Diffstat (limited to 'usr/src/cmd/ssh/doc')
-rw-r--r--  usr/src/cmd/ssh/doc/COPYING.Ylonen  70
-rw-r--r--  usr/src/cmd/ssh/doc/CREDITS  87
-rw-r--r--  usr/src/cmd/ssh/doc/ChangeLog  2590
-rw-r--r--  usr/src/cmd/ssh/doc/INSTALL  199
-rw-r--r--  usr/src/cmd/ssh/doc/LICENCE  194
-rw-r--r--  usr/src/cmd/ssh/doc/OVERVIEW  164
-rw-r--r--  usr/src/cmd/ssh/doc/README  70
-rw-r--r--  usr/src/cmd/ssh/doc/README.Ylonen  567
-rw-r--r--  usr/src/cmd/ssh/doc/WARNING.RNG  79
-rw-r--r--  usr/src/cmd/ssh/doc/nchan.ms  97
-rw-r--r--  usr/src/cmd/ssh/doc/nchan2.ms  64
11 files changed, 0 insertions, 4181 deletions
diff --git a/usr/src/cmd/ssh/doc/COPYING.Ylonen b/usr/src/cmd/ssh/doc/COPYING.Ylonen
deleted file mode 100644
index ad17df17a0..0000000000
--- a/usr/src/cmd/ssh/doc/COPYING.Ylonen
+++ /dev/null
@@ -1,70 +0,0 @@
-This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland
-
-
-COPYING POLICY AND OTHER LEGAL ISSUES
-
-As far as I am concerned, the code I have written for this software
-can be used freely for any purpose. Any derived versions of this
-software must be clearly marked as such, and if the derived work is
-incompatible with the protocol description in the RFC file, it must be
-called by a name other than "ssh" or "Secure Shell".
-
-However, I am not implying to give any licenses to any patents or
-copyrights held by third parties, and the software includes parts that
-are not under my direct control. As far as I know, all included
-source code is used in accordance with the relevant license agreements
-and can be used freely for any purpose (the GNU license being the most
-restrictive); see below for details.
-
-[ RSA is no longer included. ]
-[ IDEA is no longer included. ]
-[ DES is now external. ]
-[ GMP is now external. No more GNU licence. ]
-[ Zlib is now external. ]
-[ The make-ssh-known-hosts script is no longer included. ]
-[ TSS has been removed. ]
-[ MD5 is now external. ]
-[ RC4 support has been removed (RC4 is used internally for arc4random). ]
-[ Blowfish is now external. ]
-
-The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
-Comments in the file indicate it may be used for any purpose without
-restrictions.
-
-The 32-bit CRC compensation attack detector in deattack.c was
-contributed by CORE SDI S.A. under a BSD-style license. See
-http://www.core-sdi.com/english/ssh/ for details.
-
-Note that any information and cryptographic algorithms used in this
-software are publicly available on the Internet and at any major
-bookstore, scientific library, and patent office worldwide. More
-information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-The legal status of this program is some combination of all these
-permissions and restrictions. Use only at your own responsibility.
-You will be responsible for any legal consequences yourself; I am not
-making any claims whether possessing or using this is legal or not in
-your country, and I am not taking any responsibility on your behalf.
-
-
- NO WARRANTY
-
-BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
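Review bot: Removing COPYING.Ylonen drops the attribution and license notes for crc32.c (Gary S. Brown) and deattack.c (CORE SDI S.A., BSD-style), in the two paragraphs starting "The 32-bit CRC", along with the requirement that derived versions be clearly marked as such. If either source file, or any other code derived from this ssh, stays in the tree after this commit, those notices need to be carried somewhere else, for example in the file headers or a consolidated third-party license file. The diffstat shown is limited to usr/src/cmd/ssh/doc and LICENCE is deleted in the same change, so this view does not show where the terms would live afterwards; the commit message should state it.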
diff --git a/usr/src/cmd/ssh/doc/CREDITS b/usr/src/cmd/ssh/doc/CREDITS
deleted file mode 100644
index 8831cdd5ac..0000000000
--- a/usr/src/cmd/ssh/doc/CREDITS
+++ /dev/null
@@ -1,87 +0,0 @@
-Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
-
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt, and Dug Song - Creators of OpenSSH
-
-Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
-Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
-Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
-Andrew McGill <andrewm@datrix.co.za> - SCO fixes
-Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
-Andy Sloane <andy@guildsoftware.com> - bugfixes
-Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
-Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
-Ben Lindstrom <mouring@pconline.com> - NeXT support
-Ben Taylor <bent@clark.net> - Solaris debugging and fixes
-Bratislav ILICH <bilic@zepter.ru> - Configure fix
-Charles Levert <charles@comm.polymtl.ca> - SunOS 4 & bug fixes
-Chip Salzenberg <chip@valinux.com> - Assorted patches
-Chris Adams <cmadams@hiwaay.net> - OSF SIA support
-Chris Saia <csaia@wtower.com> - SuSE packaging
-Chris, the Young One <cky@pobox.com> - Password auth fixes
-Christos Zoulas <christos@zoulas.com> - Autoconf fixes
-Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
-Corinna Vinschen <vinschen@cygnus.com> - Cygwin support
-Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
-Darren Hall <dhall@virage.org> - AIX patches
-David Agraz <dagraz@jahoopa.com> - Build fixes
-David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
-David Hesprich <darkgrue@gue-tech.org> - Configure fixes
-David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
-Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
-Garrick James <garrick@james.net> - configure fixes
-Gary E. Miller <gem@rellim.com> - SCO support
-Ged Lodder <lodder@yacc.com.au> - HPUX fixes and enhancements
-Gert Doering <gd@hilb1.medat.de> - bug and portability fixes
-HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp> - Translations & doc fixes
-Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp> - IPv6 and bug fixes
-Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp> - Configure fixes
-Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
-IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes
-Jani Hakala <jahakala@cc.jyu.fi> - Patches
-Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
-Jim Knoble <jmknoble@pobox.com> - Many patches
-Jonchen (email unknown) - the original author of PAM support of SSH
-Juergen Keil <jk@tools.de> - scp bugfixing
-KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes
-Kees Cook <cook@cpoint.net> - scp fixes
-Kenji Miyake <kenji@miyake.org> - Configure fixes
-Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation
-Kevin Steves <stevesk@sweden.hp.com> - HP support, bugfixes, improvements
-Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
-Larry Jones <larry.jones@sdrc.com> - Bugfixes
-Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> - Bugfixes
-Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
-Martin Johansson <fatbob@acc.umu.se> - Linux fixes
-Mark Miller <markm@swoon.net> - Bugfixes
-Matt Richards <v2matt@btv.ibm.com> - AIX patches
-Michael Stone <mstone@cs.loyola.edu> - Irix enhancements
-Nakaji Hiroyuki <nakaji@tutrp.tut.ac.jp> - Sony News-OS patch
-Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
-Nate Itkin <nitkin@europa.com> - SunOS 4.1.x fixes
-Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
-Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> - Security fixes
-Pavel Troller <patrol@omni.sinus.cz> - Bugfixes
-Pekka Savola <pekkas@netcore.fi> - Bugfixes
-Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
-Phil Hands <phil@hands.com> - Debian scripts, assorted patches
-Phil Karn <karn@ka9q.ampr.org> - Autoconf fixes
-Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
-Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
-Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
-SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
-Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes
-Svante Signell <svante.signell@telia.com> - Bugfixes
-Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
-Tim Rice <tim@multitalents.net> - Portability & SCO fixes
-Tobias Oetiker <oetiker@ee.ethz.ch> - Bugfixes
-Tom Bertelson's <tbert@abac.com> - AIX auth fixes
-Tor-Ake Fransson <torake@hotmail.com> - AIX support
-Tudor Bosman <tudorb@jm.nu> - MD5 password support
-Udo Schweigert <ust@cert.siemens.de> - ReliantUNIX support
-Zack Weinberg <zack@wolery.cumb.org> - GNOME askpass enhancement
-
-Apologies to anyone I have missed.
-
-Damien Miller <djm@mindrot.org>
diff --git a/usr/src/cmd/ssh/doc/ChangeLog b/usr/src/cmd/ssh/doc/ChangeLog
deleted file mode 100644
index 7333c81a3e..0000000000
--- a/usr/src/cmd/ssh/doc/ChangeLog
+++ /dev/null
@@ -1,2590 +0,0 @@
-20001106
- - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs
- - (djm) Manually fix up missed diff hunks (mainly RCS idents)
- - (djm) Remove UPGRADING document in favour of a link to the better
- maintained FAQ on www.openssh.com
- - (djm) Fix multiple dependancy on gnome-libs from Pekka Savola
- <pekkas@netcore.fi>
- - (djm) Don't need X11-askpass in RPM spec file if building without it
- from Pekka Savola <pekkas@netcore.fi>
- - (djm) Release 2.3.0p1
-
-20001105
- - (bal) Sync with OpenBSD:
- - markus@cvs.openbsd.org 2000/10/31 9:31:58
- [compat.c]
- handle all old openssh versions
- - markus@cvs.openbsd.org 2000/10/31 13:1853
- [deattack.c]
- so that large packets do not wrap "n"; from netbsd
- - (bal) rijndel.c - fix up RCSID to match OpenBSD tree
- - (bal) auth2-skey.c - Checked in. Missing from portable tree.
- - (bal) Reworked NEWS-OS and NeXT ports to extract waitpid() and
- setsid() into more common files
- - (stevesk) pty.c: use __hpux to identify HP-UX.
- - (bal) Missed auth-skey.o in Makefile.in and minor correction to
- bsd-waitpid.c
-
-20001029
- - (stevesk) Fix typo in auth.c: USE_PAM not PAM
- - (stevesk) Create contrib/cygwin/ directory; patch from
- Corinna Vinschen <vinschen@redhat.com>
- - (bal) Resolved more $xno and $xyes issues in configure.in
- - (bal) next-posix.h - spelling and forgot a prototype
-
-20001028
- - (djm) fix select hack in serverloop.c from Philippe WILLEM
- <Philippe.WILLEM@urssaf.fr>
- - (djm) Fix mangled AIXAUTHENTICATE code
- - (djm) authctxt->pw may be NULL. Fix from Markus Friedl
- <markus.friedl@informatik.uni-erlangen.de>
- - (djm) Sync with OpenBSD:
- - markus@cvs.openbsd.org 2000/10/16 15:46:32
- [ssh.1]
- fixes from pekkas@netcore.fi
- - markus@cvs.openbsd.org 2000/10/17 14:28:11
- [atomicio.c]
- return number of characters processed; ok deraadt@
- - markus@cvs.openbsd.org 2000/10/18 12:04:02
- [atomicio.c]
- undo
- - markus@cvs.openbsd.org 2000/10/18 12:23:02
- [scp.c]
- replace atomicio(read,...) with read(); ok deraadt@
- - markus@cvs.openbsd.org 2000/10/18 12:42:00
- [session.c]
- restore old record login behaviour
- - deraadt@cvs.openbsd.org 2000/10/19 10:41:13
- [auth-skey.c]
- fmt string problem in unused code
- - provos@cvs.openbsd.org 2000/10/19 10:45:16
- [sshconnect2.c]
- don't reference freed memory. okay deraadt@
- - markus@cvs.openbsd.org 2000/10/21 11:04:23
- [canohost.c]
- typo, eramore@era-t.ericsson.se; ok niels@
- - markus@cvs.openbsd.org 2000/10/23 13:31:55
- [cipher.c]
- non-alignment dependent swap_bytes(); from
- simonb@wasabisystems.com/netbsd
- - markus@cvs.openbsd.org 2000/10/26 12:38:28
- [compat.c]
- add older vandyke products
- - markus@cvs.openbsd.org 2000/10/27 01:32:19
- [channels.c channels.h clientloop.c serverloop.c session.c]
- [ssh.c util.c]
- enable non-blocking IO on channels, and tty's (except for the
- client ttys).
-
-20001027
- - (djm) Increase REKEY_BYTES to 2^24 for arc4random
-
-20001025
- - (djm) Added WARNING.RNG file and modified configure to ask users of the
- builtin entropy code to read it.
- - (djm) Prefer builtin regex to PCRE.
- - (bal) Added USE_PIPS defined to NeXT configure.in since scp hangs randomly.
- - (bal) Apply fixes to configure.in pointed out by Pavel Roskin
- <proski@gnu.org>
-
-20001020
- - (djm) Don't define _REENTRANT for SNI/Reliant Unix
- - (bal) Imported NEWS-OS waitpid() macros into NeXT. Since implementation
- is more correct then current version.
-
-20001018
- - (stevesk) Add initial support for setproctitle(). Current
- support is for the HP-UX pstat(PSTAT_SETCMD, ...) method.
- - (stevesk) Add egd startup scripts to contrib/hpux/
-
-20001017
- - (djm) Add -lregex to cywin libs from Corinna Vinschen
- <vinschen@cygnus.com>
- - (djm) Don't rely on atomicio's retval to determine length of askpass
- supplied passphrase. Problem report from Lutz Jaenicke
- <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - (bal) Changed from GNU rx to PCRE on suggestion from djm.
- - (bal) Integrated Sony NEWS-OS patches from NAKAJI Hirouyuki
- <nakaji@tutrp.tut.ac.jp>
-
-20001016
- - (djm) Sync with OpenBSD:
- - markus@cvs.openbsd.org 2000/10/14 04:01:15
- [cipher.c]
- debug3
- - markus@cvs.openbsd.org 2000/10/14 04:07:23
- [scp.c]
- remove spaces from arguments; from djm@mindrot.org
- - markus@cvs.openbsd.org 2000/10/14 06:09:46
- [ssh.1]
- Cipher is for SSH-1 only
- - markus@cvs.openbsd.org 2000/10/14 06:12:09
- [servconf.c servconf.h serverloop.c session.c sshd.8]
- AllowTcpForwarding; from naddy@
- - markus@cvs.openbsd.org 2000/10/14 06:16:56
- [auth2.c compat.c compat.h sshconnect2.c version.h]
- OpenSSH_2.3; note that is is not complete, but the version number
- needs to be changed for interoperability reasons
- - markus@cvs.openbsd.org 2000/10/14 06:19:45
- [auth-rsa.c]
- do not send RSA challenge if key is not allowed by key-options; from
- eivind@ThinkSec.com
- - markus@cvs.openbsd.org 2000/10/15 08:14:01
- [rijndael.c session.c]
- typos; from stevesk@sweden.hp.com
- - markus@cvs.openbsd.org 2000/10/15 08:18:31
- [rijndael.c]
- typo
- - (djm) Copy manpages back over from OpenBSD - too tedious to wade
- through diffs
- - (djm) Added condrestart to Redhat init script. Patch from Pekka Savola
- <pekkas@netcore.fi>
- - (djm) Update version in Redhat spec file
- - (djm) Merge some of Nalin Dahyabhai <nalin@redhat.com> changes from the
- Redhat 7.0 spec file
- - (djm) Make inability to read/write PRNG seedfile non-fatal
-
-
-20001015
- - (djm) Fix ssh2 hang on background processes at logout.
-
-20001014
- - (bal) Add support for realpath and getcwd for platforms with broken
- or missing realpath implementations for sftp-server.
- - (bal) Corrected mistake in INSTALL in regards to GNU rx library
- - (bal) Add support for GNU rx library for those lacking regexp support
- - (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth
- - (djm) Revert SSH2 serverloop hack, will find a better way.
- - (djm) Add workaround for Linux 2.4's gratuitious errno change. Patch
- from Martin Johansson <fatbob@acc.umu.se>
- - (djm) Big OpenBSD sync:
- - markus@cvs.openbsd.org 2000/09/30 10:27:44
- [log.c]
- allow loglevel debug
- - markus@cvs.openbsd.org 2000/10/03 11:59:57
- [packet.c]
- hmac->mac
- - markus@cvs.openbsd.org 2000/10/03 12:03:03
- [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c]
- move fake-auth from auth1.c to individual auth methods, disables s/key in
- debug-msg
- - markus@cvs.openbsd.org 2000/10/03 12:16:48
- ssh.c
- do not resolve canonname, i have no idea why this was added oin ossh
- - markus@cvs.openbsd.org 2000/10/09 15:30:44
- ssh-keygen.1 ssh-keygen.c
- -X now reads private ssh.com DSA keys, too.
- - markus@cvs.openbsd.org 2000/10/09 15:32:34
- auth-options.c
- clear options on every call.
- - markus@cvs.openbsd.org 2000/10/09 15:51:00
- authfd.c authfd.h
- interop with ssh-agent2, from <res@shore.net>
- - markus@cvs.openbsd.org 2000/10/10 14:20:45
- compat.c
- use rexexp for version string matching
- - provos@cvs.openbsd.org 2000/10/10 22:02:18
- [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h]
- First rough implementation of the diffie-hellman group exchange. The
- client can ask the server for bigger groups to perform the diffie-hellman
- in, thus increasing the attack complexity when using ciphers with longer
- keys. University of Windsor provided network, T the company.
- - markus@cvs.openbsd.org 2000/10/11 13:59:52
- [auth-rsa.c auth2.c]
- clear auth options unless auth sucessfull
- - markus@cvs.openbsd.org 2000/10/11 14:00:27
- [auth-options.h]
- clear auth options unless auth sucessfull
- - markus@cvs.openbsd.org 2000/10/11 14:03:27
- [scp.1 scp.c]
- support 'scp -o' with help from mouring@pconline.com
- - markus@cvs.openbsd.org 2000/10/11 14:11:35
- [dh.c]
- Wall
- - markus@cvs.openbsd.org 2000/10/11 14:14:40
- [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h]
- [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h]
- add support for s/key (kbd-interactive) to ssh2, based on work by
- mkiernan@avantgo.com and me
- - markus@cvs.openbsd.org 2000/10/11 14:27:24
- [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h]
- [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c]
- [sshconnect2.c sshd.c]
- new cipher framework
- - markus@cvs.openbsd.org 2000/10/11 14:45:21
- [cipher.c]
- remove DES
- - markus@cvs.openbsd.org 2000/10/12 03:59:20
- [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c]
- enable DES in SSH-1 clients only
- - markus@cvs.openbsd.org 2000/10/12 08:21:13
- [kex.h packet.c]
- remove unused
- - markus@cvs.openbsd.org 2000/10/13 12:34:46
- [sshd.c]
- Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se
- - markus@cvs.openbsd.org 2000/10/13 12:59:15
- [cipher.c cipher.h myproposal.h rijndael.c rijndael.h]
- rijndael/aes support
- - markus@cvs.openbsd.org 2000/10/13 13:10:54
- [sshd.8]
- more info about -V
- - markus@cvs.openbsd.org 2000/10/13 13:12:02
- [myproposal.h]
- prefer no compression
- - (djm) Fix scp user@host handling
- - (djm) Don't clobber ssh_prng_cmds on install
- - (stevesk) Include config.h in rijndael.c so we define intXX_t and
- u_intXX_t types on all platforms.
- - (stevesk) rijndael.c: cleanup missing declaration warnings.
- - (stevesk) ~/.hushlogin shouldn't cause required password change to
- be bypassed.
- - (stevesk) Display correct path to ssh-askpass in configure output.
- Report from Lutz Jaenicke.
-
-20001007
- - (stevesk) Print PAM return value in PAM log messages to aid
- with debugging.
- - (stevesk) Fix detection of pw_class struct member in configure;
- patch from KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp>
-
-20001002
- - (djm) Fix USER_PATH, report from Kevin Steves <stevesk@sweden.hp.com>
- - (djm) Add host system and CC to end-of-configure report. Suggested by
- Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
-
-20000931
- - (djm) Cygwin fixes from Corinna Vinschen <vinschen@cygnus.com>
-
-20000930
- - (djm) Irix ssh_prng_cmds path fix from Pekka Savola <pekkas@netcore.fi>
- - (djm) Support in bsd-snprintf.c for long long conversions from
- Ben Lindstrom <mouring@pconline.com>
- - (djm) Cleanup NeXT support from Ben Lindstrom <mouring@pconline.com>
- - (djm) Ignore SIGPIPEs from serverloop to child. Fixes crashes with
- very short lived X connections. Bug report from Tobias Oetiker
- <oetiker@ee.ethz.ch>. Fix from Markus Friedl <markus@cvs.openbsd.org>
- - (djm) Add recent InitScripts as a RPM dependancy for openssh-server
- patch from Pekka Savola <pekkas@netcore.fi>
- - (djm) Forgot to cvs add LICENSE file
- - (djm) Add LICENSE to RPM spec files
- - (djm) CVS OpenBSD sync:
- - markus@cvs.openbsd.org 2000/09/26 13:59:59
- [clientloop.c]
- use debug2
- - markus@cvs.openbsd.org 2000/09/27 15:41:34
- [auth2.c sshconnect2.c]
- use key_type()
- - markus@cvs.openbsd.org 2000/09/28 12:03:18
- [channels.c]
- debug -> debug2 cleanup
- - (djm) Irix strips "/dev/tty" from [uw]tmp entries (other systems only
- strip "/dev/"). Fix loginrec.c based on patch from Alain St-Denis
- <Alain.St-Denis@ec.gc.ca>
- - (djm) Fix 9 character passphrase failure with gnome-ssh-askpass.
- Problem was caused by interrupted read in ssh-add. Report from Donald
- J. Barry <don@astro.cornell.edu>
-
-20000929
- - (djm) Fix SSH2 not terminating until all background tasks done problem.
- - (djm) Another off-by-one fix from Pavel Kankovsky
- <peak@argo.troja.mff.cuni.cz>
- - (djm) Clean up. Strip some unnecessary differences with OpenBSD's code,
- tidy necessary differences. Use Markus' new debugN() in entropy.c
- - (djm) Merged big SCO portability patch from Tim Rice
- <tim@multitalents.net>
-
-20000926
- - (djm) Update X11-askpass to 1.0.2 in RPM spec file
- - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX
- - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
- Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
-
-20000924
- - (djm) Merged cleanup patch from Mark Miller <markm@swoon.net>
- - (djm) A bit more cleanup - created cygwin_util.h
- - (djm) Include strtok_r() from OpenBSD libc. Fixes report from Mark Miller
- <markm@swoon.net>
-
-20000923
- - (djm) Fix address logging in utmp from Kevin Steves
- <stevesk@sweden.hp.com>
- - (djm) Redhat spec and manpage fixes from Pekka Savola <pekkas@netcore.fi>
- - (djm) Seperate tests for int64_t and u_int64_t types
- - (djm) Tweak password expiry checking at suggestion of Kevin Steves
- <stevesk@sweden.hp.com>
- - (djm) NeXT patch from Ben Lindstrom <mouring@pconline.com>
- - (djm) Use printf %lld instead of %qd in sftp-server.c. Fix from
- Michael Stone <mstone@cs.loyola.edu>
- - (djm) OpenBSD CVS sync:
- - markus@cvs.openbsd.org 2000/09/17 09:38:59
- [sshconnect2.c sshd.c]
- fix DEBUG_KEXDH
- - markus@cvs.openbsd.org 2000/09/17 09:52:51
- [sshconnect.c]
- yes no; ok niels@
- - markus@cvs.openbsd.org 2000/09/21 04:55:11
- [sshd.8]
- typo
- - markus@cvs.openbsd.org 2000/09/21 05:03:54
- [serverloop.c]
- typo
- - markus@cvs.openbsd.org 2000/09/21 05:11:42
- scp.c
- utime() to utimes(); mouring@pconline.com
- - markus@cvs.openbsd.org 2000/09/21 05:25:08
- sshconnect2.c
- change login logic in ssh2, allows plugin of other auth methods
- - markus@cvs.openbsd.org 2000/09/21 05:25:35
- [auth2.c channels.c channels.h clientloop.c dispatch.c dispatch.h]
- [serverloop.c]
- add context to dispatch_run
- - markus@cvs.openbsd.org 2000/09/21 05:07:52
- authfd.c authfd.h ssh-agent.c
- bug compat for old ssh.com software
-
-20000920
- - (djm) Fix bad path substitution. Report from Andrew Miner
- <asminer@cs.iastate.edu>
-
-20000916
- - (djm) Fix SSL search order from Lutz Jaenicke
- <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - (djm) New SuSE spec from Corinna Vinschen <corinna@vinschen.de>
- - (djm) Update CygWin support from Corinna Vinschen <vinschen@cygnus.com>
- - (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage.
- Patch from Larry Jones <larry.jones@sdrc.com>
- - (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM
- password change patch.
- - (djm) Bring licenses on my stuff in line with OpenBSD's
- - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from
- Kevin Steves <stevesk@sweden.hp.com>
- - (djm) Shadow expiry check fix from Pavel Troller <patrol@omni.sinus.cz>
- - (djm) Re-enable int64_t types - we need them for sftp
- - (djm) Use libexecdir from configure , rather than libexecdir/ssh
- - (djm) Update Redhat SPEC file accordingly
- - (djm) Add Kevin Steves <stevesk@sweden.hp.com> HP/UX contrib files
- - (djm) Add Charles Levert <charles@comm.polymtl.ca> getpgrp patch
- - (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter
- <Dirk.DeWachter@rug.ac.be>
- - (djm) Fixprogs and entropy list fixes from Larry Jones
- <larry.jones@sdrc.com>
- - (djm) Fix for SuSE spec file from Takashi YOSHIDA
- <tyoshida@gemini.rc.kyushu-u.ac.jp>
- - (djm) Merge OpenBSD changes:
- - markus@cvs.openbsd.org 2000/09/05 02:59:57
- [session.c]
- print hostname (not hushlogin)
- - markus@cvs.openbsd.org 2000/09/05 13:18:48
- [authfile.c ssh-add.c]
- enable ssh-add -d for DSA keys
- - markus@cvs.openbsd.org 2000/09/05 13:20:49
- [sftp-server.c]
- cleanup
- - markus@cvs.openbsd.org 2000/09/06 03:46:41
- [authfile.h]
- prototype
- - deraadt@cvs.openbsd.org 2000/09/07 14:27:56
- [ALL]
- cleanup copyright notices on all files. I have attempted to be
- accurate with the details. everything is now under Tatu's licence
- (which I copied from his readme), and/or the core-sdi bsd-ish thing
- for deattack, or various openbsd developers under a 2-term bsd
- licence. We're not changing any rules, just being accurate.
- - markus@cvs.openbsd.org 2000/09/07 14:40:30
- [channels.c channels.h clientloop.c serverloop.c ssh.c]
- cleanup window and packet sizes for ssh2 flow control; ok niels
- - markus@cvs.openbsd.org 2000/09/07 14:53:00
- [scp.c]
- typo
- - markus@cvs.openbsd.org 2000/09/07 15:13:37
- [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c]
- [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h]
- [pty.c readconf.c]
- some more Copyright fixes
- - markus@cvs.openbsd.org 2000/09/08 03:02:51
- [README.openssh2]
- bye bye
- - deraadt@cvs.openbsd.org 2000/09/11 18:38:33
- [LICENCE cipher.c]
- a few more comments about it being ARC4 not RC4
- - markus@cvs.openbsd.org 2000/09/12 14:53:11
- [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c]
- multiple debug levels
- - markus@cvs.openbsd.org 2000/09/14 14:25:15
- [clientloop.c]
- typo
- - deraadt@cvs.openbsd.org 2000/09/15 01:13:51
- [ssh-agent.c]
- check return value for setenv(3) for failure, and deal appropriately
-
-20000913
- - (djm) Fix server not exiting with jobs in background.
-
-20000905
- - (djm) Import OpenBSD CVS changes
- - markus@cvs.openbsd.org 2000/08/31 15:52:24
- [Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c]
- implement a SFTP server. interops with sftp2, scp2 and the windows
- client from ssh.com
- - markus@cvs.openbsd.org 2000/08/31 15:56:03
- [README.openssh2]
- sync
- - markus@cvs.openbsd.org 2000/08/31 16:05:42
- [session.c]
- Wall
- - markus@cvs.openbsd.org 2000/08/31 16:09:34
- [authfd.c ssh-agent.c]
- add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions
- - deraadt@cvs.openbsd.org 2000/09/01 09:25:13
- [scp.1 scp.c]
- cleanup and fix -S support; stevesk@sweden.hp.com
- - markus@cvs.openbsd.org 2000/09/01 16:29:32
- [sftp-server.c]
- portability fixes
- - markus@cvs.openbsd.org 2000/09/01 16:32:41
- [sftp-server.c]
- fix cast; mouring@pconline.com
- - itojun@cvs.openbsd.org 2000/09/03 09:23:28
- [ssh-add.1 ssh.1]
- add missing .El against .Bl.
- - markus@cvs.openbsd.org 2000/09/04 13:03:41
- [session.c]
- missing close; ok theo
- - markus@cvs.openbsd.org 2000/09/04 13:07:21
- [session.c]
- fix get_last_login_time order; from andre@van-veen.de
- - markus@cvs.openbsd.org 2000/09/04 13:10:09
- [sftp-server.c]
- more cast fixes; from mouring@pconline.com
- - markus@cvs.openbsd.org 2000/09/04 13:06:04
- [session.c]
- set SSH_ORIGINAL_COMMAND; from Leakin@dfw.nostrum.com, bet@rahul.net
- - (djm) Cleanup after import. Fix sftp-server compilation, Makefile
- - (djm) Merge cygwin support from Corinna Vinschen <vinschen@cygnus.com>
-
-20000903
- - (djm) Fix Redhat init script
-
-20000901
- - (djm) Pick up Jim's new X11-askpass
- - (djm) Release 2.2.0p1
-
-20000831
- - (djm) Workaround SIGPIPE problems on SCO. Fix from Aran Cox
- <acox@cv.telegroup.com>
- - (djm) Pick up new version (2.2.0) from OpenBSD CVS
-
-20000830
- - (djm) Compile warning fixes from Mark Miller <markm@swoon.net>
- - (djm) Periodically rekey arc4random
- - (djm) Clean up diff against OpenBSD.
- - (djm) HPUX 11 needs USE_PIPES as well: Kevin Steves
- <stevesk@sweden.hp.com>
- - (djm) Quieten the pam delete credentials error message
- - (djm) Fix printing of $DISPLAY hack if set by system type. Report from
- Kevin Steves <stevesk@sweden.hp.com>
- - (djm) NeXT patch from Ben Lindstrom <mouring@pconline.com>
- - (djm) Fix doh in bsd-arc4random.c
-
-20000829
- - (djm) Fix ^C ignored issue on Solaris. Diagnosis from Gert
- Doering <gert@greenie.muc.de>, John Horne <J.Horne@plymouth.ac.uk> and
- Garrick James <garrick@james.net>
- - (djm) Check for SCO pty naming style (ptyp%d/ttyp%d). Based on fix from
- Bastian Trompetter <btrompetter@firemail.de>
- - (djm) NeXT tweaks from Ben Lindstrom <mouring@pconline.com>
- - More OpenBSD updates:
- - deraadt@cvs.openbsd.org 2000/08/24 15:46:59
- [scp.c]
- off_t in sink, to fix files > 2GB, i think, test is still running ;-)
- - deraadt@cvs.openbsd.org 2000/08/25 10:10:06
- [session.c]
- Wall
- - markus@cvs.openbsd.org 2000/08/26 04:33:43
- [compat.c]
- ssh.com-2.3.0
- - markus@cvs.openbsd.org 2000/08/27 12:18:05
- [compat.c]
- compatibility with future ssh.com versions
- - deraadt@cvs.openbsd.org 2000/08/27 21:50:55
- [auth-krb4.c session.c ssh-add.c sshconnect.c uidswap.c]
- print uid/gid as unsigned
- - markus@cvs.openbsd.org 2000/08/28 13:51:00
- [ssh.c]
- enable -n and -f for ssh2
- - markus@cvs.openbsd.org 2000/08/28 14:19:53
- [ssh.c]
- allow combination of -N and -f
- - markus@cvs.openbsd.org 2000/08/28 14:20:56
- [util.c]
- util.c
- - markus@cvs.openbsd.org 2000/08/28 14:22:02
- [util.c]
- undo
- - markus@cvs.openbsd.org 2000/08/28 14:23:38
- [util.c]
- don't complain if setting NONBLOCK fails with ENODEV
-
-20000823
- - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4
- Avoids "scp never exits" problem. Reports from Lutz Jaenicke
- <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Tamito KAJIYAMA
- <kajiyama@grad.sccs.chukyo-u.ac.jp>
- - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers
- - (djm) Add local version to version.h
- - (djm) Don't reseed arc4random everytime it is used
- - (djm) OpenBSD CVS updates:
- - deraadt@cvs.openbsd.org 2000/08/18 20:07:23
- [ssh.c]
- accept remsh as a valid name as well; roman@buildpoint.com
- - deraadt@cvs.openbsd.org 2000/08/18 20:17:13
- [deattack.c crc32.c packet.c]
- rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
- libz crc32 function yet, because it has ugly "long"'s in it;
- oneill@cs.sfu.ca
- - deraadt@cvs.openbsd.org 2000/08/18 20:26:08
- [scp.1 scp.c]
- -S prog support; tv@debian.org
- - deraadt@cvs.openbsd.org 2000/08/18 20:50:07
- [scp.c]
- knf
- - deraadt@cvs.openbsd.org 2000/08/18 20:57:33
- [log-client.c]
- shorten
- - markus@cvs.openbsd.org 2000/08/19 12:48:11
- [channels.c channels.h clientloop.c ssh.c ssh.h]
- support for ~. in ssh2
- - deraadt@cvs.openbsd.org 2000/08/19 15:29:40
- [crc32.h]
- proper prototype
- - markus@cvs.openbsd.org 2000/08/19 15:34:44
- [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1]
- [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile]
- [fingerprint.c fingerprint.h]
- add SSH2/DSA support to the agent and some other DSA related cleanups.
- (note that we cannot talk to ssh.com's ssh2 agents)
- - markus@cvs.openbsd.org 2000/08/19 15:55:52
- [channels.c channels.h clientloop.c]
- more ~ support for ssh2
- - markus@cvs.openbsd.org 2000/08/19 16:21:19
- [clientloop.c]
- oops
- - millert@cvs.openbsd.org 2000/08/20 12:25:53
- [session.c]
- We have to stash the result of get_remote_name_or_ip() before we
- close our socket or getpeername() will get EBADF and the process
- will exit. Only a problem for "UseLogin yes".
- - millert@cvs.openbsd.org 2000/08/20 12:30:59
- [session.c]
- Only check /etc/nologin if "UseLogin no" since login(1) may have its
- own policy on determining who is allowed to login when /etc/nologin
- is present. Also use the _PATH_NOLOGIN define.
- - millert@cvs.openbsd.org 2000/08/20 12:42:43
- [auth1.c auth2.c session.c ssh.c]
- Add calls to setusercontext() and login_get*(). We basically call
- setusercontext() in most places where previously we did a setlogin().
- Add default login.conf file and put root in the "daemon" login class.
- - millert@cvs.openbsd.org 2000/08/21 10:23:31
- [session.c]
- Fix incorrect PATH setting; noted by Markus.
-
-20000818
- - (djm) OpenBSD CVS changes:
- - markus@cvs.openbsd.org 2000/07/22 03:14:37
- [servconf.c servconf.h sshd.8 sshd.c sshd_config]
- random early drop; ok theo, niels
- - deraadt@cvs.openbsd.org 2000/07/26 11:46:51
- [ssh.1]
- typo
- - deraadt@cvs.openbsd.org 2000/08/01 11:46:11
- [sshd.8]
- many fixes from pepper@mail.reppep.com
- - provos@cvs.openbsd.org 2000/08/01 13:01:42
- [Makefile.in util.c aux.c]
- rename aux.c to util.c to help with cygwin port
- - deraadt@cvs.openbsd.org 2000/08/02 00:23:31
- [authfd.c]
- correct sun_len; Alexander@Leidinger.net
- - provos@cvs.openbsd.org 2000/08/02 10:27:17
- [readconf.c sshd.8]
- disable kerberos authentication by default
- - provos@cvs.openbsd.org 2000/08/02 11:27:05
- [sshd.8 readconf.c auth-krb4.c]
- disallow kerberos authentication if we can't verify the TGT; from
- dugsong@
- kerberos authentication is on by default only if you have a srvtab.
- - markus@cvs.openbsd.org 2000/08/04 14:30:07
- [auth.c]
- unused
- - markus@cvs.openbsd.org 2000/08/04 14:30:35
- [sshd_config]
- MaxStartups
- - markus@cvs.openbsd.org 2000/08/15 13:20:46
- [authfd.c]
- cleanup; ok niels@
- - markus@cvs.openbsd.org 2000/08/17 14:05:10
- [session.c]
- cleanup login(1)-like jobs, no duplicate utmp entries
- - markus@cvs.openbsd.org 2000/08/17 14:06:34
- [session.c sshd.8 sshd.c]
- sshd -u len, similar to telnetd
- - (djm) Lastlog was not getting closed after writing login entry
- - (djm) Add Solaris package support from Rip Loomis <loomisg@cist.saic.com>
-
-20000816
- - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc)
- - (djm) Fix strerror replacement for old SunOS. Based on patch from
- Charles Levert <charles@comm.polymtl.ca>
- - (djm) Seperate arc4random into seperate file and use OpenSSL's RC4
- implementation.
- - (djm) SUN_LEN macro for systems which lack it
-
-20000815
- - (djm) More SunOS 4.1.x fixes from Nate Itkin <nitkin@europa.com>
- - (djm) Avoid failures on Irix when ssh is not setuid. Fix from
- Michael Stone <mstone@cs.loyola.edu>
- - (djm) Don't seek in directory based lastlogs
- - (djm) Fix --with-ipaddr-display configure option test. Patch from
- Jarno Huuskonen <jhuuskon@messi.uku.fi>
- - (djm) Fix AIX limits from Alexandre Oliva <oliva@lsd.ic.unicamp.br>
-
-20000813
- - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from
- Fabrice bacchella <fabrice.bacchella@marchfirst.fr>
-
-20000809
- - (djm) Define AIX hard limits if headers don't. Report from
- Bill Painter <william.t.painter@lmco.com>
- - (djm) utmp direct write & SunOS 4 patch from Charles Levert
- <charles@comm.polymtl.ca>
-
-20000808
- - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install
- time, spec file cleanup.
-
-20000807
- - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke
- - (djm) Suppress error messages on channel close shutdown() failurs
- works around Linux bug. Patch from Zack Weinberg <zack@wolery.cumb.org>
- - (djm) Add some more entropy collection commands from Lutz Jaenicke
-
-20000725
- - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF
-
-20000721
- - (djm) OpenBSD CVS updates:
- - markus@cvs.openbsd.org 2000/07/16 02:27:22
- [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
- [sshconnect1.c sshconnect2.c]
- make ssh-add accept dsa keys (the agent does not)
- - djm@cvs.openbsd.org 2000/07/17 19:25:02
- [sshd.c]
- Another closing of stdin; ok deraadt
- - markus@cvs.openbsd.org 2000/07/19 18:33:12
- [dsa.c]
- missing free, reorder
- - markus@cvs.openbsd.org 2000/07/20 16:23:14
- [ssh-keygen.1]
- document input and output files
-
-20000720
- - (djm) Spec file fix from Petr Novotny <Petr.Novotny@antek.cz>
-
-20000716
- - (djm) Release 2.1.1p4
-
-20000715
- - (djm) OpenBSD CVS updates
- - provos@cvs.openbsd.org 2000/07/13 16:53:22
- [aux.c readconf.c servconf.c ssh.h]
- allow multiple whitespace but only one '=' between tokens, bug report from
- Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@
- - provos@cvs.openbsd.org 2000/07/13 17:14:09
- [clientloop.c]
- typo; todd@fries.net
- - provos@cvs.openbsd.org 2000/07/13 17:19:31
- [scp.c]
- close can fail on AFS, report error; from Greg Hudson <ghudson@mit.edu>
- - markus@cvs.openbsd.org 2000/07/14 16:59:46
- [readconf.c servconf.c]
- allow leading whitespace. ok niels
- - djm@cvs.openbsd.org 2000/07/14 22:01:38
- [ssh-keygen.c ssh.c]
- Always create ~/.ssh with mode 700; ok Markus
- - Fixes for SunOS 4.1.4 from Gordon Atwood <gordon@cs.ualberta.ca>
- - Include floatingpoint.h for entropy.c
- - strerror replacement
-
-20000712
- - (djm) Remove -lresolve for Reliant Unix
- - (djm) OpenBSD CVS Updates:
- - deraadt@cvs.openbsd.org 2000/07/11 02:11:34
- [session.c sshd.c ]
- make MaxStartups code still work with -d; djm
- - deraadt@cvs.openbsd.org 2000/07/11 13:17:45
- [readconf.c ssh_config]
- disable FallBackToRsh by default
- - (djm) Replace in_addr_t with u_int32_t in bsd-inet_aton.c. Report from
- Ben Lindstrom <mouring@pconline.com>
- - (djm) Make building of X11-Askpass and GNOME-Askpass optional in RPM
- spec file.
- - (djm) Released 2.1.1p3
-
-20000711
- - (djm) Fixup for AIX getuserattr() support from Tom Bertelson
- <tbert@abac.com>
- - (djm) ReliantUNIX support from Udo Schweigert <ust@cert.siemens.de>
- - (djm) NeXT: dirent structures to get scp working from Ben Lindstrom
- <mouring@pconline.com>
- - (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report
- from Jim Watt <jimw@peisj.pebio.com>
- - (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known
- to compile on more platforms (incl NeXT).
- - (djm) Added bsd-inet_aton and configure support for NeXT
- - (djm) Misc NeXT fixes from Ben Lindstrom <mouring@pconline.com>
- - (djm) OpenBSD CVS updates:
- - markus@cvs.openbsd.org 2000/06/26 03:22:29
- [authfd.c]
- cleanup, less cut&paste
- - markus@cvs.openbsd.org 2000/06/26 15:59:19
- [servconf.c servconf.h session.c sshd.8 sshd.c]
- MaxStartups: limit number of unauthenticated connections, work by
- theo and me
- - deraadt@cvs.openbsd.org 2000/07/05 14:18:07
- [session.c]
- use no_x11_forwarding_flag correctly; provos ok
- - provos@cvs.openbsd.org 2000/07/05 15:35:57
- [sshd.c]
- typo
- - aaron@cvs.openbsd.org 2000/07/05 22:06:58
- [scp.1 ssh-agent.1 ssh-keygen.1 sshd.8]
- Insert more missing .El directives. Our troff really should identify
- these and spit out a warning.
- - todd@cvs.openbsd.org 2000/07/06 21:55:04
- [auth-rsa.c auth2.c ssh-keygen.c]
- clean code is good code
- - deraadt@cvs.openbsd.org 2000/07/07 02:14:29
- [serverloop.c]
- sense of port forwarding flag test was backwards
- - provos@cvs.openbsd.org 2000/07/08 17:17:31
- [compat.c readconf.c]
- replace strtok with strsep; from David Young <dyoung@onthejob.net>
- - deraadt@cvs.openbsd.org 2000/07/08 19:21:15
- [auth.h]
- KNF
- - ho@cvs.openbsd.org 2000/07/08 19:27:33
- [compat.c readconf.c]
- Better conditions for strsep() ending.
- - ho@cvs.openbsd.org 2000/07/10 10:27:05
- [readconf.c]
- Get the correct message on errors. (niels@ ok)
- - ho@cvs.openbsd.org 2000/07/10 10:30:25
- [cipher.c kex.c servconf.c]
- strtok() --> strsep(). (niels@ ok)
- - (djm) Fix problem with debug mode and MaxStartups
- - (djm) Don't generate host keys when $(DESTDIR) is set (e.g. during RPM
- builds)
- - (djm) Add strsep function from OpenBSD libc for systems that lack it
-
-20000709
- - (djm) Only enable PAM_TTY kludge for Linux. Problem report from
- Kevin Steves <stevesk@sweden.hp.com>
- - (djm) Match prototype and function declaration for rresvport_af.
- Problem report from Niklas Edmundsson <nikke@ing.umu.se>
- - (djm) Missing $(DESTDIR) on host-key target causing problems with RPM
- builds. Problem report from Gregory Leblanc <GLeblanc@cu-portland.edu>
- - (djm) Replace ut_name with ut_user. Patch from Jim Watt
- <jimw@peisj.pebio.com>
- - (djm) Fix pam sprintf fix
- - (djm) Cleanup entropy collection code a little more. Split initialisation
- from seeding, perform intialisation immediatly at start, be careful with
- uids. Based on problem report from Jim Watt <jimw@peisj.pebio.com>
- - (djm) More NeXT compatibility from Ben Lindstrom <mouring@pconline.com>
- Including sigaction() et al. replacements
- - (djm) AIX getuserattr() session initialisation from Tom Bertelson
- <tbert@abac.com>
-
-20000708
- - (djm) Fix bad fprintf format handling in auth-pam.c. Patch from
- Aaron Hopkins <aaron@die.net>
- - (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from
- Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - (djm) Fixed undefined variables for OSF SIA. Report from
- Baars, Henk <Hendrik.Baars@nl.origin-it.com>
- - (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c
- Fix from Marquess, Steve Mr JMLFDC <Steve.Marquess@DET.AMEDD.ARMY.MIL>
- - (djm) Don't use inet_addr.
-
-20000702
- - (djm) Fix brace mismatch from Corinna Vinschen <vinschen@cygnus.com>
- - (djm) Stop shadow expiry checking from preventing logins with NIS. Based
- on fix from HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
- - (djm) Use standard OpenSSL functions in auth-skey.c. Patch from
- Chris, the Young One <cky@pobox.com>
- - (djm) Fix scp progress meter on really wide terminals. Based on patch
- from James H. Cloos Jr. <cloos@jhcloos.com>
-
-20000701
- - (djm) Fix Tru64 SIA problems reported by John P Speno <speno@isc.upenn.edu>
- - (djm) Login fixes from Tom Bertelson <tbert@abac.com>
- - (djm) Replace "/bin/sh" with _PATH_BSHELL. Report from Corinna Vinschen
- <vinschen@cygnus.com>
- - (djm) Replace "/usr/bin/login" with LOGIN_PROGRAM
- - (djm) Added check for broken snprintf() functions which do not correctly
- terminate output string and attempt to use replacement.
- - (djm) Released 2.1.1p2
-
-20000628
- - (djm) Fixes to lastlog code for Irix
- - (djm) Use atomicio in loginrec
- - (djm) Patch from Michael Stone <mstone@cs.loyola.edu> to add support for
- Irix 6.x array sessions, project id's, and system audit trail id.
- - (djm) Added 'distprep' make target to simplify packaging
- - (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA
- support. Enable using "USE_SIA=1 ./configure [options]"
-
-20000627
- - (djm) Fixes to login code - not setting li->uid, cleanups
- - (djm) Formatting
-
-20000626
- - (djm) Better fix to aclocal tests from Garrick James <garrick@james.net>
- - (djm) Account expiry support from Andreas Steinmetz <ast@domdv.de>
- - (djm) Added password expiry checking (no password change support)
- - (djm) Make EGD failures non-fatal if OpenSSL's entropy pool is still OK
- based on patch from Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - (djm) Fix fixed EGD code.
- - OpenBSD CVS update
- - provos@cvs.openbsd.org 2000/06/25 14:17:58
- [channels.c]
- correct check for bad channel ids; from Wei Dai <weidai@eskimo.com>
-
-20000623
- - (djm) Use sa_family_t in prototype for rresvport_af. Patch from
- Svante Signell <svante.signell@telia.com>
- - (djm) Autoconf logic to define sa_family_t if it is missing
- - OpenBSD CVS Updates:
- - markus@cvs.openbsd.org 2000/06/22 10:32:27
- [sshd.c]
- missing atomicio; report from Steve.Marquess@DET.AMEDD.ARMY.MIL
- - djm@cvs.openbsd.org 2000/06/22 17:55:00
- [auth-krb4.c key.c radix.c uuencode.c]
- Missing CVS idents; ok markus
-
-20000622
- - (djm) Automatically generate host key during "make install". Suggested
- by Gary E. Miller <gem@rellim.com>
- - (djm) Paranoia before kill() system call
- - OpenBSD CVS Updates:
- - markus@cvs.openbsd.org 2000/06/18 18:50:11
- [auth2.c compat.c compat.h sshconnect2.c]
- make userauth+pubkey interop with ssh.com-2.2.0
- - markus@cvs.openbsd.org 2000/06/18 20:56:17
- [dsa.c]
- mem leak + be more paranoid in dsa_verify.
- - markus@cvs.openbsd.org 2000/06/18 21:29:50
- [key.c]
- cleanup fingerprinting, less hardcoded sizes
- - markus@cvs.openbsd.org 2000/06/19 19:39:45
- [atomicio.c auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
- [auth-rsa.c auth-skey.c authfd.c authfd.h authfile.c bufaux.c bufaux.h]
- [buffer.c buffer.h canohost.c channels.c channels.h cipher.c cipher.h]
- [clientloop.c compat.c compat.h compress.c compress.h crc32.c crc32.h]
- [deattack.c dispatch.c dsa.c fingerprint.c fingerprint.h getput.h hmac.c]
- [kex.c log-client.c log-server.c login.c match.c mpaux.c mpaux.h nchan.c]
- [nchan.h packet.c packet.h pty.c pty.h readconf.c readconf.h readpass.c]
- [rsa.c rsa.h scp.c servconf.c servconf.h ssh-add.c ssh-keygen.c ssh.c]
- [ssh.h tildexpand.c ttymodes.c ttymodes.h uidswap.c xmalloc.c xmalloc.h]
- OpenBSD tag
- - markus@cvs.openbsd.org 2000/06/21 10:46:10
- sshconnect2.c missing free; nuke old comment
-
-20000620
- - (djm) Replace use of '-o' and '-a' logical operators in configure tests
- with '||' and '&&'. As suggested by Jim Knoble <jmknoble@pint-stowp.cx>
- to fix SCO Unixware problem reported by Gary E. Miller <gem@rellim.com>
- - (djm) Typo in loginrec.c
-
-20000618
- - (djm) Add summary of configure options to end of ./configure run
- - (djm) Not all systems define RUSAGE_SELF & RUSAGE_CHILDREN. Report from
- Michael Stone <mstone@cs.loyola.edu>
- - (djm) rusage is a privileged operation on some Unices (incl.
- Solaris 2.5.1). Report from Paul D. Smith <pausmith@nortelnetworks.com>
- - (djm) Avoid PAM failures when running without a TTY. Report from
- Martin Petrak <petrak@spsknm.schools.sk>
- - (djm) Include sys/types.h when including netinet/in.h in configure tests.
- Patch from Jun-ichiro itojun Hagino <itojun@iijlab.net>
- - (djm) Started merge of Ben Lindstrom's <mouring@pconline.com> NeXT support
- - OpenBSD CVS updates:
- - deraadt@cvs.openbsd.org 2000/06/17 09:58:46
- [channels.c]
- everyone says "nix it" (remove protocol 2 debugging message)
- - markus@cvs.openbsd.org 2000/06/17 13:24:34
- [sshconnect.c]
- allow extended server banners
- - markus@cvs.openbsd.org 2000/06/17 14:30:10
- [sshconnect.c]
- missing atomicio, typo
- - jakob@cvs.openbsd.org 2000/06/17 16:52:34
- [servconf.c servconf.h session.c sshd.8 sshd_config]
- add support for ssh v2 subsystems. ok markus@.
- - deraadt@cvs.openbsd.org 2000/06/17 18:57:48
- [readconf.c servconf.c]
- include = in WHITESPACE; markus ok
- - markus@cvs.openbsd.org 2000/06/17 19:09:10
- [auth2.c]
- implement bug compatibility with ssh-2.0.13 pubkey, server side
- - markus@cvs.openbsd.org 2000/06/17 21:00:28
- [compat.c]
- initial support for ssh.com's 2.2.0
- - markus@cvs.openbsd.org 2000/06/17 21:16:09
- [scp.c]
- typo
- - markus@cvs.openbsd.org 2000/06/17 22:05:02
- [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h]
- split auth-rsa option parsing into auth-options
- add options support to authorized_keys2
- - markus@cvs.openbsd.org 2000/06/17 22:42:54
- [session.c]
- typo
-
-20000613
- - (djm) Fixes from Andrew McGill <andrewm@datrix.co.za>:
- - Platform define for SCO 3.x which breaks on /dev/ptmx
- - Detect and try to fix missing MAXPATHLEN
- - (djm) Fix short copy in loginrec.c (based on patch from Phill Camp
- <P.S.S.Camp@ukc.ac.uk>
-
-20000612
- - (djm) Glob manpages in RPM spec files to catch compressed files
- - (djm) Full license in auth-pam.c
- - (djm) Configure fixes from SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp>
- - (andre) AIX, lastlog, configure fixes from Tom Bertelson <tbert@abac.com>:
- - Don't try to retrieve lastlog from wtmp/wtmpx if DISABLE_LASTLOG is
- def'd
- - Set AIX to use preformatted manpages
-
-20000610
- - (djm) Minor doc tweaks
- - (djm) Fix for configure on bash2 from Jim Knoble <jmknoble@jmknoble.cx>
-
-20000609
- - (djm) Patch from Kenji Miyake <kenji@miyake.org> to disable utmp usage
- (in favour of utmpx) on Solaris 8
-
-20000606
- - (djm) Cleanup of entropy.c. Reorganised code, removed second pass through
- list of commands (by default). Removed verbose debugging (by default).
- - (djm) Increased command entropy estimates and default entropy collection
- timeout
- - (djm) Remove duplicate headers from loginrec.c
- - (djm) Don't add /usr/local/lib to library search path on Irix
- - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
- <tibbs@math.uh.edu>
- - (djm) Warn user if grabs fail in GNOME askpass. Patch from Zack Weinberg
- <zack@wolery.cumb.org>
- - (djm) OpenBSD CVS updates:
- - todd@cvs.openbsd.org
- [sshconnect2.c]
- teach protocol v2 to count login failures properly and also enable an
- explanation of why the password prompt comes up again like v1; this is NOT
- crypto
- - markus@cvs.openbsd.org
- [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
- xauth_location support; pr 1234
- [readconf.c sshconnect2.c]
- typo, unused
- [session.c]
- allow use_login only for login sessions, otherwise remote commands are
- execed with uid==0
- [sshd.8]
- document UseLogin better
- [version.h]
- OpenSSH 2.1.1
- [auth-rsa.c]
- fix match_hostname() logic for auth-rsa: deny access if we have a
- negative match or no match at all
- [channels.c hostfile.c match.c]
- don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
- kris@FreeBSD.org
-
-20000606
- - (djm) Added --with-cflags, --with-ldflags and --with-libs options to
- configure.
-
-20000604
- - Configure tweaking for new login code on Irix 5.3
- - (andre) login code changes based on djm feedback
-
-20000603
- - (andre) New login code
- - Remove bsd-login.[ch] and all the OpenBSD-derived code in login.c
- - Add loginrec.[ch], logintest.c and autoconf code
-
-20000531
- - Cleanup of auth.c, login.c and fake-*
- - Cleanup of auth-pam.c, save and print "account expired" error messages
- - Fix EGD read bug by IWAMURO Motonori <iwa@mmp.fujitsu.co.jp>
- - Rewrote bsd-login to use proper utmp API if available. Major cleanup
- of fallback DIY code.
-
-20000530
- - Define atexit for old Solaris
- - Fix buffer overrun in login.c for systems which use syslen in utmpx.
- patch from YOSHIFUJI Hideaki <yoshfuji@cerberus.nemoto.ecei.tohoku.ac.jp>
- - OpenBSD CVS updates:
- - markus@cvs.openbsd.org
- [session.c]
- make x11-fwd work w/ localhost (xauth add host/unix:11)
- [cipher.c compat.c readconf.c servconf.c]
- check strtok() != NULL; ok niels@
- [key.c]
- fix key_read() for uuencoded keys w/o '='
- [serverloop.c]
- group ssh1 vs. ssh2 in serverloop
- [kex.c kex.h myproposal.h sshconnect2.c sshd.c]
- split kexinit/kexdh, factor out common code
- [readconf.c ssh.1 ssh.c]
- forwardagent defaults to no, add ssh -A
- - theo@cvs.openbsd.org
- [session.c]
- just some line shortening
- - Released 2.1.0p3
-
-20000520
- - Xauth fix from Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
- - Don't touch utmp if USE_UTMPX defined
- - SunOS 4.x support from Todd C. Miller <Todd.Miller@courtesan.com>
- - SIGCHLD fix for AIX and HPUX from Tom Bertelson <tbert@abac.com>
- - HPUX and Configure fixes from Lutz Jaenicke
- <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - Use mkinstalldirs script to make directories instead of non-portable
- "install -d". Suggested by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - Doc cleanup
-
-20000518
- - Include Andre Lucas' fixprogs script. Forgot to "cvs add" it yesterday
- - OpenBSD CVS updates:
- - markus@cvs.openbsd.org
- [sshconnect.c]
- copy only ai_addrlen bytes; misiek@pld.org.pl
- [auth.c]
- accept an empty shell in authentication; bug reported by
- chris@tinker.ucr.edu
- [serverloop.c]
- we don't have stderr for interactive terminal sessions (fcntl errors)
-
-20000517
- - Fix from Andre Lucas <andre.lucas@dial.pipex.com>
- - Fixes command line printing segfaults (spotter: Bladt Norbert)
- - Fixes erroneous printing of debug messages to syslog
- - Fixes utmp for MacOS X (spotter: Aristedes Maniatis)
- - Gives useful error message if PRNG initialisation fails
- - Reduced ssh startup delay
- - Measures cumulative command time rather than the time between reads
- after select()
- - 'fixprogs' perl script to eliminate non-working entropy commands, and
- optionally run 'ent' to measure command entropy
- - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
- - Avoid WCOREDUMP complation errors for systems that lack it
- - Avoid SIGCHLD warnings from entropy commands
- - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson <sxw@dcs.ed.ac.uk>
- - OpenBSD CVS update:
- - markus@cvs.openbsd.org
- [ssh.c]
- fix usage()
- [ssh2.h]
- draft-ietf-secsh-architecture-05.txt
- [ssh.1]
- document ssh -T -N (ssh2 only)
- [channels.c serverloop.c ssh.h sshconnect.c sshd.c aux.c]
- enable nonblocking IO for sshd w/ proto 1, too; split out common code
- [aux.c]
- missing include
- - Several patches from SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp>
- - INSTALL typo and URL fix
- - Makefile fix
- - Solaris fixes
- - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka
- <ksakai@kso.netwk.ntt-at.co.jp>
- - RSAless operation patch from kevin_oconnor@standardandpoors.com
- - Detect OpenSSL seperatly from RSA
- - Better test for RSA (more compatible with RSAref). Based on work by
- Ed Eden <ede370@stl.rural.usda.gov>
-
-20000513
- - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz
- <misiek@pld.org.pl>
-
-20000511
- - Fix for prng_seed permissions checking from Lutz Jaenicke
- <Lutz.Jaenicke@aet.TU-Cottbus.DE>
- - "make host-key" fix for Irix
-
-20000509
- - OpenBSD CVS update
- - markus@cvs.openbsd.org
- [cipher.h myproposal.h readconf.c readconf.h servconf.c ssh.1 ssh.c]
- [ssh.h sshconnect1.c sshconnect2.c sshd.8]
- - complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
- - hugh@cvs.openbsd.org
- [ssh.1]
- - zap typo
- [ssh-keygen.1]
- - One last nit fix. (markus approved)
- [sshd.8]
- - some markus certified spelling adjustments
- - markus@cvs.openbsd.org
- [auth2.c channels.c clientloop.c compat compat.h dsa.c kex.c]
- [sshconnect2.c ]
- - bug compat w/ ssh-2.0.13 x11, split out bugs
- [nchan.c]
- - no drain if ibuf_empty, fixes x11fwd problems; tests by fries@
- [ssh-keygen.c]
- - handle escapes in real and original key format, ok millert@
- [version.h]
- - OpenSSH-2.1
- - Moved all the bsd-* and fake-* stuff into new libopenbsd-compat.a
- - Doc updates
- - Cleanup of bsd-base64 headers, bugfix definitions of __b64_*. Reported
- by Andre Lucas <andre.lucas@dial.pipex.com>
-
-20000508
- - Makefile and RPM spec fixes
- - Generate DSA host keys during "make key" or RPM installs
- - OpenBSD CVS update
- - markus@cvs.openbsd.org
- [clientloop.c sshconnect2.c]
- - make x11-fwd interop w/ ssh-2.0.13
- [README.openssh2]
- - interop w/ SecureFX
- - Release 2.0.0beta2
-
- - Configure caching and cleanup patch from Andre Lucas'
- <andre.lucas@dial.pipex.com>
-
-20000507
- - Remove references to SSLeay.
- - Big OpenBSD CVS update
- - markus@cvs.openbsd.org
- [clientloop.c]
- - typo
- [session.c]
- - update proctitle on pty alloc/dealloc, e.g. w/ windows client
- [session.c]
- - update proctitle for proto 1, too
- [channels.h nchan.c serverloop.c session.c sshd.c]
- - use c-style comments
- - deraadt@cvs.openbsd.org
- [scp.c]
- - more atomicio
- - markus@cvs.openbsd.org
- [channels.c]
- - set O_NONBLOCK
- [ssh.1]
- - update AUTHOR
- [readconf.c ssh-keygen.c ssh.h]
- - default DSA key file ~/.ssh/id_dsa
- [clientloop.c]
- - typo, rm verbose debug
- - deraadt@cvs.openbsd.org
- [ssh-keygen.1]
- - document DSA use of ssh-keygen
- [sshd.8]
- - a start at describing what i understand of the DSA side
- [ssh-keygen.1]
- - document -X and -x
- [ssh-keygen.c]
- - simplify usage
- - markus@cvs.openbsd.org
- [sshd.8]
- - there is no rhosts_dsa
- [ssh-keygen.1]
- - document -y, update -X,-x
- [nchan.c]
- - fix close for non-open ssh1 channels
- [servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- - s/DsaKey/HostDSAKey/, document option
- [sshconnect2.c]
- - respect number_of_password_prompts
- [channels.c channels.h servconf.c servconf.h session.c sshd.8]
- - GatewayPorts for sshd, ok deraadt@
- [ssh-add.1 ssh-agent.1 ssh.1]
- - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
- [ssh.1]
- - more info on proto 2
- [sshd.8]
- - sync AUTHOR w/ ssh.1
- [key.c key.h sshconnect.c]
- - print key type when talking about host keys
- [packet.c]
- - clear padding in ssh2
- [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- - replace broken uuencode w/ libc b64_ntop
- [auth2.c]
- - log failure before sending the reply
- [key.c radix.c uuencode.c]
- - remote trailing comments before calling __b64_pton
- [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
- [sshconnect2.c sshd.8]
- - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
-
-20000502
- - OpenBSD CVS update
- [channels.c]
- - init all fds, close all fds.
- [sshconnect2.c]
- - check whether file exists before asking for passphrase
- [servconf.c servconf.h sshd.8 sshd.c]
- - PidFile, pr 1210
- [channels.c]
- - EINTR
- [channels.c]
- - unbreak, ok niels@
- [sshd.c]
- - unlink pid file, ok niels@
- [auth2.c]
- - Add missing #ifdefs; ok - markus
- - Add Andre Lucas' <andre.lucas@dial.pipex.com> patch to read entropy
- gathering commands from a text file
- - Release 2.0.0beta1
-
-20000501
- - OpenBSD CVS update
- [packet.c]
- - send debug messages in SSH2 format
- [scp.c]
- - fix very rare EAGAIN/EINTR issues; based on work by djm
- [packet.c]
- - less debug, rm unused
- [auth2.c]
- - disable kerb,s/key in ssh2
- [sshd.8]
- - Minor tweaks and typo fixes.
- [ssh-keygen.c]
- - Put -d into usage and reorder. markus ok.
- - Include missing headers for OpenSSL tests. Fix from Phil Karn
- <karn@ka9q.ampr.org>
- - Fixed __progname symbol collisions reported by Andre Lucas
- <andre.lucas@dial.pipex.com>
- - Merged bsd-login ttyslot and AIX utmp patch from Gert Doering
- <gd@hilb1.medat.de>
- - Add some missing ifdefs to auth2.c
- - Deprecate perl-tk askpass.
- - Irix portability fixes - don't include netinet headers more than once
- - Make sure we don't save PRNG seed more than once
-
-20000430
- - Merge HP-UX fixes and TCB support from Ged Lodder <lodder@yacc.com.au>
- - Integrate Andre Lucas' <andre.lucas@dial.pipex.com> entropy collection
- patch.
- - Adds timeout to entropy collection
- - Disables slow entropy sources
- - Load and save seed file
- - Changed entropy seed code to user per-user seeds only (server seed is
- saved in root's .ssh directory)
- - Use atexit() and fatal cleanups to save seed on exit
- - More OpenBSD updates:
- [session.c]
- - don't call chan_write_failed() if we are not writing
- [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c]
- - keysize warnings error() -> log()
-
-20000429
- - Merge big update to OpenSSH-2.0 from OpenBSD CVS
- [README.openssh2]
- - interop w/ F-secure windows client
- - sync documentation
- - ssh_host_dsa_key not ssh_dsa_key
- [auth-rsa.c]
- - missing fclose
- [auth.c authfile.c compat.c dsa.c dsa.h hostfile.c key.c key.h radix.c]
- [readconf.c readconf.h ssh-add.c ssh-keygen.c ssh.c ssh.h sshconnect.c]
- [sshd.c uuencode.c uuencode.h authfile.h]
- - add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
- for trading keys with the real and the original SSH, directly from the
- people who invented the SSH protocol.
- [auth.c auth.h authfile.c sshconnect.c auth1.c auth2.c sshconnect.h]
- [sshconnect1.c sshconnect2.c]
- - split auth/sshconnect in one file per protocol version
- [sshconnect2.c]
- - remove debug
- [uuencode.c]
- - add trailing =
- [version.h]
- - OpenSSH-2.0
- [ssh-keygen.1 ssh-keygen.c]
- - add -R flag: exit code indicates if RSA is alive
- [sshd.c]
- - remove unused
- silent if -Q is specified
- [ssh.h]
- - host key becomes /etc/ssh_host_dsa_key
- [readconf.c servconf.c ]
- - ssh/sshd default to proto 1 and 2
- [uuencode.c]
- - remove debug
- [auth2.c ssh-keygen.c sshconnect2.c sshd.c]
- - xfree DSA blobs
- [auth2.c serverloop.c session.c]
- - cleanup logging for sshd/2, respect PasswordAuth no
- [sshconnect2.c]
- - less debug, respect .ssh/config
- [README.openssh2 channels.c channels.h]
- - clientloop.c session.c ssh.c
- - support for x11-fwding, client+server
-
-20000421
- - Merge fix from OpenBSD CVS
- [ssh-agent.c]
- - Fix memory leak per connection. Report from Andy Spiegl <Andy@Spiegl.de>
- via Debian bug #59926
- - Define __progname in session.c if libc doesn't
- - Remove indentation on autoconf #include statements to avoid bug in
- DEC Tru64 compiler. Report and fix from David Del Piero
- <David.DelPiero@qed.qld.gov.au>
-
-20000420
- - Make fixpaths work with perl4, patch from Andre Lucas
- <andre.lucas@dial.pipex.com>
- - Sync with OpenBSD CVS:
- [clientloop.c login.c serverloop.c ssh-agent.c ssh.h sshconnect.c sshd.c]
- - pid_t
- [session.c]
- - remove bogus chan_read_failed. this could cause data
- corruption (missing data) at end of a SSH2 session.
- - Merge fixes from Debian patch from Phil Hands <phil@hands.com>
- - Allow setting of PAM service name through CFLAGS (SSHD_PAM_SERVICE)
- - Use vhangup to clean up Linux ttys
- - Force posix getopt processing on GNU libc systems
- - Debian bug #55910 - remove references to ssl(8) manpages
- - Debian bug #58031 - ssh_config lies about default cipher
-
-20000419
- - OpenBSD CVS updates
- [channels.c]
- - fix pr 1196, listen_port and port_to_connect interchanged
- [scp.c]
- - after completion, replace the progress bar ETA counter with a final
- elapsed time; my idea, aaron wrote the patch
- [ssh_config sshd_config]
- - show 'Protocol' as an example, ok markus@
- [sshd.c]
- - missing xfree()
- - Add missing header to bsd-misc.c
-
-20000416
- - Reduce diff against OpenBSD source
- - All OpenSSL includes are now unconditionally referenced as
- openssl/foo.h
- - Pick up formatting changes
- - Other minor changed (typecasts, etc) that I missed
-
-20000415
- - OpenBSD CVS updates.
- [ssh.1 ssh.c]
- - ssh -2
- [auth.c channels.c clientloop.c packet.c packet.h serverloop.c]
- [session.c sshconnect.c]
- - check payload for (illegal) extra data
- [ALL]
- whitespace cleanup
-
-20000413
- - INSTALL doc updates
- - Merged OpenBSD updates to include paths.
-
-20000412
- - OpenBSD CVS updates:
- - [channels.c]
- repair x11-fwd
- - [sshconnect.c]
- fix passwd prompt for ssh2, less debugging output.
- - [clientloop.c compat.c dsa.c kex.c sshd.c]
- less debugging output
- - [kex.c kex.h sshconnect.c sshd.c]
- check for reasonable public DH values
- - [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c]
- [readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c]
- add Cipher and Protocol options to ssh/sshd, e.g.:
- ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers
- arcfour,3des-cbc'
- - [sshd.c]
- print 1.99 only if server supports both
-
-20000408
- - Avoid some compiler warnings in fake-get*.c
- - Add IPTOS macros for systems which lack them
- - Only set define entropy collection macros if they are found
- - More large OpenBSD CVS updates:
- - [auth.c auth.h servconf.c servconf.h serverloop.c session.c]
- [session.h ssh.h sshd.c README.openssh2]
- ssh2 server side, see README.openssh2; enable with 'sshd -2'
- - [channels.c]
- no adjust after close
- - [sshd.c compat.c ]
- interop w/ latest ssh.com windows client.
-
-20000406
- - OpenBSD CVS update:
- - [channels.c]
- close efd on eof
- - [clientloop.c compat.c ssh.c sshconnect.c myproposal.h]
- ssh2 client implementation, interops w/ ssh.com and lsh servers.
- - [sshconnect.c]
- missing free.
- - [authfile.c cipher.c cipher.h packet.c sshconnect.c sshd.c]
- remove unused argument, split cipher_mask()
- - [clientloop.c]
- re-order: group ssh1 vs. ssh2
- - Make Redhat spec require openssl >= 0.9.5a
-
-20000404
- - Add tests for RAND_add function when searching for OpenSSL
- - OpenBSD CVS update:
- - [packet.h packet.c]
- ssh2 packet format
- - [packet.h packet.c nchan2.ms nchan.h compat.h compat.c]
- [channels.h channels.c]
- channel layer support for ssh2
- - [kex.h kex.c hmac.h hmac.c dsa.c dsa.h]
- DSA, keyexchange, algorithm agreement for ssh2
- - Generate manpages before make install not at the end of make all
- - Don't seed the rng quite so often
- - Always reseed rng when requested
-
-20000403
- - Wrote entropy collection routines for systems that lack /dev/random
- and EGD
- - Disable tests and typedefs for 64 bit types. They are currently unused.
-
-20000401
- - Big OpenBSD CVS update (mainly beginnings of SSH2 infrastructure)
- - [auth.c session.c sshd.c auth.h]
- split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
- - [bufaux.c bufaux.h]
- support ssh2 bignums
- - [channels.c channels.h clientloop.c sshd.c nchan.c nchan.h packet.c]
- [readconf.c ssh.c ssh.h serverloop.c]
- replace big switch() with function tables (prepare for ssh2)
- - [ssh2.h]
- ssh2 message type codes
- - [sshd.8]
- reorder Xr to avoid cutting
- - [serverloop.c]
- close(fdin) if fdin != fdout, shutdown otherwise, ok theo@
- - [channels.c]
- missing close
- allow bigger packets
- - [cipher.c cipher.h]
- support ssh2 ciphers
- - [compress.c]
- cleanup, less code
- - [dispatch.c dispatch.h]
- function tables for different message types
- - [log-server.c]
- do not log() if debuggin to stderr
- rename a cpp symbol, to avoid param.h collision
- - [mpaux.c]
- KNF
- - [nchan.c]
- sync w/ channels.c
-
-20000326
- - Better tests for OpenSSL w/ RSAref
- - Added replacement setenv() function from OpenBSD libc. Suggested by
- Ben Lindstrom <mouring@pconline.com>
- - OpenBSD CVS update
- - [auth-krb4.c]
- -Wall
- - [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c]
- [match.h ssh.c ssh.h sshconnect.c sshd.c]
- initial support for DSA keys. ok deraadt@, niels@
- - [cipher.c cipher.h]
- remove unused cipher_attack_detected code
- - [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
- Fix some formatting problems I missed before.
- - [ssh.1 sshd.8]
- fix spelling errors, From: FreeBSD
- - [ssh.c]
- switch to raw mode only if he _get_ a pty (not if we _want_ a pty).
-
-20000324
- - Released 1.2.3
-
-20000317
- - Clarified --with-default-path option.
- - Added -blibpath handling for AIX to work around stupid runtime linking.
- Problem elucidated by gshapiro@SENDMAIL.ORG by way of Jim Knoble
- <jmknoble@pobox.com>
- - Checks for 64 bit int types. Problem report from Mats Fredholm
- <matsf@init.se>
- - OpenBSD CVS updates:
- - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c]
- [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c]
- [sshd.c]
- pedantic: signed vs. unsigned, void*-arithm, etc
- - [ssh.1 sshd.8]
- Various cleanups and standardizations.
- - Runtime error fix for HPUX from Otmar Stahl
- <O.Stahl@lsw.uni-heidelberg.de>
-
-20000316
- - Fixed configure not passing LDFLAGS to Solaris. Report from David G.
- Hesprich <dghespri@sprintparanet.com>
- - Propogate LD through to Makefile
- - Doc cleanups
- - Added blurb about "scp: command not found" errors to UPGRADING
-
-20000315
- - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list
- problems with gcc/Solaris.
- - Don't free argument to putenv() after use (in setenv() replacement).
- Report from Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
- - Created contrib/ subdirectory. Included helpers from Phil Hands'
- Debian package, README file and chroot patch from Ricardo Cerqueira
- <rmcc@clix.pt>
- - Moved gnome-ssh-askpass.c to contrib directory and removed config
- option.
- - Slight cleanup to doc files
- - Configure fix from Bratislav ILICH <bilic@zepter.ru>
-
-20000314
- - Include macro for IN6_IS_ADDR_V4MAPPED. Report from
- peter@frontierflying.com
- - Include /usr/local/include and /usr/local/lib for systems that don't
- do it themselves
- - -R/usr/local/lib for Solaris
- - Fix RSAref detection
- - Fix IN6_IS_ADDR_V4MAPPED macro
-
-20000311
- - Detect RSAref
- - OpenBSD CVS change
- [sshd.c]
- - disallow guessing of root password
- - More configure fixes
- - IPv6 workarounds from Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp>
-
-20000309
- - OpenBSD CVS updates to v1.2.3
- [ssh.h atomicio.c]
- - int atomicio -> ssize_t (for alpha). ok deraadt@
- [auth-rsa.c]
- - delay MD5 computation until client sends response, free() early, cleanup.
- [cipher.c]
- - void* -> unsigned char*, ok niels@
- [hostfile.c]
- - remove unused variable 'len'. fix comments.
- - remove unused variable
- [log-client.c log-server.c]
- - rename a cpp symbol, to avoid param.h collision
- [packet.c]
- - missing xfree()
- - getsockname() requires initialized tolen; andy@guildsoftware.com
- - use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
- from Holger.Trapp@Informatik.TU-Chemnitz.DE
- [pty.c pty.h]
- - register cleanup for pty earlier. move code for pty-owner handling to
- pty.c ok provos@, dugsong@
- [readconf.c]
- - turn off x11-fwd for the client, too.
- [rsa.c]
- - PKCS#1 padding
- [scp.c]
- - allow '.' in usernames; from jedgar@fxp.org
- [servconf.c]
- - typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de
- - sync with sshd_config
- [ssh-keygen.c]
- - enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
- [ssh.1]
- - Change invalid 'CHAT' loglevel to 'VERBOSE'
- [ssh.c]
- - suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp
- - turn off x11-fwd for the client, too.
- [sshconnect.c]
- - missing xfree()
- - retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp.
- - read error vs. "Connection closed by remote host"
- [sshd.8]
- - ie. -> i.e.,
- - do not link to a commercial page..
- - sync with sshd_config
- [sshd.c]
- - no need for poll.h; from bright@wintelcom.net
- - log with level log() not fatal() if peer behaves badly.
- - don't panic if client behaves strange. ok deraadt@
- - make no-port-forwarding for RSA keys deny both -L and -R style fwding
- - delay close() of pty until the pty has been chowned back to root
- - oops, fix comment, too.
- - missing xfree()
- - move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too.
- (http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907)
- - register cleanup for pty earlier. move code for pty-owner handling to
- pty.c ok provos@, dugsong@
- - create x11 cookie file
- - fix pr 1113, fclose() -> pclose(), todo: remote popen()
- - version 1.2.3
- - Cleaned up
- - Removed warning workaround for Linux and devpts filesystems (no longer
- required after OpenBSD updates)
-
-20000308
- - Configure fix from Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp>
-
-20000307
- - Released 1.2.2p1
-
-20000305
- - Fix DEC compile fix
- - Explicitly seed OpenSSL's PRNG before checking rsa_alive()
- - Check for getpagesize in libucb.a if not found in libc. Fix for old
- Solaris from Andre Lucas <andre.lucas@dial.pipex.com>
- - Check for libwrap if --with-tcp-wrappers option specified. Suggestion
- Mate Wierdl <mw@moni.msci.memphis.edu>
-
-20000303
- - Added "make host-key" target, Suggestion from Dominik Brettnacher
- <domi@saargate.de>
- - Don't permanently fail on bind() if getaddrinfo has more choices left for
- us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz
- Miskiewicz <misiek@pld.org.pl>
- - DEC Unix compile fix from David Del Piero <David.DelPiero@qed.qld.gov.au>
- - Manpage fix from David Del Piero <David.DelPiero@qed.qld.gov.au>
-
-20000302
- - Big cleanup of autoconf code
- - Rearranged to be a little more logical
- - Added -R option for Solaris
- - Rewrote OpenSSL detection code. Now uses AC_TRY_RUN with a test program
- to detect library and header location _and_ ensure library has proper
- RSA support built in (this is a problem with OpenSSL 0.9.5).
- - Applied pty cleanup patch from markus.friedl@informatik.uni-erlangen.de
- - Avoid warning message with Unix98 ptys
- - Warning was valid - possible race condition on PTYs. Avoided using
- platform-specific code.
- - Document some common problems
- - Allow root access to any key. Patch from
- markus.friedl@informatik.uni-erlangen.de
-
-20000207
- - Removed SOCKS code. Will support through a ProxyCommand.
-
-20000203
- - Fixed SEGVs in authloop, fix from vbzoli@hbrt.hu
- - Add --with-ssl-dir option
-
-20000202
- - Fix lastlog code for directory based lastlogs. Fix from Josh Durham
- <jmd@aoe.vt.edu>
- - Documentation fixes from HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
- - Added URLs to Japanese translations of documents by HARUYAMA Seigo
- <haruyama@nt.phys.s.u-tokyo.ac.jp>
-
-20000201
- - Use socket pairs by default (instead of pipes). Prevents race condition
- on several (buggy) OSs. Report and fix from tridge@linuxcare.com
-
-20000127
- - Seed OpenSSL's random number generator before generating RSA keypairs
- - Split random collector into seperate file
- - Compile fix from Andre Lucas <andre.lucas@dial.pipex.com>
-
-20000126
- - Released 1.2.2 stable
-
- - NeXT keeps it lastlog in /usr/adm. Report from
- mouring@newton.pconline.com
- - Added note in UPGRADING re interop with commercial SSH using idea.
- Report from Jim Knoble <jmknoble@pobox.com>
- - Fix linking order for Kerberos/AFS. Fix from Holget Trapp
- <Holger.Trapp@Informatik.TU-Chemnitz.DE>
-
-20000125
- - Fix NULL pointer dereference in login.c. Fix from Andre Lucas
- <andre.lucas@dial.pipex.com>
- - Reorder PAM initialisation so it does not mess up lastlog. Reported
- by Andre Lucas <andre.lucas@dial.pipex.com>
- - Use preformatted manpages on SCO, report from Gary E. Miller
- <gem@rellim.com>
- - New URL for x11-ssh-askpass.
- - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble
- <jmknoble@pobox.com>
- - Added 'DESTDIR' option to Makefile to ease package building. Patch from
- Jim Knoble <jmknoble@pobox.com>
- - Updated RPM spec files to use DESTDIR
-
-20000124
- - Pick up version 1.2.2 from OpenBSD CVS (no changes, just version number
- increment)
-
-20000123
- - OpenBSD CVS:
- - [packet.c]
- getsockname() requires initialized tolen; andy@guildsoftware.com
- - AIX patch from Matt Richards <v2matt@btv.ibm.com> and David Rankin
- <drankin@bohemians.lexington.ky.us>
- - Fix lastlog support, patch from Andre Lucas <andre.lucas@dial.pipex.com>
-
-20000122
- - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor
- <bent@clark.net>
- - Merge preformatted manpage patch from Andre Lucas
- <andre.lucas@dial.pipex.com>
- - Make IPv4 use the default in RPM packages
- - Irix uses preformatted manpages
- - Missing htons() in bsd-bindresvport.c, fix from Holger Trapp
- <Holger.Trapp@Informatik.TU-Chemnitz.DE>
- - OpenBSD CVS updates:
- - [packet.c]
- use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
- from Holger.Trapp@Informatik.TU-Chemnitz.DE
- - [sshd.c]
- log with level log() not fatal() if peer behaves badly.
- - [readpass.c]
- instead of blocking SIGINT, catch it ourselves, so that we can clean
- the tty modes up and kill ourselves -- instead of our process group
- leader (scp, cvs, ...) going away and leaving us in noecho mode.
- people with cbreak shells never even noticed..
- - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
- ie. -> i.e.,
-
-20000120
- - Don't use getaddrinfo on AIX
- - Update to latest OpenBSD CVS:
- - [auth-rsa.c]
- - fix user/1056, sshd keeps restrictions; dbt@meat.net
- - [sshconnect.c]
- - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags.
- - destroy keys earlier
- - split key exchange (kex) and user authentication (user-auth),
- ok: provos@
- - [sshd.c]
- - no need for poll.h; from bright@wintelcom.net
- - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags.
- - split key exchange (kex) and user authentication (user-auth),
- ok: provos@
- - Big manpage and config file cleanup from Andre Lucas
- <andre.lucas@dial.pipex.com>
- - Re-added latest (unmodified) OpenBSD manpages
- - Doc updates
- - NetBSD patch from David Rankin <drankin@bohemians.lexington.ky.us> and
- Christos Zoulas <christos@netbsd.org>
-
-20000119
- - SCO compile fixes from Gary E. Miller <gem@rellim.com>
- - Compile fix from Darren_Hall@progressive.com
- - Linux/glibc-2.1.2 takes a *long* time to look up names for AF_UNSPEC
- addresses using getaddrinfo(). Added a configure switch to make the
- default lookup mode AF_INET
-
-20000118
- - Fixed --with-pid-dir option
- - Makefile fix from Gary E. Miller <gem@rellim.com>
- - Compile fix for HPUX and Solaris from Andre Lucas
- <andre.lucas@dial.pipex.com>
-
-20000117
- - Clean up bsd-bindresvport.c. Use arc4random() for picking initial
- port, ignore EINVAL errors (Linux) when searching for free port.
- - Revert __snprintf -> snprintf aliasing. Apparently Solaris
- __snprintf isn't. Report from Theo de Raadt <theo@cvs.openbsd.org>
- - Document location of Redhat PAM file in INSTALL.
- - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6
- INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to
- deliver (no IPv6 kernel support)
- - Released 1.2.1pre27
-
- - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c)
- - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen
- <jhuuskon@hytti.uku.fi>
- - Fix hang on logout if processes are still using the pty. Needs
- further testing.
- - Patch from Christos Zoulas <christos@zoulas.com>
- - Try $prefix first when looking for OpenSSL.
- - Include sys/types.h when including sys/socket.h in test programs
- - Substitute PID directory in sshd.8. Suggestion from Andrew
- Stribblehill <a.d.stribblehill@durham.ac.uk>
-
-20000116
- - Renamed --with-xauth-path to --with-xauth
- - Added --with-pid-dir option
- - Released 1.2.1pre26
-
- - Compilation fix from Kiyokazu SUTO <suto@ks-and-ks.ne.jp>
- - Fixed broken bugfix for /dev/ptmx on Linux systems which lack
- openpty(). Report from Kiyokazu SUTO <suto@ks-and-ks.ne.jp>
-
-20000115
- - Add --with-xauth-path configure directive and explicit test for
- /usr/openwin/bin/xauth for Solaris systems. Report from Anders
- Nordby <anders@fix.no>
- - Fix incorrect detection of /dev/ptmx on Linux systems that lack
- openpty. Report from John Seifarth <john@waw.be>
- - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in
- sys/types.h. Fixes problems on SCO, report from Gary E. Miller
- <gem@rellim.com>
- - Use __snprintf and __vnsprintf if they are found where snprintf and
- vnsprintf are lacking. Suggested by Ben Taylor <bent@shell.clark.net>
- and others.
-
-20000114
- - Merged OpenBSD IPv6 patch:
- - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1]
- [scp.c packet.h packet.c login.c log.c canohost.c channels.c]
- [hostfile.c sshd_config]
- ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new
- features: sshd allows multiple ListenAddress and Port options. note
- that libwrap is not IPv6-ready. (based on patches from
- fujiwara@rcac.tdi.co.jp)
- - [ssh.c canohost.c]
- more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo,
- from itojun@
- - [channels.c]
- listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)
- - [packet.h]
- allow auth-kerberos for IPv4 only
- - [scp.1 sshd.8 servconf.h scp.c]
- document -4, -6, and 'ssh -L 2022/::1/22'
- - [ssh.c]
- 'ssh @host' is illegal (null user name), from
- karsten@gedankenpolizei.de
- - [sshconnect.c]
- better error message
- - [sshd.c]
- allow auth-kerberos for IPv4 only
- - Big IPv6 merge:
- - Cleanup overrun in sockaddr copying on RHL 6.1
- - Replacements for getaddrinfo, getnameinfo, etc based on versions
- from patch from KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
- - Replacement for missing structures on systems that lack IPv6
- - record_login needed to know about AF_INET6 addresses
- - Borrowed more code from OpenBSD: rresvport_af and requisites
-
-20000110
- - Fixes to auth-skey to enable it to use the standard OpenSSL libraries
-
-20000107
- - New config.sub and config.guess to fix problems on SCO. Supplied
- by Gary E. Miller <gem@rellim.com>
- - SCO build fix from Gary E. Miller <gem@rellim.com>
- - Released 1.2.1pre25
-
-20000106
- - Documentation update & cleanup
- - Better KrbIV / AFS detection, based on patch from:
- Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE>
-
-20000105
- - Fixed annoying DES corruption problem. libcrypt has been
- overriding symbols in libcrypto. Removed libcrypt and crypt.h
- altogether (libcrypto includes its own crypt(1) replacement)
- - Added platform-specific rules for Irix 6.x. Included warning that
- they are untested.
-
-20000103
- - Add explicit make rules for files proccessed by fixpaths.
- - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori
- <tnh@kondara.org>
- - Removed "nullok" directive from default PAM configuration files.
- Added information on enabling EmptyPasswords on openssh+PAM in
- UPGRADING file.
- - OpenBSD CVS updates
- - [ssh-agent.c]
- cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and
- dgaudet@arctic.org
- - [sshconnect.c]
- compare correct version for 1.3 compat mode
-
-20000102
- - Prevent multiple inclusion of config.h and defines.h. Suggested
- by Andre Lucas <andre.lucas@dial.pipex.com>
- - Properly clean up on exit of ssh-agent. Patch from Dean Gaudet
- <dgaudet@arctic.org>
-
-19991231
- - Fix password support on systems with a mixture of shadowed and
- non-shadowed passwords (e.g. NIS). Report and fix from
- HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
- - Fix broken autoconf typedef detection. Report from Marc G.
- Fournier <marc.fournier@acadiau.ca>
- - Fix occasional crash on LinuxPPC. Patch from Franz Sirl
- <Franz.Sirl-kernel@lauterbach.com>
- - Prevent typedefs from being compiled more than once. Report from
- Marc G. Fournier <marc.fournier@acadiau.ca>
- - Fill in ut_utaddr utmp field. Report from Benjamin Charron
- <iretd@bigfoot.com>
- - Really fix broken default path. Fix from Jim Knoble
- <jmknoble@pobox.com>
- - Remove test for quad_t. No longer needed.
- - Released 1.2.1pre24
-
- - Added support for directory-based lastlogs
- - Really fix typedefs, patch from Ben Taylor <bent@clark.net>
-
-19991230
- - OpenBSD CVS updates:
- - [auth-passwd.c]
- check for NULL 1st
- - Removed most of the pam code into its own file auth-pam.[ch]. This
- cleaned up sshd.c up significantly.
- - PAM authentication was incorrectly interpreting
- "PermitRootLogin without-password". Report from Matthias Andree
- <ma@dt.e-technik.uni-dortmund.de
- - Several other cleanups
- - Merged Dante SOCKS support patch from David Rankin
- <drankin@bohemians.lexington.ky.us>
- - Updated documentation with ./configure options
- - Released 1.2.1pre23
-
-19991229
- - Applied another NetBSD portability patch from David Rankin
- <drankin@bohemians.lexington.ky.us>
- - Fix --with-default-path option.
- - Autodetect perl, patch from David Rankin
- <drankin@bohemians.lexington.ky.us>
- - Print whether OpenSSH was compiled with RSARef, patch from
- Nalin Dahyabhai <nalin@thermo.stat.ncsu.edu>
- - Calls to pam_setcred, patch from Nalin Dahyabhai
- <nalin@thermo.stat.ncsu.edu>
- - Detect missing size_t and typedef it.
- - Rename helper.[ch] to (more appropriate) bsd-misc.[ch]
- - Minor Makefile cleaning
-
-19991228
- - Replacement for getpagesize() for systems which lack it
- - NetBSD login.c compile fix from David Rankin
- <drankin@bohemians.lexington.ky.us>
- - Fully set ut_tv if present in utmp or utmpx
- - Portability fixes for Irix 5.3 (now compiles OK!)
- - autoconf and other misc cleanups
- - Merged AIX patch from Darren Hall <dhall@virage.org>
- - Cleaned up defines.h
- - Released 1.2.1pre22
-
-19991227
- - Automatically correct paths in manpages and configuration files. Patch
- and script from Andre Lucas <andre.lucas@dial.pipex.com>
- - Removed credits from README to CREDITS file, updated.
- - Added --with-default-path to specify custom path for server
- - Removed #ifdef trickery from acconfig.h into defines.h
- - PAM bugfix. PermitEmptyPassword was being ignored.
- - Fixed PAM config files to allow empty passwords if server does.
- - Explained spurious PAM auth warning workaround in UPGRADING
- - Use last few chars of tty line as ut_id
- - New SuSE RPM spec file from Chris Saia <csaia@wtower.com>
- - OpenBSD CVS updates:
- - [packet.h auth-rhosts.c]
- check format string for packet_disconnect and packet_send_debug, too
- - [channels.c]
- use packet_get_maxsize for channels. consistence.
-
-19991226
- - Enabled utmpx support by default for Solaris
- - Cleanup sshd.c PAM a little more
- - Revised RPM package to include Jim Knoble's <jmknoble@pobox.com>
- X11 ssh-askpass program.
- - Disable logging of PAM success and failures, PAM is verbose enough.
- Unfortunatly there is currently no way to disable auth failure
- messages. Mention this in UPGRADING file and sent message to PAM
- developers
- - OpenBSD CVS update:
- - [ssh-keygen.1 ssh.1]
- remove ref to .ssh/random_seed, mention .ssh/environment in
- .Sh FILES, too
- - Released 1.2.1pre21
- - Fixed implicit '.' in default path, report from Jim Knoble
- <jmknoble@pobox.com>
- - Redhat RPM spec fixes from Jim Knoble <jmknoble@pobox.com>
-
-19991225
- - More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
- - Cleanup of auth-passwd.c for shadow and MD5 passwords
- - Cleanup and bugfix of PAM authentication code
- - Released 1.2.1pre20
-
- - Merged fixes from Ben Taylor <bent@clark.net>
- - Fixed configure support for PAM. Reported by Naz <96na@eng.cam.ac.uk>
- - Disabled logging of PAM password authentication failures when password
- is empty. (e.g start of authentication loop). Reported by Naz
- <96na@eng.cam.ac.uk>)
-
-19991223
- - Merged later HPUX patch from Andre Lucas
- <andre.lucas@dial.pipex.com>
- - Above patch included better utmpx support from Ben Taylor
- <bent@clark.net>
-
-19991222
- - Fix undefined fd_set type in ssh.h from Povl H. Pedersen
- <pope@netguide.dk>
- - Fix login.c breakage on systems which lack ut_host in struct
- utmp. Reported by Willard Dawson <willard.dawson@sbs.siemens.com>
-
-19991221
- - Integration of large HPUX patch from Andre Lucas
- <andre.lucas@dial.pipex.com>. Integrating it had a few other
- benefits:
- - Ability to disable shadow passwords at configure time
- - Ability to disable lastlog support at configure time
- - Support for IP address in $DISPLAY
- - OpenBSD CVS update:
- - [sshconnect.c]
- say "REMOTE HOST IDENTIFICATION HAS CHANGED"
- - Fix DISABLE_SHADOW support
- - Allow MD5 passwords even if shadow passwords are disabled
- - Release 1.2.1pre19
-
-19991218
- - Redhat init script patch from Chun-Chung Chen
- <cjj@u.washington.edu>
- - Avoid breakage on systems without IPv6 headers
-
-19991216
- - Makefile changes for Solaris from Peter Kocks
- <peter.kocks@baygate.com>
- - Minor updates to docs
- - Merged OpenBSD CVS changes:
- - [authfd.c ssh-agent.c]
- keysize warnings talk about identity files
- - [packet.c]
- "Connection closed by x.x.x.x": fatal() -> log()
- - Correctly handle empty passwords in shadow file. Patch from:
- "Chris, the Young One" <cky@pobox.com>
- - Released 1.2.1pre18
-
-19991215
- - Integrated patchs from Juergen Keil <jk@tools.de>
- - Avoid void* pointer arithmatic
- - Use LDFLAGS correctly
- - Fix SIGIO error in scp
- - Simplify status line printing in scp
- - Added better test for inline functions compiler support from
- Darren_Hall@progressive.com
-
-19991214
- - OpenBSD CVS Changes
- - [canohost.c]
- fix get_remote_port() and friends for sshd -i;
- Holger.Trapp@Informatik.TU-Chemnitz.DE
- - [mpaux.c]
- make code simpler. no need for memcpy. niels@ ok
- - [pty.c]
- namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org
- fix proto; markus
- - [ssh.1]
- typo; mark.baushke@solipsa.com
- - [channels.c ssh.c ssh.h sshd.c]
- type conflict for 'extern Type *options' in channels.c; dot@dotat.at
- - [sshconnect.c]
- move checking of hostkey into own function.
- - [version.h]
- OpenSSH-1.2.1
- - Clean up broken includes in pty.c
- - Some older systems don't have poll.h, they use sys/poll.h instead
- - Doc updates
-
-19991211
- - Fix compilation on systems with AFS. Reported by
- aloomis@glue.umd.edu
- - Fix installation on Solaris. Reported by
- Gordon Rowell <gordonr@gormand.com.au>
- - Fix gccisms (__attribute__ and inline). Report by edgy@us.ibm.com,
- patch from Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
- - Auto-locate xauth. Patch from David Agraz <dagraz@jahoopa.com>
- - Compile fix from David Agraz <dagraz@jahoopa.com>
- - Avoid compiler warning in bsd-snprintf.c
- - Added pam_limits.so to default PAM config. Suggested by
- Jim Knoble <jmknoble@pobox.com>
-
-19991209
- - Import of patch from Ben Taylor <bent@clark.net>:
- - Improved PAM support
- - "uninstall" rule for Makefile
- - utmpx support
- - Should fix PAM problems on Solaris
- - OpenBSD CVS updates:
- - [readpass.c]
- avoid stdio; based on work by markus, millert, and I
- - [sshd.c]
- make sure the client selects a supported cipher
- - [sshd.c]
- fix sighup handling. accept would just restart and daemon handled
- sighup only after the next connection was accepted. use poll on
- listen sock now.
- - [sshd.c]
- make that a fatal
- - Applied patch from David Rankin <drankin@bohemians.lexington.ky.us>
- to fix libwrap support on NetBSD
- - Released 1.2pre17
-
-19991208
- - Compile fix for Solaris with /dev/ptmx from
- David Agraz <dagraz@jahoopa.com>
-
-19991207
- - sshd Redhat init script patch from Jim Knoble <jmknoble@pobox.com>
- fixes compatability with 4.x and 5.x
- - Fixed default SSH_ASKPASS
- - Fix PAM account and session being called multiple times. Problem
- reported by Adrian Baugh <adrian@merlin.keble.ox.ac.uk>
- - Merged more OpenBSD changes:
- - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c]
- move atomicio into it's own file. wrap all socket write()s which
- were doing write(sock, buf, len) != len, with atomicio() calls.
- - [auth-skey.c]
- fd leak
- - [authfile.c]
- properly name fd variable
- - [channels.c]
- display great hatred towards strcpy
- - [pty.c pty.h sshd.c]
- use openpty() if it exists (it does on BSD4_4)
- - [tildexpand.c]
- check for ~ expansion past MAXPATHLEN
- - Modified helper.c to use new atomicio function.
- - Reformat Makefile a little
- - Moved RC4 routines from rc4.[ch] into helper.c
- - Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX)
- - Updated SuSE spec from Chris Saia <csaia@wtower.com>
- - Tweaked Redhat spec
- - Clean up bad imports of a few files (forgot -kb)
- - Released 1.2pre16
-
-19991204
- - Small cleanup of PAM code in sshd.c
- - Merged OpenBSD CVS changes:
- - [auth-krb4.c auth-passwd.c auth-skey.c ssh.h]
- move skey-auth from auth-passwd.c to auth-skey.c, same for krb4
- - [auth-rsa.c]
- warn only about mismatch if key is _used_
- warn about keysize-mismatch with log() not error()
- channels.c readconf.c readconf.h ssh.c ssh.h sshconnect.c
- ports are u_short
- - [hostfile.c]
- indent, shorter warning
- - [nchan.c]
- use error() for internal errors
- - [packet.c]
- set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
- serverloop.c
- indent
- - [ssh-add.1 ssh-add.c ssh.h]
- document $SSH_ASKPASS, reasonable default
- - [ssh.1]
- CheckHostIP is not available for connects via proxy command
- - [sshconnect.c]
- typo
- easier to read client code for passwd and skey auth
- turn of checkhostip for proxy connects, since we don't know the remote ip
-
-19991126
- - Add definition for __P()
- - Added [v]snprintf() replacement for systems that lack it
-
-19991125
- - More reformatting merged from OpenBSD CVS
- - Merged OpenBSD CVS changes:
- - [channels.c]
- fix packet_integrity_check() for !have_hostname_in_open.
- report from mrwizard@psu.edu via djm@ibs.com.au
- - [channels.c]
- set SO_REUSEADDR and SO_LINGER for forwarded ports.
- chip@valinux.com via damien@ibs.com.au
- - [nchan.c]
- it's not an error() if shutdown_write failes in nchan.
- - [readconf.c]
- remove dead #ifdef-0-code
- - [readconf.c servconf.c]
- strcasecmp instead of tolower
- - [scp.c]
- progress meter overflow fix from damien@ibs.com.au
- - [ssh-add.1 ssh-add.c]
- SSH_ASKPASS support
- - [ssh.1 ssh.c]
- postpone fork_after_authentication until command execution,
- request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au
- plus: use daemon() for backgrounding
- - Added BSD compatible install program and autoconf test, thanks to
- Niels Kristian Bech Jensen <nkbj@image.dk>
- - Solaris fixing, thanks to Ben Taylor <bent@clark.net>
- - Merged beginnings of AIX support from Tor-Ake Fransson <torake@hotmail.com>
- - Release 1.2pre15
-
-19991124
- - Merged very large OpenBSD source code reformat
- - OpenBSD CVS updates
- - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c]
- [ssh.h sshd.8 sshd.c]
- syslog changes:
- * Unified Logmessage for all auth-types, for success and for failed
- * Standard connections get only ONE line in the LOG when level==LOG:
- Auth-attempts are logged only, if authentication is:
- a) successfull or
- b) with passwd or
- c) we had more than AUTH_FAIL_LOG failues
- * many log() became verbose()
- * old behaviour with level=VERBOSE
- - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c]
- tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE
- messages. allows use of s/key in windows (ttssh, securecrt) and
- ssh-1.2.27 clients without 'ssh -v', ok: niels@
- - [sshd.8]
- -V, for fallback to openssh in SSH2 compatibility mode
- - [sshd.c]
- fix sigchld race; cjc5@po.cwru.edu
-
-19991123
- - Added SuSE package files from Chris Saia <csaia@wtower.com>
- - Restructured package-related files under packages/*
- - Added generic PAM config
- - Numerous little Solaris fixes
- - Add recommendation to use GNU make to INSTALL document
-
-19991122
- - Make <enter> close gnome-ssh-askpass (Debian bug #50299)
- - OpenBSD CVS Changes
- - [ssh-keygen.c]
- don't create ~/.ssh only if the user wants to store the private
- key there. show fingerprint instead of public-key after
- keygeneration. ok niels@
- - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h
- - Added timersub() macro
- - Tidy RCSIDs of bsd-*.c
- - Added autoconf test and macro to deal with old PAM libraries
- pam_strerror definition (one arg vs two).
- - Fix EGD problems (Thanks to Ben Taylor <bent@clark.net>)
- - Retry /dev/urandom reads interrupted by signal (report from
- Robert Hardy <rhardy@webcon.net>)
- - Added a setenv replacement for systems which lack it
- - Only display public key comment when presenting ssh-askpass dialog
- - Released 1.2pre14
-
- - Configure, Make and changelog corrections from Tudor Bosman
- <tudorb@jm.nu> and Niels Kristian Bech Jensen <nkbj@image.dk>
-
-19991121
- - OpenBSD CVS Changes:
- - [channels.c]
- make this compile, bad markus
- - [log.c readconf.c servconf.c ssh.h]
- bugfix: loglevels are per host in clientconfig,
- factor out common log-level parsing code.
- - [servconf.c]
- remove unused index (-Wall)
- - [ssh-agent.c]
- only one 'extern char *__progname'
- - [sshd.8]
- document SIGHUP, -Q to synopsis
- - [sshconnect.c serverloop.c sshd.c packet.c packet.h]
- [channels.c clientloop.c]
- SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
- [hope this time my ISP stays alive during commit]
- - [OVERVIEW README] typos; green@freebsd
- - [ssh-keygen.c]
- replace xstrdup+strcat with strlcat+fixed buffer, fixes OF (bad me)
- exit if writing the key fails (no infinit loop)
- print usage() everytime we get bad options
- - [ssh-keygen.c] overflow, djm@mindrot.org
- - [sshd.c] fix sigchld race; cjc5@po.cwru.edu
-
-19991120
- - Merged more Solaris support from Marc G. Fournier
- <marc.fournier@acadiau.ca>
- - Wrote autoconf tests for integer bit-types
- - Fixed enabling kerberos support
- - Fix segfault in ssh-keygen caused by buffer overrun in filename
- handling.
-
-19991119
- - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
- - Merged OpenBSD CVS changes
- - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c]
- more %d vs. %s in fmt-strings
- - [authfd.c]
- Integers should not be printed with %s
- - EGD uses a socket, not a named pipe. Duh.
- - Fix includes in fingerprint.c
- - Fix scp progress bar bug again.
- - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of
- David Rankin <drankin@bohemians.lexington.ky.us>
- - Added autoconf option to enable Kerberos 4 support (untested)
- - Added autoconf option to enable AFS support (untested)
- - Added autoconf option to enable S/Key support (untested)
- - Added autoconf option to enable TCP wrappers support (compiles OK)
- - Renamed BSD helper function files to bsd-*
- - Added tests for login and daemon and enable OpenBSD replacements for
- when they are absent.
- - Added non-PAM MD5 password support patch from Tudor Bosman <tudorb@jm.nu>
-
-19991118
- - Merged OpenBSD CVS changes
- - [scp.c] foregroundproc() in scp
- - [sshconnect.h] include fingerprint.h
- - [sshd.c] bugfix: the log() for passwd-auth escaped during logging
- changes.
- - [ssh.1] Spell my name right.
- - Added openssh.com info to README
-
-19991117
- - Merged OpenBSD CVS changes
- - [ChangeLog.Ylonen] noone needs this anymore
- - [authfd.c] close-on-exec for auth-socket, ok deraadt
- - [hostfile.c]
- in known_hosts key lookup the entry for the bits does not need
- to match, all the information is contained in n and e. This
- solves the problem with buggy servers announcing the wrong
- modulus length. markus and me.
- - [serverloop.c]
- bugfix: check for space if child has terminated, from:
- iedowse@maths.tcd.ie
- - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c]
- [fingerprint.c fingerprint.h]
- rsa key fingerprints, idea from Bjoern Groenvall <bg@sics.se>
- - [ssh-agent.1] typo
- - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@
- - [sshd.c]
- force logging to stderr while loading private key file
- (lost while converting to new log-levels)
-
-19991116
- - Fix some Linux libc5 problems reported by Miles Wilson <mw@mctitle.com>
- - Merged OpenBSD CVS changes:
- - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c]
- [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c]
- the keysize of rsa-parameter 'n' is passed implizit,
- a few more checks and warnings about 'pretended' keysizes.
- - [cipher.c cipher.h packet.c packet.h sshd.c]
- remove support for cipher RC4
- - [ssh.c]
- a note for legay systems about secuity issues with permanently_set_uid(),
- the private hostkey and ptrace()
- - [sshconnect.c]
- more detailed messages about adding and checking hostkeys
-
-19991115
- - Merged OpenBSD CVS changes:
- - [ssh-add.c] change passphrase loop logic and remove ref to
- $DISPLAY, ok niels
- - Changed to ssh-add.c broke askpass support. Revised it to be a little more
- modular.
- - Revised autoconf support for enabling/disabling askpass support.
- - Merged more OpenBSD CVS changes:
- [auth-krb4.c]
- - disconnect if getpeername() fails
- - missing xfree(*client)
- [canohost.c]
- - disconnect if getpeername() fails
- - fix comment: we _do_ disconnect if ip-options are set
- [sshd.c]
- - disconnect if getpeername() fails
- - move checking of remote port to central place
- [auth-rhosts.c] move checking of remote port to central place
- [log-server.c] avoid extra fd per sshd, from millert@
- [readconf.c] print _all_ bad config-options in ssh(1), too
- [readconf.h] print _all_ bad config-options in ssh(1), too
- [ssh.c] print _all_ bad config-options in ssh(1), too
- [sshconnect.c] disconnect if getpeername() fails
- - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it.
- - Various small cleanups to bring diff (against OpenBSD) size down.
- - Merged more Solaris compability from Marc G. Fournier
- <marc.fournier@acadiau.ca>
- - Wrote autoconf tests for __progname symbol
- - RPM spec file fixes from Jim Knoble <jmknoble@pobox.com>
- - Released 1.2pre12
-
- - Another OpenBSD CVS update:
- - [ssh-keygen.1] fix .Xr
-
-19991114
- - Solaris compilation fixes (still imcomplete)
-
-19991113
- - Build patch from Niels Kristian Bech Jensen <nkbj@image.dk>
- - Don't install config files if they already exist
- - Fix inclusion of additional preprocessor directives from acconfig.h
- - Removed redundant inclusions of config.h
- - Added 'Obsoletes' lines to RPM spec file
- - Merged OpenBSD CVS changes:
- - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels
- - [scp.c] fix overflow reported by damien@ibs.com.au: off_t
- totalsize, ok niels,aaron
- - Delay fork (-f option) in ssh until after port forwarded connections
- have been initialised. Patch from Jani Hakala <jahakala@cc.jyu.fi>
- - Added shadow password patch from Thomas Neumann <tom@smart.ruhr.de>
- - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled
- - Tidied default config file some more
- - Revised Redhat initscript to fix bug: sshd (re)start would fail
- if executed from inside a ssh login.
-
-19991112
- - Merged changes from OpenBSD CVS
- - [sshd.c] session_key_int may be zero
- - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config]
- IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok
- deraadt,millert
- - Brought default sshd_config more in line with OpenBSD's
- - Grab server in gnome-ssh-askpass (Debian bug #49872)
- - Released 1.2pre10
-
- - Added INSTALL documentation
- - Merged yet more changes from OpenBSD CVS
- - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c]
- [ssh.c ssh.h sshconnect.c sshd.c]
- make all access to options via 'extern Options options'
- and 'extern ServerOptions options' respectively;
- options are no longer passed as arguments:
- * make options handling more consistent
- * remove #include "readconf.h" from ssh.h
- * readconf.h is only included if necessary
- - [mpaux.c] clear temp buffer
- - [servconf.c] print _all_ bad options found in configfile
- - Make ssh-askpass support optional through autoconf
- - Fix nasty division-by-zero error in scp.c
- - Released 1.2pre11
-
-19991111
- - Added (untested) Entropy Gathering Daemon (EGD) support
- - Fixed /dev/urandom fd leak (Debian bug #49722)
- - Merged OpenBSD CVS changes:
- - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
- - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
- - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
- - Fix integer overflow which was messing up scp's progress bar for large
- file transfers. Fix submitted to OpenBSD developers. Report and fix
- from Kees Cook <cook@cpoint.net>
- - Merged more OpenBSD CVS changes:
- - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal()
- + krb-cleanup cleanup
- - [clientloop.c log-client.c log-server.c ]
- [readconf.c readconf.h servconf.c servconf.h ]
- [ssh.1 ssh.c ssh.h sshd.8]
- add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
- obsoletes QuietMode and FascistLogging in sshd.
- - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au:
- allow session_key_int != sizeof(session_key)
- [this should fix the pre-assert-removal-core-files]
- - Updated default config file to use new LogLevel option and to improve
- readability
-
-19991110
- - Merged several minor fixes:
- - ssh-agent commandline parsing
- - RPM spec file now installs ssh setuid root
- - Makefile creates libdir
- - Merged beginnings of Solaris compability from Marc G. Fournier
- <marc.fournier@acadiau.ca>
-
-19991109
- - Autodetection of SSL/Crypto library location via autoconf
- - Fixed location of ssh-askpass to follow autoconf
- - Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk>
- - Autodetection of RSAref library for US users
- - Minor doc updates
- - Merged OpenBSD CVS changes:
- - [rsa.c] bugfix: use correct size for memset()
- - [sshconnect.c] warn if announced size of modulus 'n' != real size
- - Added GNOME passphrase requestor (use --with-gnome-askpass)
- - RPM build now creates subpackages
- - Released 1.2pre9
-
-19991108
- - Removed debian/ directory. This is now being maintained separately.
- - Added symlinks for slogin in RPM spec file
- - Fixed permissions on manpages in RPM spec file
- - Added references to required libraries in README file
- - Removed config.h.in from CVS
- - Removed pwdb support (better pluggable auth is provided by glibc)
- - Made PAM and requisite libdl optional
- - Removed lots of unnecessary checks from autoconf
- - Added support and autoconf test for openpty() function (Unix98 pty support)
- - Fix for scp not finding ssh if not installed as /usr/bin/ssh
- - Added TODO file
- - Merged parts of Debian patch From Phil Hands <phil@hands.com>:
- - Added ssh-askpass program
- - Added ssh-askpass support to ssh-add.c
- - Create symlinks for slogin on install
- - Fix "distclean" target in makefile
- - Added example for ssh-agent to manpage
- - Added support for PAM_TEXT_INFO messages
- - Disable internal /etc/nologin support if PAM enabled
- - Merged latest OpenBSD CVS changes:
- - [all] replace assert() with error, fatal or packet_disconnect
- - [sshd.c] don't send fail-msg but disconnect if too many authentication
- failures
- - [sshd.c] remove unused argument. ok dugsong
- - [sshd.c] typo
- - [rsa.c] clear buffers used for encryption. ok: niels
- - [rsa.c] replace assert() with error, fatal or packet_disconnect
- - [auth-krb4.c] remove unused argument. ok dugsong
- - Fixed coredump after merge of OpenBSD rsa.c patch
- - Released 1.2pre8
-
-19991102
- - Merged change from OpenBSD CVS
- - One-line cleanup in sshd.c
-
-19991030
- - Integrated debian package support from Dan Brosemer <odin@linuxfreak.com>
- - Merged latest updates for OpenBSD CVS:
- - channels.[ch] - remove broken x11 fix and document istate/ostate
- - ssh-agent.c - call setsid() regardless of argv[]
- - ssh.c - save a few lines when disabling rhosts-{rsa-}auth
- - Documentation cleanups
- - Renamed README -> README.Ylonen
- - Renamed README.openssh ->README
-
-19991029
- - Renamed openssh* back to ssh* at request of Theo de Raadt
- - Incorporated latest changes from OpenBSD's CVS
- - Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk>
- - Integrated PAM env patch from Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- - Make distclean now removed configure script
- - Improved PAM logging
- - Added some debug() calls for PAM
- - Removed redundant subdirectories
- - Integrated part of a patch from Dan Brosemer <odin@linuxfreak.com> for
- building on Debian.
- - Fixed off-by-one error in PAM env patch
- - Released 1.2pre6
-
-19991028
- - Further PAM enhancements.
- - Much cleaner
- - Now uses account and session modules for all logins.
- - Integrated patch from Dan Brosemer <odin@linuxfreak.com>
- - Build fixes
- - Autoconf
- - Change binary names to open*
- - Fixed autoconf script to detect PAM on RH6.1
- - Added tests for libpwdb, and OpenBSD functions to autoconf
- - Released 1.2pre4
-
- - Imported latest OpenBSD CVS code
- - Updated README.openssh
- - Released 1.2pre5
-
-19991027
- - Adapted PAM patch.
- - Released 1.0pre2
-
- - Excised my buggy replacements for strlcpy and mkdtemp
- - Imported correct OpenBSD strlcpy and mkdtemp routines.
- - Reduced arc4random_stir entropy read to 32 bytes (256 bits)
- - Picked up correct version number from OpenBSD
- - Added sshd.pam PAM configuration file
- - Added sshd.init Redhat init script
- - Added openssh.spec RPM spec file
- - Released 1.2pre3
-
-19991026
- - Fixed include paths of OpenSSL functions
- - Use OpenSSL MD5 routines
- - Imported RC4 code from nanocrypt
- - Wrote replacements for OpenBSD arc4random* functions
- - Wrote replacements for strlcpy and mkdtemp
- - Released 1.0pre1
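Review bot: deleting ChangeLog in full drops the only per-date record in this directory of which security fixes were merged, for example the 19991120 entry "Fix segfault in ssh-keygen caused by buffer overrun in filename handling", the 19991119 entry "Merged PAM buffer overrun patch" and the 19991116 entry "remove support for cipher RC4". If the ssh sources these entries describe remain in the tree, the commit message should say where this history can still be found (upstream changelog or revision history), so that a later audit of which fixes this copy contains does not depend on a deleted file.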
diff --git a/usr/src/cmd/ssh/doc/INSTALL b/usr/src/cmd/ssh/doc/INSTALL
deleted file mode 100644
index 9112b92b57..0000000000
--- a/usr/src/cmd/ssh/doc/INSTALL
+++ /dev/null
@@ -1,199 +0,0 @@
-1. Prerequisites
-----------------
-
-You will need working installations of Zlib and OpenSSL.
-
-Zlib:
-http://www.freesoftware.com/pub/infozip/zlib/
-
-OpenSSL 0.9.5a or greater:
-http://www.openssl.org/
-
-RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support
-
-OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
-supports it. PAM is standard on Redhat and Debian Linux and on Solaris.
-
-PAM:
-http://www.kernel.org/pub/linux/libs/pam/
-
-If you wish to build the GNOME passphrase requester, you will need the GNOME
-libraries and headers.
-
-GNOME:
-http://www.gnome.org/
-
-Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
-passphrase requester. This is maintained separately at:
-
-http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
-
-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
-
-EGD:
-http://www.lothar.com/tech/crypto/
-
-GNU Make:
-ftp://ftp.gnu.org/gnu/make/
-
-OpenSSH has only been tested with GNU make. It may work with other
-'make' programs, but you are on your own.
-
-pcre (POSIX Regular Expression library):
-ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/
-
-Most platforms do not required this. However older 4.3 BSD do not
-have a posix regex library.
-
-
-2. Building / Installation
---------------------------
-
-To install OpenSSH with default options:
-
-./configure
-make
-make install
-
-This will install the OpenSSH binaries in /usr/local/bin, configuration files
-in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
-installation prefix, use the --prefix option to configure:
-
-./configure --prefix=/opt
-make
-make install
-
-Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
-specific paths, for example:
-
-./configure --prefix=/opt --sysconfdir=/etc/ssh
-make
-make install
-
-This will install the binaries in /opt/{bin,lib,sbin}, but will place the
-configuration files in /etc/ssh.
-
-If you are using PAM, you will need to manually install a PAM
-control file as "/etc/pam.d/sshd" (or wherever your system
-prefers to keep them). A generic PAM configuration is included as
-"contrib/sshd.pam.generic", you may need to edit it before using it on
-your system. If you are using a recent version of Redhat Linux, the
-config file in contrib/redhat/sshd.pam should be more useful.
-Failure to install a valid PAM file may result in an inability to
-use password authentication.
-
-There are a few other options to the configure script:
-
---with-rsh=PATH allows you to specify the path to your rsh program.
-Normally ./configure will search the current $PATH for 'rsh'. You
-may need to specify this option if rsh is not in your path or has a
-different name.
-
---without-pam will disable PAM support. PAM is automatically detected
-and switched on if found.
-
---enable-gnome-askpass will build the GNOME passphrase dialog. You
-need a working installation of GNOME, including the development
-headers, for this to work.
-
---with-random=/some/file allows you to specify an alternate source of
-random numbers (the default is /dev/urandom). Unless you are absolutely
-sure of what you are doing, it is best to leave this alone.
-
---with-egd-pool=/some/file allows you to enable Entropy Gathering
-Daemon support and to specify a EGD pool socket. Use this if your
-Unix lacks /dev/random and you don't want to use OpenSSH's builtin
-entropy collection support.
-
---with-lastlog=FILE will specify the location of the lastlog file.
-./configure searches a few locations for lastlog, but may not find
-it if lastlog is installed in a different place.
-
---without-lastlog will disable lastlog support entirely.
-
---with-kerberos4=PATH will enable Kerberos IV support. You will need
-to have the Kerberos libraries and header files installed for this
-to work. Use the optional PATH argument to specify the root of your
-Kerberos installation.
-
---with-afs=PATH will enable AFS support. You will need to have the
-Kerberos IV and the AFS libraries and header files installed for this
-to work. Use the optional PATH argument to specify the root of your
-AFS installation. AFS requires Kerberos support to be enabled.
-
---with-skey will enable S/Key one time password support. You will need
-the S/Key libraries and header files installed for this to work.
-
---with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
-support. You will need libwrap.a and tcpd.h installed.
-
---with-md5-passwords will enable the use of MD5 passwords. Enable this
-if your operating system uses MD5 passwords without using PAM.
-
---with-utmpx enables utmpx support. utmpx support is automatic for
-some platforms.
-
---without-shadow disables shadow password support.
-
---with-ipaddr-display forces the use of a numeric IP address in the
-$DISPLAY environment variable. Some broken systems need this.
-
---with-default-path=PATH allows you to specify a default $PATH for sessions
-started by sshd. This replaces the standard path entirely.
-
---with-pid-dir=PATH specifies the directory in which the ssh.pid file is
-created.
-
---with-xauth=PATH specifies the location of the xauth binary
-
---with-ipv4-default instructs OpenSSH to use IPv4 by default for new
-connections. Normally OpenSSH will try attempt to lookup both IPv6 and
-IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name
-resolution. If this option is specified, you can still attempt to
-connect to IPv6 addresses using the command line option '-6'.
-
---with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
-are installed.
-
---with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
-real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
-
-If you need to pass special options to the compiler or linker, you
-can specify these as environment variables before running ./configure.
-For example:
-
-CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
-
-3. Configuration
-----------------
-
-The runtime configuration files are installed by in ${prefix}/etc or
-whatever you specified as your --sysconfdir (/usr/local/etc by default).
-
-The default configuration should be instantly usable, though you should
-review it to ensure that it matches your security requirements.
-
-To generate a host key, run "make host-key". Alternately you can do so
-manually using the following commands:
-
- ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ""
- ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N ""
-
-Replacing /etc/ssh with the correct path to the configuration directory.
-(${prefix}/etc or whatever you specified with --sysconfdir during
-configuration)
-
-If you have configured OpenSSH with EGD support, ensure that EGD is
-running and has collected some Entropy.
-
-For more information on configuration, please refer to the manual pages
-for sshd, ssh and ssh-agent.
-
-4. Problems?
-------------
-
-If you experience problems compiling, installing or running OpenSSH.
-Please refer to the "reporting bugs" section of the webpage at
-http://www.openssh.com/
-
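Review bot: section 2 of the removed INSTALL is where the requirement to install a PAM control file as "/etc/pam.d/sshd" is stated, together with its consequence ("Failure to install a valid PAM file may result in an inability to use password authentication"); check that whatever documentation replaces this file still carries that requirement if PAM builds remain supported. The rest should not be copied forward unchanged: the host key commands in section 3 ("ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N """) and the "OpenSSL 0.9.5a or greater" prerequisite describe key sizes and library versions that are no longer acceptable defaults.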
diff --git a/usr/src/cmd/ssh/doc/LICENCE b/usr/src/cmd/ssh/doc/LICENCE
deleted file mode 100644
index 04d6fe18e3..0000000000
--- a/usr/src/cmd/ssh/doc/LICENCE
+++ /dev/null
@@ -1,194 +0,0 @@
-This file is part of the ssh software.
-
-The licences which components of this software falls under are as
-follows. First, we will summarize and say that that all components
-are under a BSD licence, or a licence more free than that.
-
-OpenSSH contains no GPL code.
-
-1)
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
-
- [Tatu continues]
- * However, I am not implying to give any licenses to any patents or
- * copyrights held by third parties, and the software includes parts that
- * are not under my direct control. As far as I know, all included
- * source code is used in accordance with the relevant license agreements
- * and can be used freely for any purpose (the GNU license being the most
- * restrictive); see below for details.
-
- [However, none of that term is relevant at this point in time. All of
- these restrictively licenced software components which he talks about
- have been removed from OpenSSH, ie.
-
- - RSA is no longer included, found in the OpenSSL library
- - IDEA is no longer included, it's use is depricated
- - DES is now external, in the OpenSSL library
- - GMP is no longer used, and instead we call BN code from OpenSSL
- - Zlib is now external, in a library
- - The make-ssh-known-hosts script is no longer included
- - TSS has been removed
- - MD5 is now external, in the OpenSSL library
- - RC4 support has been replaced with ARC4 support from OpenSSL
- - Blowfish is now external, in the OpenSSL library
-
- [The licence continues]
-
- Note that any information and cryptographic algorithms used in this
- software are publicly available on the Internet and at any major
- bookstore, scientific library, and patent office worldwide. More
- information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
- The legal status of this program is some combination of all these
- permissions and restrictions. Use only at your own responsibility.
- You will be responsible for any legal consequences yourself; I am not
- making any claims whether possessing or using this is legal or not in
- your country, and I am not taking any responsibility on your behalf.
-
-
- NO WARRANTY
-
- BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
- FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
- OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
- PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
- OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
- TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
- PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
- REPAIR OR CORRECTION.
-
- IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
- WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
- REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
- INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
- OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
- TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
- YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
- PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGES.
-
-2)
- The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
- Comments in the file indicate it may be used for any purpose without
- restrictions:
-
- * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or
- * code or tables extracted from it, as desired without restriction.
-
-3)
- The 32-bit CRC compensation attack detector in deattack.c was
- contributed by CORE SDI S.A. under a BSD-style license. See
- http://www.core-sdi.com/english/ssh/ for details.
-
- * Cryptographic attack detector for ssh - source code
- *
- * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
- *
- * All rights reserved. Redistribution and use in source and binary
- * forms, with or without modification, are permitted provided that
- * this copyright notice is retained.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
- * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
- * SOFTWARE.
- *
- * Ariel Futoransky <futo@core-sdi.com>
- * <http://www.core-sdi.com>
-
-3a)
- Various parts are from the University of California.
-
- * Copyright (c) 1983, 1987, 1989-1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
-
- * Copyright (c) 1989, 1991, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
-
-4)
- Remaining components of the software are provided under a standard
- 2-term BSD licence with the following names as copyright holders:
-
- Markus Friedl
- Theo de Raadt
- Niels Provos
- Dug Song
- Aaron Campbell
-
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
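Review bot: removing LICENCE conflicts with the conditions quoted in the file itself if any of the covered code is still shipped. Sections 3a and 4 both require that "Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer", and section 3 permits redistribution "provided that this copyright notice is retained". Confirm that the ssh sources covered by these notices are removed in the same change or carry the notices in their own file headers; otherwise keep this file, or move it to wherever the tree collects third-party licence texts.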
diff --git a/usr/src/cmd/ssh/doc/OVERVIEW b/usr/src/cmd/ssh/doc/OVERVIEW
deleted file mode 100644
index 7f34ac45bd..0000000000
--- a/usr/src/cmd/ssh/doc/OVERVIEW
+++ /dev/null
@@ -1,164 +0,0 @@
-This document is intended for those who wish to read the ssh source
-code. This tries to give an overview of the structure of the code.
-
-Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>
-Updated 17 Nov 1995.
-Updated 19 Oct 1999 for OpenSSH-1.2
-
-The software consists of ssh (client), sshd (server), scp, sdist, and
-the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
-make-ssh-known-hosts. The main program for each of these is in a .c
-file with the same name.
-
-There are some subsystems/abstractions that are used by a number of
-these programs.
-
- Buffer manipulation routines
-
- - These provide an arbitrary size buffer, where data can be appended.
- Data can be consumed from either end. The code is used heavily
- throughout ssh. The basic buffer manipulation functions are in
- buffer.c (header buffer.h), and additional code to manipulate specific
- data types is in bufaux.c.
-
- Compression Library
-
- - Ssh uses the GNU GZIP compression library (ZLIB).
-
- Encryption/Decryption
-
- - Ssh contains several encryption algorithms. These are all
- accessed through the cipher.h interface. The interface code is
- in cipher.c, and the implementations are in libc.
-
- Multiple Precision Integer Library
-
- - Uses the SSLeay BIGNUM sublibrary.
- - Some auxiliary functions for mp-int manipulation are in mpaux.c.
-
- Random Numbers
-
- - Uses arc4random() and such.
-
- RSA key generation, encryption, decryption
-
- - Ssh uses the RSA routines in libssl.
-
- RSA key files
-
- - RSA keys are stored in files with a special format. The code to
- read/write these files is in authfile.c. The files are normally
- encrypted with a passphrase. The functions to read passphrases
- are in readpass.c (the same code is used to read passwords).
-
- Binary packet protocol
-
- - The ssh binary packet protocol is implemented in packet.c. The
- code in packet.c does not concern itself with packet types or their
- execution; it contains code to build packets, to receive them and
- extract data from them, and the code to compress and/or encrypt
- packets. CRC code comes from crc32.c.
-
- - The code in packet.c calls the buffer manipulation routines
- (buffer.c, bufaux.c), compression routines (compress.c, zlib),
- and the encryption routines.
-
- X11, TCP/IP, and Agent forwarding
-
- - Code for various types of channel forwarding is in channels.c.
- The file defines a generic framework for arbitrary communication
- channels inside the secure channel, and uses this framework to
- implement X11 forwarding, TCP/IP forwarding, and authentication
- agent forwarding.
- The new, Protocol 1.5, channel close implementation is in nchan.c
-
- Authentication agent
-
- - Code to communicate with the authentication agent is in authfd.c.
-
- Authentication methods
-
- - Code for various authentication methods resides in auth-*.c
- (auth-passwd.c, auth-rh-rsa.c, auth-rhosts.c, auth-rsa.c). This
- code is linked into the server. The routines also manipulate
- known hosts files using code in hostfile.c. Code in canohost.c
- is used to retrieve the canonical host name of the remote host.
- Code in match.c is used to match host names.
-
- - In the client end, authentication code is in sshconnect.c. It
- reads Passwords/passphrases using code in readpass.c. It reads
- RSA key files with authfile.c. It communicates the
- authentication agent using authfd.c.
-
- The ssh client
-
- - The client main program is in ssh.c. It first parses arguments
- and reads configuration (readconf.c), then calls ssh_connect (in
- sshconnect.c) to open a connection to the server (possibly via a
- proxy), and performs authentication (ssh_login in sshconnect.c).
- It then makes any pty, forwarding, etc. requests. It may call
- code in ttymodes.c to encode current tty modes. Finally it
- calls client_loop in clientloop.c. This does the real work for
- the session.
-
- - The client is suid root. It tries to temporarily give up this
- rights while reading the configuration data. The root
- privileges are only used to make the connection (from a
- privileged socket). Any extra privileges are dropped before
- calling ssh_login.
-
- Pseudo-tty manipulation and tty modes
-
- - Code to allocate and use a pseudo tty is in pty.c. Code to
- encode and set terminal modes is in ttymodes.c.
-
- Logging in (updating utmp, lastlog, etc.)
-
- - The code to do things that are done when a user logs in are in
- login.c. This includes things such as updating the utmp, wtmp,
- and lastlog files. Some of the code is in sshd.c.
-
- Writing to the system log and terminal
-
- - The programs use the functions fatal(), log(), debug(), error()
- in many places to write messages to system log or user's
- terminal. The implementation that logs to system log is in
- log-server.c; it is used in the server program. The other
- programs use an implementation that sends output to stderr; it
- is in log-client.c. The definitions are in ssh.h.
-
- The sshd server (daemon)
-
- - The sshd daemon starts by processing arguments and reading the
- configuration file (servconf.c). It then reads the host key,
- starts listening for connections, and generates the server key.
- The server key will be regenerated every hour by an alarm.
-
- - When the server receives a connection, it forks, disables the
- regeneration alarm, and starts communicating with the client.
- They first perform identification string exchange, then
- negotiate encryption, then perform authentication, preparatory
- operations, and finally the server enters the normal session
- mode by calling server_loop in serverloop.c. This does the real
- work, calling functions in other modules.
-
- - The code for the server is in sshd.c. It contains a lot of
- stuff, including:
- - server main program
- - waiting for connections
- - processing new connection
- - authentication
- - preparatory operations
- - building up the execution environment for the user program
- - starting the user program.
-
- Auxiliary files
-
- - There are several other files in the distribution that contain
- various auxiliary routines:
- ssh.h the main header file for ssh (various definitions)
- getput.h byte-order independent storage of integers
- includes.h includes most system headers. Lots of #ifdefs.
- tildexpand.c expand tilde in file names
- uidswap.c uid-swapping
- xmalloc.c "safe" malloc routines
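Review bot: The paragraph under "The ssh client" is the part of this deleted OVERVIEW that should not be lost silently: it records that the client is suid root, that root is used only to make the connection from a privileged socket, and that any extra privileges are dropped before calling ssh_login. If the ssh sources stay in the tree after this change, move that statement of the privilege boundary, together with the note that the server key is regenerated every hour by an alarm, into comments next to the code in ssh.c and sshd.c, or say in the commit message where it is documented now. If the sources are removed in the same change, say so in the commit message so this is not read as a documentation-only cleanup.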
diff --git a/usr/src/cmd/ssh/doc/README b/usr/src/cmd/ssh/doc/README
deleted file mode 100644
index f94e2ed1c5..0000000000
--- a/usr/src/cmd/ssh/doc/README
+++ /dev/null
@@ -1,70 +0,0 @@
-[ A Japanese translation of this document is available at
-[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html
-[ Thanks to HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
-
-******* IMPORTANT
-* On systmes which lack a /dev/random driver, version of this port
-* prior to 1.2.2 were not correctly seeding OpenSSL's random number
-* pool. This resulted in lower quality RSA keys being generated. If
-* you generated host or user keys with v1.2.2 or previous versions,
-* please generate new ones using a more recent version.
-
-This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
-Unices.
-
-OpenSSH is based on the last free version of Tatu Ylonen's SSH with
-all patent-encumbered algorithms removed (to external libraries), all
-known security bugs fixed, new features reintroduced and many other
-clean-ups. More information about SSH itself can be found in the file
-README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
-Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. It has a
-homepage at http://www.openssh.com/
-
-This port consists of the re-introduction of autoconf support, PAM
-support (for Linux and Solaris), EGD[1] support and replacements for
-OpenBSD library functions that are (regrettably) absent from other
-unices. This port has been best tested on Linux, Solaris, HPUX, NetBSD
-and Irix. Support for AIX, SCO, NeXT and other Unices is underway.
-This version actively tracks changes in the OpenBSD CVS repository.
-
-The PAM support is now more functional than the popular packages of
-commercial ssh-1.2.x. It checks "account" and "session" modules for
-all logins, not just when using password authentication.
-
-OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4].
-
-There is now several mailing lists for this port of OpenSSH. Please
-refer to http://www.openssh.com/list.html for details on how to join.
-
-Please send bug reports and patches to the mailing list
-openssh-unix-dev@mindrot.org. The list is open to posting by
-unsubscribed users.
-
-If you are a citizen of the USA or another country which restricts
-export of cryptographic products, then please refrain from sending
-crypto-related code or patches to the list. We cannot accept them.
-Other code contribution are accepted, but please follow the OpenBSD
-style guidelines[5].
-
-Please refer to the INSTALL document for information on how to install
-OpenSSH on your system. There are a number of differences between this
-port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[6]
-for details and general tips.
-
-Damien Miller <djm@mindrot.org>
-
-Miscellania -
-
-This version of SSH is based upon code retrieved from the OpenBSD CVS
-repository which in turn was based on the last free
-version of SSH released by Tatu Ylonen.
-
-References -
-
-[0] http://www.openssh.com/faq.html
-[1] http://www.lothar.com/tech/crypto/
-[2] ftp://ftp.freesoftware.com/pub/infozip/zlib/
-[3] http://www.openssl.org/
-[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris)
-[5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current
-[6] http://www.openssh.com/faq.html
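Review bot: The IMPORTANT block at the top of this deleted README is a security advisory rather than general documentation: on systems lacking a /dev/random driver, older versions of the port did not seed OpenSSL's random number pool correctly, and host or user keys generated there are to be regenerated. Carry that notice into whatever release notes or upgrade guidance replaces this file instead of dropping it with the rest. When carrying it over, resolve the wording: the first sentence says versions "prior to 1.2.2" were affected, while the last asks for new keys if they were generated with "v1.2.2 or previous versions", which leaves it unclear whether 1.2.2 itself is affected.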
diff --git a/usr/src/cmd/ssh/doc/README.Ylonen b/usr/src/cmd/ssh/doc/README.Ylonen
deleted file mode 100644
index 38987b926a..0000000000
--- a/usr/src/cmd/ssh/doc/README.Ylonen
+++ /dev/null
@@ -1,567 +0,0 @@
-
-[ Please note that this file has not been updated for OpenSSH and
- covers the ssh-1.2.12 release from Dec 1995 only. ]
-
-Ssh (Secure Shell) is a program to log into another computer over a
-network, to execute commands in a remote machine, and to move files
-from one machine to another. It provides strong authentication and
-secure communications over insecure channels. It is inteded as a
-replacement for rlogin, rsh, rcp, and rdist.
-
-See the file INSTALL for installation instructions. See COPYING for
-license terms and other legal issues. See RFC for a description of
-the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh.
-
-This file has been updated to match ssh-1.2.12.
-
-
-FEATURES
-
- o Strong authentication. Closes several security holes (e.g., IP,
- routing, and DNS spoofing). New authentication methods: .rhosts
- together with RSA based host authentication, and pure RSA
- authentication.
-
- o Improved privacy. All communications are automatically and
- transparently encrypted. RSA is used for key exchange, and a
- conventional cipher (normally IDEA, DES, or triple-DES) for
- encrypting the session. Encryption is started before
- authentication, and no passwords or other information is
- transmitted in the clear. Encryption is also used to protect
- against spoofed packets.
-
- o Secure X11 sessions. The program automatically sets DISPLAY on
- the server machine, and forwards any X11 connections over the
- secure channel. Fake Xauthority information is automatically
- generated and forwarded to the remote machine; the local client
- automatically examines incoming X11 connections and replaces the
- fake authorization data with the real data (never telling the
- remote machine the real information).
-
- o Arbitrary TCP/IP ports can be redirected through the encrypted channel
- in both directions (e.g., for e-cash transactions).
-
- o No retraining needed for normal users; everything happens
- automatically, and old .rhosts files will work with strong
- authentication if administration installs host key files.
-
- o Never trusts the network. Minimal trust on the remote side of
- the connection. Minimal trust on domain name servers. Pure RSA
- authentication never trusts anything but the private key.
-
- o Client RSA-authenticates the server machine in the beginning of
- every connection to prevent trojan horses (by routing or DNS
- spoofing) and man-in-the-middle attacks, and the server
- RSA-authenticates the client machine before accepting .rhosts or
- /etc/hosts.equiv authentication (to prevent DNS, routing, or
- IP-spoofing).
-
- o Host authentication key distribution can be centrally by the
- administration, automatically when the first connection is made
- to a machine (the key obtained on the first connection will be
- recorded and used for authentication in the future), or manually
- by each user for his/her own use. The central and per-user host
- key repositories are both used and complement each other. Host
- keys can be generated centrally or automatically when the software
- is installed. Host authentication keys are typically 1024 bits.
-
- o Any user can create any number of user authentication RSA keys for
- his/her own use. Each user has a file which lists the RSA public
- keys for which proof of possession of the corresponding private
- key is accepted as authentication. User authentication keys are
- typically 1024 bits.
-
- o The server program has its own server RSA key which is
- automatically regenerated every hour. This key is never saved in
- any file. Exchanged session keys are encrypted using both the
- server key and the server host key. The purpose of the separate
- server key is to make it impossible to decipher a captured session by
- breaking into the server machine at a later time; one hour from
- the connection even the server machine cannot decipher the session
- key. The key regeneration interval is configurable. The server
- key is normally 768 bits.
-
- o An authentication agent, running in the user's laptop or local
- workstation, can be used to hold the user's RSA authentication
- keys. Ssh automatically forwards the connection to the
- authentication agent over any connections, and there is no need to
- store the RSA authentication keys on any machine in the network
- (except the user's own local machine). The authentication
- protocols never reveal the keys; they can only be used to verify
- that the user's agent has a certain key. Eventually the agent
- could rely on a smart card to perform all authentication
- computations.
-
- o The software can be installed and used (with restricted
- functionality) even without root privileges.
-
- o The client is customizable in system-wide and per-user
- configuration files. Most aspects of the client's operation can
- be configured. Different options can be specified on a per-host basis.
-
- o Automatically executes conventional rsh (after displaying a
- warning) if the server machine is not running sshd.
-
- o Optional compression of all data with gzip (including forwarded X11
- and TCP/IP port data), which may result in significant speedups on
- slow connections.
-
- o Complete replacement for rlogin, rsh, and rcp.
-
-
-WHY TO USE SECURE SHELL
-
-Currently, almost all communications in computer networks are done
-without encryption. As a consequence, anyone who has access to any
-machine connected to the network can listen in on any communication.
-This is being done by hackers, curious administrators, employers,
-criminals, industrial spies, and governments. Some networks leak off
-enough electromagnetic radiation that data may be captured even from a
-distance.
-
-When you log in, your password goes in the network in plain
-text. Thus, any listener can then use your account to do any evil he
-likes. Many incidents have been encountered worldwide where crackers
-have started programs on workstations without the owners knowledge
-just to listen to the network and collect passwords. Programs for
-doing this are available on the Internet, or can be built by a
-competent programmer in a few hours.
-
-Any information that you type or is printed on your screen can be
-monitored, recorded, and analyzed. For example, an intruder who has
-penetrated a host connected to a major network can start a program
-that listens to all data flowing in the network, and whenever it
-encounters a 16-digit string, it checks if it is a valid credit card
-number (using the check digit), and saves the number plus any
-surrounding text (to catch expiration date and holder) in a file.
-When the intruder has collected a few thousand credit card numbers, he
-makes smallish mail-order purchases from a few thousand stores around
-the world, and disappears when the goods arrive but before anyone
-suspects anything.
-
-Businesses have trade secrets, patent applications in preparation,
-pricing information, subcontractor information, client data, personnel
-data, financial information, etc. Currently, anyone with access to
-the network (any machine on the network) can listen to anything that
-goes in the network, without any regard to normal access restrictions.
-
-Many companies are not aware that information can so easily be
-recovered from the network. They trust that their data is safe
-since nobody is supposed to know that there is sensitive information
-in the network, or because so much other data is transferred in the
-network. This is not a safe policy.
-
-Individual persons also have confidential information, such as
-diaries, love letters, health care documents, information about their
-personal interests and habits, professional data, job applications,
-tax reports, political documents, unpublished manuscripts, etc.
-
-One should also be aware that economical intelligence and industrial
-espionage has recently become a major priority of the intelligence
-agencies of major governments. President Clinton recently assigned
-economical espionage as the primary task of the CIA, and the French
-have repeatedly been publicly boasting about their achievements on
-this field.
-
-
-There is also another frightening aspect about the poor security of
-communications. Computer storage and analysis capability has
-increased so much that it is feasible for governments, major
-companies, and criminal organizations to automatically analyze,
-identify, classify, and file information about millions of people over
-the years. Because most of the work can be automated, the cost of
-collecting this information is getting very low.
-
-Government agencies may be able to monitor major communication
-systems, telephones, fax, computer networks, etc., and passively
-collect huge amounts of information about all people with any
-significant position in the society. Most of this information is not
-sensitive, and many people would say there is no harm in someone
-getting that information. However, the information starts to get
-sensitive when someone has enough of it. You may not mind someone
-knowing what you bought from the shop one random day, but you might
-not like someone knowing every small thing you have bought in the last
-ten years.
-
-If the government some day starts to move into a more totalitarian
-direction (one should remember that Nazi Germany was created by
-democratic elections), there is considerable danger of an ultimate
-totalitarian state. With enough information (the automatically
-collected records of an individual can be manually analyzed when the
-person becomes interesting), one can form a very detailed picture of
-the individual's interests, opinions, beliefs, habits, friends,
-lovers, weaknesses, etc. This information can be used to 1) locate
-any persons who might oppose the new system 2) use deception to
-disturb any organizations which might rise against the government 3)
-eliminate difficult individuals without anyone understanding what
-happened. Additionally, if the government can monitor communications
-too effectively, it becomes too easy to locate and eliminate any
-persons distributing information contrary to the official truth.
-
-Fighting crime and terrorism are often used as grounds for domestic
-surveillance and restricting encryption. These are good goals, but
-there is considerable danger that the surveillance data starts to get
-used for questionable purposes. I find that it is better to tolerate
-a small amount of crime in the society than to let the society become
-fully controlled. I am in favor of a fairly strong state, but the
-state must never get so strong that people become unable to spread
-contra-offical information and unable to overturn the government if it
-is bad. The danger is that when you notice that the government is
-too powerful, it is too late. Also, the real power may not be where
-the official government is.
-
-For these reasons (privacy, protecting trade secrets, and making it
-more difficult to create a totalitarian state), I think that strong
-cryptography should be integrated to the tools we use every day.
-Using it causes no harm (except for those who wish to monitor
-everything), but not using it can cause huge problems. If the society
-changes in undesirable ways, then it will be to late to start
-encrypting.
-
-Encryption has had a "military" or "classified" flavor to it. There
-are no longer any grounds for this. The military can and will use its
-own encryption; that is no excuse to prevent the civilians from
-protecting their privacy and secrets. Information on strong
-encryption is available in every major bookstore, scientific library,
-and patent office around the world, and strong encryption software is
-available in every country on the Internet.
-
-Some people would like to make it illegal to use encryption, or to
-force people to use encryption that governments can break. This
-approach offers no protection if the government turns bad. Also, the
-"bad guys" will be using true strong encryption anyway. Good
-encryption techniques are too widely known to make them disappear.
-Thus, any "key escrow encryption" or other restrictions will only help
-monitor ordinary people and petty criminals. It does not help against
-powerful criminals, terrorists, or espionage, because they will know
-how to use strong encryption anyway. (One source for internationally
-available encryption software is http://www.cs.hut.fi/crypto.)
-
-
-OVERVIEW OF SECURE SHELL
-
-The software consists of a number of programs.
-
- sshd Server program run on the server machine. This
- listens for connections from client machines, and
- whenever it receives a connection, it performs
- authentication and starts serving the client.
-
- ssh This is the client program used to log into another
- machine or to execute commands on the other machine.
- "slogin" is another name for this program.
-
- scp Securely copies files from one machine to another.
-
- ssh-keygen Used to create RSA keys (host keys and user
- authentication keys).
-
- ssh-agent Authentication agent. This can be used to hold RSA
- keys for authentication.
-
- ssh-add Used to register new keys with the agent.
-
- make-ssh-known-hosts
- Used to create the /etc/ssh_known_hosts file.
-
-
-Ssh is the program users normally use. It is started as
-
- ssh host
-
-or
-
- ssh host command
-
-The first form opens a new shell on the remote machine (after
-authentication). The latter form executes the command on the remote
-machine.
-
-When started, the ssh connects sshd on the server machine, verifies
-that the server machine really is the machine it wanted to connect,
-exchanges encryption keys (in a manner which prevents an outside
-listener from getting the keys), performs authentication using .rhosts
-and /etc/hosts.equiv, RSA authentication, or conventional password
-based authentication. The server then (normally) allocates a
-pseudo-terminal and starts an interactive shell or user program.
-
-The TERM environment variable (describing the type of the user's
-terminal) is passed from the client side to the remote side. Also,
-terminal modes will be copied from the client side to the remote side
-to preserve user preferences (e.g., the erase character).
-
-If the DISPLAY variable is set on the client side, the server will
-create a dummy X server and set DISPLAY accordingly. Any connections
-to the dummy X server will be forwarded through the secure channel,
-and will be made to the real X server from the client side. An
-arbitrary number of X programs can be started during the session, and
-starting them does not require anything special from the user. (Note
-that the user must not manually set DISPLAY, because then it would
-connect directly to the real display instead of going through the
-encrypted channel). This behavior can be disabled in the
-configuration file or by giving the -x option to the client.
-
-Arbitrary IP ports can be forwarded over the secure channel. The
-program then creates a port on one side, and whenever a connection is
-opened to this port, it will be passed over the secure channel, and a
-connection will be made from the other side to a specified host:port
-pair. Arbitrary IP forwarding must always be explicitly requested,
-and cannot be used to forward privileged ports (unless the user is
-root). It is possible to specify automatic forwards in a per-user
-configuration file, for example to make electronic cash systems work
-securely.
-
-If there is an authentication agent on the client side, connection to
-it will be automatically forwarded to the server side.
-
-For more infomation, see the manual pages ssh(1), sshd(8), scp(1),
-ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1)
-included in this distribution.
-
-
-X11 CONNECTION FORWARDING
-
-X11 forwarding serves two purposes: it is a convenience to the user
-because there is no need to set the DISPLAY variable, and it provides
-encrypted X11 connections. I cannot think of any other easy way to
-make X11 connections encrypted; modifying the X server, clients or
-libraries would require special work for each machine, vendor and
-application. Widely used IP-level encryption does not seem likely for
-several years. Thus what we have left is faking an X server on the
-same machine where the clients are run, and forwarding the connections
-to a real X server over the secure channel.
-
-X11 forwarding works as follows. The client extracts Xauthority
-information for the server. It then creates random authorization
-data, and sends the random data to the server. The server allocates
-an X11 display number, and stores the (fake) Xauthority data for this
-display. Whenever an X11 connection is opened, the server forwards
-the connection over the secure channel to the client, and the client
-parses the first packet of the X11 protocol, substitutes real
-authentication data for the fake data (if the fake data matched), and
-forwards the connection to the real X server.
-
-If the display does not have Xauthority data, the server will create a
-unix domain socket in /tmp/.X11-unix, and use the unix domain socket
-as the display. No authentication information is forwarded in this
-case. X11 connections are again forwarded over the secure channel.
-To the X server the connections appear to come from the client
-machine, and the server must have connections allowed from the local
-machine. Using authentication data is always recommended because not
-using it makes the display insecure. If XDM is used, it automatically
-generates the authentication data.
-
-One should be careful not to use "xin" or "xstart" or other similar
-scripts that explicitly set DISPLAY to start X sessions in a remote
-machine, because the connection will then not go over the secure
-channel. The recommended way to start a shell in a remote machine is
-
- xterm -e ssh host &
-
-and the recommended way to execute an X11 application in a remote
-machine is
-
- ssh -n host emacs &
-
-If you need to type a password/passphrase for the remote machine,
-
- ssh -f host emacs
-
-may be useful.
-
-
-
-RSA AUTHENTICATION
-
-RSA authentication is based on public key cryptograpy. The idea is
-that there are two encryption keys, one for encryption and another for
-decryption. It is not possible (on human timescale) to derive the
-decryption key from the encryption key. The encryption key is called
-the public key, because it can be given to anyone and it is not
-secret. The decryption key, on the other hand, is secret, and is
-called the private key.
-
-RSA authentication is based on the impossibility of deriving the
-private key from the public key. The public key is stored on the
-server machine in the user's $HOME/.ssh/authorized_keys file. The
-private key is only kept on the user's local machine, laptop, or other
-secure storage. Then the user tries to log in, the client tells the
-server the public key that the user wishes to use for authentication.
-The server then checks if this public key is admissible. If so, it
-generates a 256 bit random number, encrypts it with the public key,
-and sends the value to the client. The client then decrypts the
-number with its private key, computes a 128 bit MD5 checksum from the
-resulting data, and sends the checksum back to the server. (Only a
-checksum is sent to prevent chosen-plaintext attacks against RSA.)
-The server checks computes a checksum from the correct data,
-and compares the checksums. Authentication is accepted if the
-checksums match. (Theoretically this indicates that the client
-only probably knows the correct key, but for all practical purposes
-there is no doubt.)
-
-The RSA private key can be protected with a passphrase. The
-passphrase can be any string; it is hashed with MD5 to produce an
-encryption key for IDEA, which is used to encrypt the private part of
-the key file. With passphrase, authorization requires access to the key
-file and the passphrase. Without passphrase, authorization only
-depends on possession of the key file.
-
-RSA authentication is the most secure form of authentication supported
-by this software. It does not rely on the network, routers, domain
-name servers, or the client machine. The only thing that matters is
-access to the private key.
-
-All this, of course, depends on the security of the RSA algorithm
-itself. RSA has been widely known since about 1978, and no effective
-methods for breaking it are known if it is used properly. Care has
-been taken to avoid the well-known pitfalls. Breaking RSA is widely
-believed to be equivalent to factoring, which is a very hard
-mathematical problem that has received considerable public research.
-So far, no effective methods are known for numbers bigger than about
-512 bits. However, as computer speeds and factoring methods are
-increasing, 512 bits can no longer be considered secure. The
-factoring work is exponential, and 768 or 1024 bits are widely
-considered to be secure in the near future.
-
-
-RHOSTS AUTHENTICATION
-
-Conventional .rhosts and hosts.equiv based authentication mechanisms
-are fundamentally insecure due to IP, DNS (domain name server) and
-routing spoofing attacks. Additionally this authentication method
-relies on the integrity of the client machine. These weaknesses is
-tolerable, and been known and exploited for a long time.
-
-Ssh provides an improved version of these types of authentication,
-because they are very convenient for the user (and allow easy
-transition from rsh and rlogin). It permits these types of
-authentication, but additionally requires that the client host be
-authenticated using RSA.
-
-The server has a list of host keys stored in /etc/ssh_known_host, and
-additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh
-uses the name servers to obtain the canonical name of the client host,
-looks for its public key in its known host files, and requires the
-client to prove that it knows the private host key. This prevents IP
-and routing spoofing attacks (as long as the client machine private
-host key has not been compromized), but is still vulnerable to DNS
-attacks (to a limited extent), and relies on the integrity of the
-client machine as to who is requesting to log in. This prevents
-outsiders from attacking, but does not protect against very powerful
-attackers. If maximal security is desired, only RSA authentication
-should be used.
-
-It is possible to enable conventional .rhosts and /etc/hosts.equiv
-authentication (without host authentication) at compile time by giving
-the option --with-rhosts to configure. However, this is not
-recommended, and is not done by default.
-
-These weaknesses are present in rsh and rlogin. No improvement in
-security will be obtained unless rlogin and rsh are completely
-disabled (commented out in /etc/inetd.conf). This is highly
-recommended.
-
-
-WEAKEST LINKS IN SECURITY
-
-One should understand that while this software may provide
-cryptographically secure communications, it may be easy to
-monitor the communications at their endpoints.
-
-Basically, anyone with root access on the local machine on which you
-are running the software may be able to do anything. Anyone with root
-access on the server machine may be able to monitor your
-communications, and a very talented root user might even be able to
-send his/her own requests to your authentication agent.
-
-One should also be aware that computers send out electromagnetic
-radition that can sometimes be picked up hundreds of meters away.
-Your keyboard is particularly easy to listen to. The image on your
-monitor might also be seen on another monitor in a van parked behind
-your house.
-
-Beware that unwanted visitors might come to your home or office and
-use your machine while you are away. They might also make
-modifications or install bugs in your hardware or software.
-
-Beware that the most effective way for someone to decrypt your data
-may be with a rubber hose.
-
-
-LEGAL ISSUES
-
-As far as I am concerned, anyone is permitted to use this software
-freely. However, see the file COPYING for detailed copying,
-licensing, and distribution information.
-
-In some countries, particularly France, Russia, Iraq, and Pakistan,
-it may be illegal to use any encryption at all without a special
-permit, and the rumor has it that you cannot get a permit for any
-strong encryption.
-
-This software may be freely imported into the United States; however,
-the United States Government may consider re-exporting it a criminal
-offence.
-
-Note that any information and cryptographic algorithms used in this
-software are publicly available on the Internet and at any major
-bookstore, scientific library, or patent office worldwide.
-
-THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file
-COPYING for more information.
-
-
-MAILING LISTS AND OTHER INFORMATION
-
-There is a mailing list for ossh. It is ossh@sics.se. If you would
-like to join, send a message to majordomo@sics.se with "subscribe
-ssh" in body.
-
-The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an
-archive of the mailing list, and detailed information about new
-releases, mailing lists, and other relevant issues.
-
-Bug reports should be sent to ossh-bugs@sics.se.
-
-
-ABOUT THE AUTHOR
-
-This software was written by Tatu Ylonen <ylo@cs.hut.fi>. I work as a
-researcher at Helsinki University of Technology, Finland. For more
-information, see http://www.cs.hut.fi/~ylo/. My PGP public key is
-available via finger from ylo@cs.hut.fi and from the key servers. I
-prefer PGP encrypted mail.
-
-The author can be contacted via ordinary mail at
- Tatu Ylonen
- Helsinki University of Technology
- Otakaari 1
- FIN-02150 ESPOO
- Finland
-
- Fax. +358-0-4513293
-
-
-ACKNOWLEDGEMENTS
-
-I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for
-their help and comments in the design, implementation and porting of
-this software. I also thank numerous contributors, including but not
-limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane
-Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome
-Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson,
-Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar
-Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald
-McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan
-O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz
-Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and
-Cristophe Wolfhugel.
-
-Thanks also go to Philip Zimmermann, whose PGP software and the
-associated legal battle provided inspiration, motivation, and many
-useful techniques, and to Bruce Schneier whose book Applied
-Cryptography has done a great service in widely distributing knowledge
-about cryptographic methods.
-
-
-Copyright (c) 1995 Tatu Ylonen, Espoo, Finland.
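Review bot: the end of this hunk deletes the author attribution, the acknowledgements list and the closing line "Copyright (c) 1995 Tatu Ylonen, Espoo, Finland." without saying where that notice lives afterwards. The removed text also sends readers to the file COPYING for copying, licensing and distribution terms. Please state in the commit message that the copyright and licence notices still ship with the ssh sources, or that the sources themselves are being removed, before dropping this file.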
diff --git a/usr/src/cmd/ssh/doc/WARNING.RNG b/usr/src/cmd/ssh/doc/WARNING.RNG
deleted file mode 100644
index 21f4901c98..0000000000
--- a/usr/src/cmd/ssh/doc/WARNING.RNG
+++ /dev/null
@@ -1,79 +0,0 @@
-This document contains a description of portable OpenSSH's random
-number collection code. An alternate reading of this text could
-well be titled "Why I should pressure my system vendor to supply
-/dev/random in their OS".
-
-Why is this important? OpenSSH depends on good, unpredictable numbers
-for generating keys, performing digital signatures and forming
-cryptographic challenges. If the random numbers that it uses are
-predictable, then the strength of the whole system is compromised.
-
-A particularly pernicious problem arises with DSA keys (used by the
-ssh2 protocol). Performing a DSA signature (which is required for
-authentication), entails the use of a 160 bit random number. If an
-attacker can predict this number, then they can deduce your *private*
-key and impersonate you or your hosts.
-
-If you are using the builtin random number support (configure will
-tell you if this is the case), then read this document in its entirety.
-
-Please also request that your OS vendor provides a kernel-based random
-number collector (/dev/random) in future versions of your operating
-systems by default.
-
-On to the description...
-
-The portable OpenSSH contains random number collection support for
-systems which lack a kernel entropy pool (/dev/random).
-
-This collector operates by executing the programs listed in
-($etcdir)/ssh_prng_cmds, reading their output and adding it to the
-PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
-output of several system calls and timings from the execution of the
-programs that it runs.
-
-The ssh_prng_cmds file also specifies a 'rate' for each program. This
-represents the number of bits of randomness per byte of output from
-the specified program.
-
-The random number code will also read and save a seed file to
-~/.ssh/prng_seed. This contents of this file are added to the random
-number generator at startup. The goal here is to maintain as much
-randomness between sessions as possible.
-
-The entropy collection code has two main problems:
-
-1. It is slow.
-
-Executing each program in the list can take a large amount of time,
-especially on slower machines. Additionally some program can take a
-disproportionate time to execute.
-
-This can be tuned by the administrator. To debug the entropy
-collection is great detail, turn on full debugging ("ssh -v -v -v" or
-"sshd -d -d -d"). This will list each program as it is executed, how
-long it took to execute, its exit status and whether and how much data
-it generated. You can the find the culprit programs which are causing
-the real slow-downs.
-
-The entropy collector will timeout programs which take too long
-to execute, the actual timeout used can be adjusted with the
---with-entropy-timeout configure option. OpenSSH will not try to
-re-execute programs which have not been found, have had a non-zero
-exit status or have timed out more than a couple of times.
-
-2. Estimating the real 'rate' of program outputs is non-trivial
-
-The shear volume of the task is problematic: there are currently
-around 50 commands in the ssh_prng_cmds list, portable OpenSSH
-supports at least 12 different OSs. That is already 600 sets of data
-to be analysed, without taking into account the numerous differences
-between versions of each OS.
-
-On top of this, the different commands can produce varying amounts of
-usable data depending on how busy the machine is, how long it has been
-up and various other factors.
-
-To make matters even more complex, some of the commands are reporting
-largely the same data as other commands (eg. the various "ps" calls).
-
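Review bot: dropping WARNING.RNG is only safe if the builtin entropy collector it describes is no longer built. The text itself says "configure will tell you if this is the case", so the commit message should name the random source this tree uses. If the ssh_prng_cmds collector or the ~/.ssh/prng_seed seed file can still be in use, keep at least the paragraph on DSA signatures (a predictable 160 bit number lets an attacker deduce the private key), because that is the risk an administrator on such a system needs to see.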
diff --git a/usr/src/cmd/ssh/doc/nchan.ms b/usr/src/cmd/ssh/doc/nchan.ms
deleted file mode 100644
index 1679d39f30..0000000000
--- a/usr/src/cmd/ssh/doc/nchan.ms
+++ /dev/null
@@ -1,97 +0,0 @@
-.\"
-.\" Copyright (c) 1999 Markus Friedl. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.TL
-OpenSSH Channel Close Protocol 1.5 Implementation
-.SH
-Channel Input State Diagram
-.PS
-reset
-l=1
-s=1.2
-ellipsewid=s*ellipsewid
-boxwid=s*boxwid
-ellipseht=s*ellipseht
-S1: ellipse "INPUT" "OPEN"
-move right 2*l from last ellipse.e
-S4: ellipse "INPUT" "CLOSED"
-move down l from last ellipse.s
-S3: ellipse "INPUT" "WAIT" "OCLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "INPUT" "WAIT" "DRAIN"
-arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
-arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
-arrow from S1.s to S2.n
-box invis "read_failed/" "shutdown_read" with .e at last arrow.c
-arrow from S3.n to S4.s
-box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-arrow from S2.ne to S4.sw
-box invis "rcvd OCLOSE/ " with .e at last arrow.c
-box invis " send IEOF" with .w at last arrow.c
-.PE
-.SH
-Channel Output State Diagram
-.PS
-S1: ellipse "OUTPUT" "OPEN"
-move right 2*l from last ellipse.e
-S3: ellipse "OUTPUT" "WAIT" "IEOF"
-move down l from last ellipse.s
-S4: ellipse "OUTPUT" "CLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "OUTPUT" "WAIT" "DRAIN"
-arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
-arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
-arrow from S1.s to S2.n
-box invis "rcvd IEOF/" "-" with .e at last arrow.c
-arrow from S3.s to S4.n
-box invis "rcvd IEOF/" "-" with .w at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-.PE
-.SH
-Notes
-.PP
-The input buffer is filled with data from the socket
-(the socket represents the local consumer/producer of the
-forwarded channel).
-The data is then sent over the INPUT-end (transmit-end) of the channel to the
-remote peer.
-Data sent by the peer is received on the OUTPUT-end (receive-end),
-saved in the output buffer and written to the socket.
-.PP
-If the local protocol instance has forwarded all data on the
-INPUT-end of the channel, it sends an IEOF message to the peer.
-If the peer receives the IEOF and has consumed all
-data he replies with an OCLOSE.
-When the local instance receives the OCLOSE
-he considers the INPUT-half of the channel closed.
-The peer has his OUTOUT-half closed.
-.PP
-A channel can be deallocated by a protocol instance
-if both the INPUT- and the OUTOUT-half on his
-side of the channel are closed.
-Note that when an instance is unable to consume the
-received data, he is permitted to send an OCLOSE
-before the matching IEOF is received.
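Review bot: the Notes section at the end of this hunk is documentation that is lost with the file. It describes the protocol 1.5 close handshake (IEOF answered by OCLOSE, deallocation once both the INPUT- and the OUTPUT-half are closed) and, in its last sentence, the exception that an instance unable to consume received data may send OCLOSE before the matching IEOF is received. If the channel code implementing these states stays in the tree, move that exception and the transition labels from the two state diagrams into a comment next to the implementation.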
diff --git a/usr/src/cmd/ssh/doc/nchan2.ms b/usr/src/cmd/ssh/doc/nchan2.ms
deleted file mode 100644
index 1b119d1353..0000000000
--- a/usr/src/cmd/ssh/doc/nchan2.ms
+++ /dev/null
@@ -1,64 +0,0 @@
-.TL
-OpenSSH Channel Close Protocol 2.0 Implementation
-.SH
-Channel Input State Diagram
-.PS
-reset
-l=1
-s=1.2
-ellipsewid=s*ellipsewid
-boxwid=s*boxwid
-ellipseht=s*ellipseht
-S1: ellipse "INPUT" "OPEN"
-move right 2*l from last ellipse.e
-S3: ellipse invis
-move down l from last ellipse.s
-S4: ellipse "INPUT" "CLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "INPUT" "WAIT" "DRAIN"
-arrow from S1.e to S4.n
-box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
-arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
-arrow from S1.s to S2.n
-box invis "read_failed/" "shutdown_read" with .e at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-.PE
-.SH
-Channel Output State Diagram
-.PS
-S1: ellipse "OUTPUT" "OPEN"
-move right 2*l from last ellipse.e
-S3: ellipse invis
-move down l from last ellipse.s
-S4: ellipse "OUTPUT" "CLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "OUTPUT" "WAIT" "DRAIN"
-arrow from S1.e to S4.n
-box invis "write_failed/" "shutdown_write" with .sw at last arrow.c
-arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
-arrow from S1.s to S2.n
-box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-.PE
-.SH
-Notes
-.PP
-The input buffer is filled with data from the socket
-(the socket represents the local consumer/producer of the
-forwarded channel).
-The data is then sent over the INPUT-end (transmit-end) of the channel to the
-remote peer.
-Data sent by the peer is received on the OUTPUT-end (receive-end),
-saved in the output buffer and written to the socket.
-.PP
-If the local protocol instance has forwarded all data on the
-INPUT-end of the channel, it sends an EOF message to the peer.
-.PP
-A CLOSE message is sent to the peer if
-both the INPUT- and the OUTOUT-half of the local
-end of the channel are closed.
-.PP
-The channel can be deallocated by a protocol instance
-if a CLOSE message he been both sent and received.
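Review bot: the last two paragraphs of this hunk state the protocol 2.0 channel lifetime rule, and the deletion leaves no pointer to where it is documented afterwards. The rule is that CLOSE is sent when both the INPUT- and the OUTPUT-half of the local end are closed, and the channel can be deallocated when a CLOSE has been both sent and received. Anyone auditing channel teardown needs that condition, so if the 2.0 channel code remains, record it as a comment there or name the replacement documentation in the commit message.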