
nectar |
Correct more cases of allocation size bookkeeping being updated before calling functions which can potentially fail and cause cleanups to be invoked.
Submitted by: Solar Designer <solar@openwall.com>
|
#
113911 |
|
23-Apr-2003 |
des |
Resolve conflicts.
|
#
107858 |
|
14-Dec-2002 |
des |
Back out a lastlog-related change which is no longer relevant.
|
#
106130 |
|
29-Oct-2002 |
des |
Resolve conflicts.
|
#
103134 |
|
09-Sep-2002 |
ume |
sshd didn't handle actual size of struct sockaddr correctly, and did copy it as long as just size of struct sockaddr. So, if connection is via IPv6, sshd didn't log hostname into utmp correctly. This problem occurred only under FreeBSD because of our hack. However, this is potential problem of OpenSSH-portable, and they agreed to fix this. Though, there is no fixed version of OpenSSH-portable available yet, since this problem is serious for IPv6 users, I commit the fix.
Reported by: many people
Reviewed by: current@ and stable@ (no objection)
MFC after: 3 days
|
#
101385 |
|
05-Aug-2002 |
ache |
Do login cap calls _before_ descriptors are hardly closed because close may invalidate login cap descriptor.
Reviewed by: des
|
#
100693 |
|
26-Jul-2002 |
ache |
Problems addressed:
1) options.print_lastlog was not honored.
2) "Last login: ..." was printed twice.
3) "copyright" was not printed
4) No newline was before motd.
Reviewed by: maintainer's silence in 2 weeks (with my constant reminders)
|
#
99063 |
|
29-Jun-2002 |
des |
Resolve conflicts.
Sponsored by: DARPA, NAI Labs
|
#
99055 |
|
29-Jun-2002 |
des |
Make sure the environment variables set by setusercontext() are passed on to the child process.
Reviewed by: ache
Sponsored by: DARPA, NAI Labs
|
#
98941 |
|
27-Jun-2002 |
des |
Forcibly revert to mainline.
|
#
98695 |
|
23-Jun-2002 |
des |
Correctly export the environment variables set by setusercontext().
Sponsored by: DARPA, NAI Labs
|
#
98684 |
|
23-Jun-2002 |
des |
Resolve conflicts. Known issues:
- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated
I will have these issues resolved, and privilege separation turned on by default, in time for DP2.
Sponsored by: DARPA, NAI Labs
|
#
95312 |
|
23-Apr-2002 |
ache |
1) Properly conditionalize PAM "last login" printout.
2) For "copyright" case #ifdef HAVE_LOGIN_CAP was placed on too big block, narrow it down.
3) Don't check the same conditions twice (for "copyright" and "welcome"), put them under single block.
4) Print \n between "copyright" and "welcome" as our login does.
Reviewed by: des (1)
|
#
95242 |
|
22-Apr-2002 |
des |
Don't report last login time in PAM case. (perforce change 10057)
Sponsored by: DARPA, NAI Labs
|
#
95207 |
|
21-Apr-2002 |
ache |
Move LOGIN_CAP calls before all file descriptors are closed hard, since some descriptors may be used by LOGIN_CAP internally, add login_close().
Use "nocheckmail" LOGIN_CAP capability too like our login does.
|
#
95120 |
|
20-Apr-2002 |
ache |
Fix TZ & TERM handling for use_login case of rev. 1.24
|
#
95119 |
|
20-Apr-2002 |
ache |
1) Surprisingly, "CheckMail" handling code completely removed from this version, so documented "CheckMail" option exists but does nothing. Bring it back to life adding code back.
2) Cosmetic. Reduce number of args in do_setusercontext()
|
#
95109 |
|
20-Apr-2002 |
ache |
1) Fix overlook in my prev. commit - forget HAVE_ prefix in one place in old code merge.
2) In addition honor "timezone" and "term" capabilities from login.conf, not overwrite them once they set (they are TZ and TERM variables).
|
#
95105 |
|
20-Apr-2002 |
ache |
Please repeat after me: setusercontext() modifies _current_ environment, but sshd uses separate child_env. So, to make setusercontext() really do something, environment must be switched before call and passed to child_env back after it.
The error here was that modified environment was not passed back to child_env, so all variables that setusercontext() adds are lost, including ones from ~/.login_conf
|
#
94657 |
|
14-Apr-2002 |
des |
Fix some warnings. Don't record logins twice in USE_PAM case. Strip "/dev/" off the tty name before passing it to auth_ttyok or PAM.
Inspired by: dinoex
Sponsored by: DARPA, NAI Labs
|
#
94203 |
|
08-Apr-2002 |
ru |
Align for const poisoning in -lutil.
|
#
92559 |
|
18-Mar-2002 |
des |
Fix conflicts.
|
#
91431 |
|
27-Feb-2002 |
green |
Use login_getpwclass() instead of login_getclass() so that default mapping of user login classes works.
Obtained from: TrustedBSD project
Sponsored by: DARPA, NAI Labs
|
#
87255 |
|
02-Dec-2001 |
nectar |
Do not pass user-defined environmental variables to /usr/bin/login.
Obtained from: OpenBSD
Approved by: green
|
#
86617 |
|
19-Nov-2001 |
dwmalone |
In the "UseLogin yes" case we need env to be NULL to make sure it will be correctly initialised.
PR: 32065
Tested by: The Anarcat <anarcat@anarcat.dyndns.org>
MFC after: 3 days
|
#
77925 |
|
08-Jun-2001 |
green |
Switch to the user's uid before attempting to unlink the auth forwarding file, nullifying the effects of a race.
Obtained from: OpenBSD
|
#
76262 |
|
04-May-2001 |
green |
Fix conflicts for OpenSSH 2.9.
|
#
74090 |
|
11-Mar-2001 |
green |
Reenable the SIGPIPE signal handler default in all cases for spawned sessions.
|
#
71317 |
|
21-Jan-2001 |
green |
Actually propagate back to the rest of the application that a command was specified when using -t mode with the SSH client.
Submitted by: Dima Dorfman <dima@unixfreak.org>
|
#
69673 |
|
06-Dec-2000 |
green |
The PAM support for our OpenSSH is sponsored by Enitel ASA.
PAM support by: Eivind Eklund <eivind@FreeBSD.org>
|
#
69591 |
|
05-Dec-2000 |
green |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website.
Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklund, too.
This requires at least the following in pam.conf:
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
Parts by: Eivind Eklund <eivind@FreeBSD.org>
|
#
65674 |
|
10-Sep-2000 |
kris |
Resolve conflicts and update for OpenSSH 2.2.0
Reviewed by: gshapiro, peter, green
|
#
65433 |
|
04-Sep-2000 |
kris |
ttyname was not being passed into do_login(), so we were erroneously picking up the function definition from unistd.h instead. Use s->tty instead.
Submitted by: peter
|
#
65361 |
|
02-Sep-2000 |
kris |
Err, we weren't even compiling auth1.c with LOGIN_CAP at all. Guess nobody was using this feature.
|
#
63249 |
|
16-Jul-2000 |
peter |
Forced commit. This is to try and help folks that used the international crypto repo and have slightly different files but with the same version. cvsup in 'checkout mode' has no trouble with this, but cvs can get really silly about it.
|
#
61563 |
|
11-Jun-2000 |
kris |
Fix syntax error in previous commit.
Submitted by: Udo Schweigert <ust@cert.siemens.de>
|
#
61529 |
|
10-Jun-2000 |
kris |
Fix security botch in "UseLogin Yes" case: commands are executed with uid 0.
Obtained from: OpenBSD
|
#
61203 |
|
03-Jun-2000 |
kris |
Bring vendor patches onto the main branch, and resolve conflicts.
|
#
60663 |
|
17-May-2000 |
kris |
Unbreak Kerberos5 compilation. This still remains untested.
Noticed by: obrien
|
#
60576 |
|
15-May-2000 |
kris |
Resolve conflicts and update for FreeBSD.
|
#
60574 |
|
15-May-2000 |
kris |
This commit was generated by cvs2svn to compensate for changes in r60573, which included commits to RCS files with non-trunk default branches.
|
#
60573 |
|
15-May-2000 |
kris |
Initial import of OpenSSH v2.1.
|