Vendor import of OpenSSH 4.0p1.

1 files changed, 668 insertions, 1 deletions

diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 2292ffb..046e32e 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,670 @@
+20050309
+ - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
+   so that regress tests behave.  From Chris Adams.
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2005/03/07 23:41:54
+     [ssh.1 ssh_config.5]
+     more macro simplification;
+   - djm@cvs.openbsd.org 2005/03/08 23:49:48
+     [version.h]
+     OpenSSH 4.0
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
+   [contrib/suse/openssh.spec] Update spec file versions
+ - (djm) [log.c] Fix dumb syntax error; ok dtucker@
+ - (djm) Release OpenSSH 4.0p1
+
+20050307
+ - (dtucker) [configure.ac] Disable gettext search when configuring with
+   BSM audit support for the time being.  ok djm@
+ - (dtucker) OpenBSD CVS Sync (regress/)
+   - fgsch@cvs.openbsd.org 2004/12/10 01:31:30
+     [Makefile sftp-glob.sh]
+     some globbing regress; prompted and ok djm@
+   - david@cvs.openbsd.org 2005/01/14 04:21:18
+     [Makefile test-exec.sh]
+     pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@
+   - dtucker@cvs.openbsd.org 2005/02/27 11:33:30
+     [multiplex.sh test-exec.sh sshd-log-wrapper.sh]
+     Add optional capability to log output from regress commands; ok markus@
+     Use with: make TEST_SSH_LOGFILE=/tmp/regress.log
+   - djm@cvs.openbsd.org 2005/02/27 23:13:36
+     [login-timeout.sh]
+     avoid nameservice lookups in regress test; ok dtucker@
+   - djm@cvs.openbsd.org 2005/03/04 08:48:46
+     [Makefile envpass.sh]
+     regress test for SendEnv config parsing bug; ok dtucker@
+ - (dtucker) [regress/test-exec.sh] Put SUDO in the right place.
+ - (tim) [configure.ac] SCO 3.2v4.2 no longer supported.
+
+20050306
+ - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor
+   when attempting to audit disconnect events.  Reported by Phil Dibowitz.
+ - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit
+   events earlier, prevents mm_request_send errors reported by Matt Goebel.
+
+20050305
+ - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch 
+   from vinschen at redhat.com
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2005/03/02 11:45:01
+     [ssh.1]
+     missing word;
+   - djm@cvs.openbsd.org 2005/03/04 08:48:06
+     [readconf.c]
+     fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@
+
+20050302
+ - (djm) OpenBSD CVS sync:
+   - jmc@cvs.openbsd.org 2005/03/01 14:47:58
+     [ssh.1]
+     remove some unneccesary macros;
+     do not mark up punctuation;
+   - jmc@cvs.openbsd.org 2005/03/01 14:55:23
+     [ssh_config.5]
+     do not mark up punctuation;
+     whitespace;
+   - jmc@cvs.openbsd.org 2005/03/01 14:59:49
+     [sshd.8]
+     new sentence, new line;
+     whitespace;
+   - jmc@cvs.openbsd.org 2005/03/01 15:05:00
+     [ssh-keygen.1]
+     whitespace;
+   - jmc@cvs.openbsd.org 2005/03/01 15:47:14
+     [ssh-keyscan.1 ssh-keyscan.c]
+     sort options and sync usage();
+   - jmc@cvs.openbsd.org 2005/03/01 17:19:35
+     [scp.1 sftp.1]
+     add HashKnownHosts to -o list;
+     ok markus@
+   - jmc@cvs.openbsd.org 2005/03/01 17:22:06
+     [ssh.c]
+     sync usage() w/ man SYNOPSIS;
+     ok markus@
+   - jmc@cvs.openbsd.org 2005/03/01 17:32:19
+     [ssh-add.1]
+     sort options;
+   - jmc@cvs.openbsd.org 2005/03/01 18:15:56
+     [ssh-keygen.1]
+     sort options (no attempt made at synopsis clean up though);
+     spelling (occurance -> occurrence);
+     use prompt before examples;
+     grammar;
+   - djm@cvs.openbsd.org 2005/03/02 01:00:06
+     [sshconnect.c]
+     fix addition of new hashed hostnames when CheckHostIP=yes;
+     found and ok dtucker@
+   - djm@cvs.openbsd.org 2005/03/02 01:27:41
+     [ssh-keygen.c]
+     ignore hostnames with metachars when hashing; ok deraadt@
+   - djm@cvs.openbsd.org 2005/03/02 02:21:07
+     [ssh.1]
+     bz#987: mention ForwardX11Trusted in ssh.1,
+     reported by andrew.benham AT thus.net; ok deraadt@
+ - (tim) [regress/agent-ptrace.sh] add another possible gdb error.
+
+20050301
+ - (djm) OpenBSD CVS sync:
+   - otto@cvs.openbsd.org 2005/02/16 09:56:44
+     [ssh.c]
+     Better diagnostic if an identity file is not accesible. ok markus@ djm@
+   - djm@cvs.openbsd.org 2005/02/18 03:05:53
+     [canohost.c]
+     better error messages for getnameinfo failures; ok dtucker@
+   - djm@cvs.openbsd.org 2005/02/20 22:59:06
+     [sftp.c]
+     turn on ssh batch mode when in sftp batch mode, patch from 
+     jdmossh AT nand.net;
+     ok markus@
+   - jmc@cvs.openbsd.org 2005/02/25 10:55:13
+     [sshd.8]
+     add /etc/motd and $HOME/.hushlogin to FILES;
+     from michael knudsen;
+   - djm@cvs.openbsd.org 2005/02/28 00:54:10
+     [ssh_config.5]
+     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
+     orion AT cora.nwra.com; ok markus@
+   - djm@cvs.openbsd.org 2005/03/01 10:09:52
+     [auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
+     [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
+     [sshd_config.5]
+     bz#413: allow optional specification of bind address for port forwardings.
+     Patch originally by Dan Astorian, but worked on by several people
+     Adds GatewayPorts=clientspecified option on server to allow remote 
+     forwards to bind to client-specified ports.
+   - djm@cvs.openbsd.org 2005/03/01 10:40:27
+     [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5]
+     [sshconnect.c sshd.8]
+     add support for hashing host names and addresses added to known_hosts
+     files, to improve privacy of which hosts user have been visiting; ok 
+     markus@ deraadt@
+   - djm@cvs.openbsd.org 2005/03/01 10:41:28
+     [ssh-keyscan.1 ssh-keyscan.c]
+     option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@
+   - djm@cvs.openbsd.org 2005/03/01 10:42:49
+     [ssh-keygen.1 ssh-keygen.c ssh_config.5]
+     add tools for managing known_hosts files with hashed hostnames, including
+     hashing existing files and deleting hosts by name; ok markus@ deraadt@
+
+20050226
+ - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
+   Remove two obsolete Cygwin #ifdefs.  Patch from vinschen at redhat.com.
+ - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}]
+   Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any
+   more.  Patch from vinschen at redhat.com.
+ - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the
+   binaries without the config files.  Primarily useful for packaging.
+   Patch from phil at usc.edu.  ok djm@
+
+20050224
+ - (djm) [configure.ac] in_addr_t test needs sys/types.h too
+
+20050222
+ - (dtucker) [uidswap.c] Skip uid restore test on Cygwin.  Patch from
+   vinschen at redhat.com.
+
+20050220
+ - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
+   defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support.  Configure
+   --with-audit=bsm to enable.  Patch originally from Sun Microsystems,
+   parts by John R. Jackson.  ok djm@
+ - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes
+   unrelated platforms to be configured incorrectly.
+
+20050216
+ - (djm) write seed to temporary file and atomically rename into place; 
+   ok dtucker@
+ - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called
+   via mkstemp in some configurations.  ok djm@
+ - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined
+   by the system headers.
+ - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
+   Unix; prevents problems relating to the location of -lresolv in the
+   link order.
+ - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
+   authentication early enough to be available to PAM session modules when
+   privsep=yes.  Patch from deengert at anl.gov, ok'ed in principle by Sam
+   Hartman and similar to Debian's ssh-krb5 package.
+ - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more
+   compiler warnings on AIX.
+
+20050215
+ - (dtucker) [config.sh.in] Collect oslevel -r too.
+ - (dtucker) [README.platform auth.c configure.ac loginrec.c
+   openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
+   on AIX where possible (see README.platform for details) and work around
+   a misfeature of AIX's getnameinfo.  ok djm@
+ - (dtucker) [loginrec.c] Add missing #include.
+
+20050211
+ - (dtucker) [configure.ac] Tidy up configure --help output.
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too.
+
+20050210
+ - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the
+   --disable-etc-default-login configure option.
+
+20050209
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2005/01/28 09:45:53
+     [ssh_config]
+     Make it clear that the example entries in ssh_config are only some of the
+     commonly-used options and refer the user to ssh_config(5) for more
+     details; ok djm@
+   - jmc@cvs.openbsd.org 2005/01/28 15:05:43
+     [ssh_config.5]
+     grammar;
+   - jmc@cvs.openbsd.org 2005/01/28 18:14:09
+     [ssh_config.5]
+     wording;
+     ok markus@
+   - dtucker@cvs.openbsd.org 2005/01/30 11:18:08
+     [monitor.c]
+     Make code match intent; ok djm@
+   - dtucker@cvs.openbsd.org 2005/02/08 22:24:57
+     [sshd.c]
+     Provide reason in error message if getnameinfo fails; ok markus@
+ - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call
+   disable_forwarding() from compat library. Prevent linker errrors trying
+   to resolve it for binaries other than sshd.  ok djm@
+ - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir
+   paths.  ok djm@
+ - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require
+   the username to be passed to the passwd command when changing expired
+   passwords.  ok djm@
+
+20050208
+ - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
+   regress tests so newer versions of GNU head(1) behave themselves.  Patch
+   by djm, so ok me.
+ - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings.
+ - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
+   monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
+   defines and enums with SSH_ to prevent namespace collisions on some
+   platforms (eg AIX).
+
+20050204
+ - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too.
+ - (dtucker) [auth.c] Fix parens in audit log check.
+
+20050202
+ - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath
+   rev 1.11 from OpenBSD and make it use fchdir if available.  ok djm@
+ - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
+   Make record_failed_login() call provide hostname rather than having the
+   implementations having to do lookups themselves.  Only affects AIX and
+   UNICOS (the latter only uses the "user" parameter anyway).  ok djm@
+ - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child
+   the process.  Since we also unset KRB5CCNAME at startup, if it's set after
+   authentication it must have been set by the platform's native auth system.
+   This was already done for AIX; this enables it for the general case.
+ - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
+   Bug #974: Teach sshd to write failed login records to btmp for failed auth
+   attempts (currently only for password, kbdint and C/R, only on Linux and
+   HP-UX), based on code from login.c from util-linux. With ashok_kovai at
+   hotmail.com, ok djm@
+ - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
+   monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
+   (first stage) Add audit instrumentation to sshd, currently disabled by
+   default.  with suggestions from and ok djm@
+
+20050201
+ - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
+   platforms syslog will revert to its default values.  This may result in
+   messages from external libraries (eg libwrap) being sent to a different
+   facility.
+ - (dtucker) [sshd_config.5] Bug #701: remove warning about
+   keyboard-interactive since this is no longer the case.
+
+20050124
+ - (dtucker) OpenBSD CVS Sync
+   - otto@cvs.openbsd.org 2005/01/21 08:32:02
+     [auth-passwd.c sshd.c]
+     Warn in advance for password and account expiry; initialize loginmsg
+     buffer earlier and clear it after privsep fork. ok and help dtucker@
+     markus@
+   - dtucker@cvs.openbsd.org 2005/01/22 08:17:59
+     [auth.c]
+     Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
+     DenyGroups.  bz #909, ok djm@
+   - djm@cvs.openbsd.org 2005/01/23 10:18:12
+     [cipher.c]
+     config option "Ciphers" should be case-sensitive; ok dtucker@
+   - dtucker@cvs.openbsd.org 2005/01/24 10:22:06
+     [scp.c sftp.c]
+     Have scp and sftp wait for the spawned ssh to exit before they exit
+     themselves.  This prevents ssh from being unable to restore terminal
+     modes (not normally a problem on OpenBSD but common with -Portable
+     on POSIX platforms).  From peak at argo.troja.mff.cuni.cz (bz#950);
+     ok djm@ markus@
+   - dtucker@cvs.openbsd.org 2005/01/24 10:29:06
+     [moduli]
+     Import new moduli; requested by deraadt@ a week ago
+   - dtucker@cvs.openbsd.org 2005/01/24 11:47:13
+     [auth-passwd.c]
+     #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
+
+20050120
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2004/12/23 17:35:48
+     [session.c]
+     check for NULL; from mpech
+   - markus@cvs.openbsd.org 2004/12/23 17:38:07
+     [ssh-keygen.c]
+     leak; from mpech
+   - djm@cvs.openbsd.org 2004/12/23 23:11:00
+     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+     bz #898: support AddressFamily in sshd_config. from
+     peak@argo.troja.mff.cuni.cz; ok deraadt@
+   - markus@cvs.openbsd.org 2005/01/05 08:51:32
+     [sshconnect.c]
+     remove dead code, log connect() failures with level error, ok djm@
+   - jmc@cvs.openbsd.org 2005/01/08 00:41:19
+     [sshd_config.5]
+     `login'(n) -> `log in'(v);
+   - dtucker@cvs.openbsd.org 2005/01/17 03:25:46
+     [moduli.c]
+     Correct spelling: SCHNOOR->SCHNORR; ok djm@
+   - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
+     [sshd.c]
+     Make debugging output continue after reexec; ok djm@
+   - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
+     [auth-bsdauth.c auth2-chall.c]
+     Have keyboard-interactive code call the drivers even for responses for
+     invalid logins.  This allows the drivers themselves to decide how to
+     handle them and prevent leaking information where possible.  Existing
+     behaviour for bsdauth is maintained by checking authctxt->valid in the
+     bsdauth driver.  Note that any third-party kbdint drivers will now need
+     to be able to handle responses for invalid logins.  ok markus@
+   - djm@cvs.openbsd.org 2004/12/22 02:13:19
+     [cipher-ctr.c cipher.c]
+     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
+     many years now; ok deraadt@
+     (Id sync only: Portable will continue to support older OpenSSLs)
+ - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
+   existence via keyboard-interactive/pam, in conjunction with previous
+   auth2-chall.c change; with Colin Watson and djm.
+ - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
+   bytes to prevent errors from login_init_entry() when the username is
+   exactly 64 bytes(!) long.  From brhamon at cisco.com, ok djm@
+ - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
+   the list of available kbdint devices if UsePAM=no.  ok djm@
+
+20050118
+ - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
+   "make survey" and "make send-survey".  This will provide data on the
+   configure parameters, platform and platform features to the development
+   team, which will allow (among other things) better targetting of testing.
+   It's entirely voluntary and is off be default. ok djm@
+ - (dtucker) [survey.sh.in] Remove any blank lines from the output of
+   ccver-v and ccver-V.
+
+20041220
+ - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
+   from prngd is enabled at compile time but fails at run time, eg because
+   prngd is not running.  Note that if you have prngd running when OpenSSH is
+   built, OpenSSL will consider itself internally seeded and rand-helper won't
+   be built at all unless explicitly enabled via --with-rand-helper.  ok djm@
+ - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
+   on some wacky platforms (eg old AIXes), dd will refuse to create an output
+   file if it doesn't exist.
+
+20041213
+ - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from
+   amarendra.godbole at ge com.
+
+20041211
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2004/12/06 16:00:43
+     [bufaux.c]
+     use 0x00 not \0 since buf[] is a bignum
+   - fgsch@cvs.openbsd.org 2004/12/10 03:10:42
+     [sftp.c]
+     - fix globbed ls for paths the same lenght as the globbed path when
+       we have a unique matching.
+     - fix globbed ls in case of a directory when we have a unique matching.
+     - as a side effect, if the path does not exist error (used to silently
+       ignore).
+     - don't do extra do_lstat() if we only have one matching file.
+     djm@ ok
+   - dtucker@cvs.openbsd.org 2004/12/11 01:48:56
+     [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
+     Fix debug call in error path of authorized_keys processing and fix related
+     warnings; ok djm@
+
+20041208
+ - (tim) [configure.ac] Comment some non obvious platforms in the
+ target-specific case statement. Suggested and OK by dtucker@
+
+20041207
+ - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test.
+
+20041206
+ - (dtucker) [TODO WARNING.RNG] Update to reflect current reality.  ok djm@
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2004/11/25 22:22:14
+     [sftp-client.c sftp.c]
+     leak; from mpech
+   - jmc@cvs.openbsd.org 2004/11/29 00:05:17
+     [sftp.1]
+     missing full stop;
+   - djm@cvs.openbsd.org 2004/11/29 07:41:24
+     [sftp-client.h sftp.c]
+     Some small fixes from moritz@jodeit.org. ok deraadt@
+   - jaredy@cvs.openbsd.org 2004/12/05 23:55:07
+     [sftp.1]
+     - explain that patterns can be used as arguments in get/put/ls/etc
+       commands (prodded by Michael Knudsen)
+     - describe ls flags as a list
+     - other minor improvements
+     ok jmc, djm
+   - dtucker@cvs.openbsd.org 2004/12/06 11:41:03
+     [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
+     Discard over-length authorized_keys entries rather than complaining when
+     they don't decode.  bz #884, with & ok djm@
+ - (dtucker) OpenBSD CVS Sync (regress/)
+   - djm@cvs.openbsd.org 2004/06/26 06:16:07
+     [reexec.sh]
+     don't change the name of the copied sshd for the reexec fallback test,
+     makes life simpler for portable
+   - dtucker@cvs.openbsd.org 2004/07/08 12:59:35
+     [scp.sh]
+     Regress test for bz #863 (scp double-error), requires $SUDO.  ok markus@
+   - david@cvs.openbsd.org 2004/07/09 19:45:43
+     [Makefile]
+     add a missing CLEANFILES used in the re-exec test
+   - djm@cvs.openbsd.org 2004/10/08 02:01:50
+     [reexec.sh]
+     shrink and tidy; ok dtucker@
+   - djm@cvs.openbsd.org 2004/10/29 23:59:22
+     [Makefile added brokenkeys.sh]
+     regression test for handling of corrupt keys in authorized_keys file
+   - djm@cvs.openbsd.org 2004/11/07 00:32:41
+     [multiplex.sh]
+     regression tests for new multiplex commands
+   - dtucker@cvs.openbsd.org 2004/11/25 09:39:27
+     [test-exec.sh]
+     Remove obsolete RhostsAuthentication from test config; ok markus@
+   - dtucker@cvs.openbsd.org 2004/12/06 10:49:56
+     [test-exec.sh]
+     Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@
+
+20041203
+ - (dtucker) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2004/11/07 17:42:36
+     [ssh.1]
+     options sort, and whitespace;
+   - jmc@cvs.openbsd.org 2004/11/07 17:57:30
+     [ssh.c]
+     usage():
+     - add -O
+     - sync -S w/ manpage
+     - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+   subsequently denied by the PAM auth stack, send the PAM message to the
+   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+   ok djm@
+
+20041107
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2004/11/05 12:19:56
+     [sftp.c]
+     command editing and history support via libedit; ok markus@
+     thanks to hshoexer@ and many testers on tech@ too
+   - djm@cvs.openbsd.org 2004/11/07 00:01:46
+     [clientloop.c clientloop.h ssh.1 ssh.c]
+     add basic control of a running multiplex master connection; including the
+     ability to check its status and request it to exit; ok markus@
+ - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure
+   option and supporting makefile bits and documentation.
+
+20041105
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2004/08/30 09:18:08
+     [LICENCE]
+     s/keygen/keyscan/
+   - jmc@cvs.openbsd.org 2004/08/30 21:22:49
+     [ssh-add.1 ssh.1]
+     .Xsession -> .xsession;
+     originally from a pr from f at obiit dot org, but missed by myself;
+     ok markus@ matthieu@
+   - djm@cvs.openbsd.org 2004/09/07 23:41:30
+     [clientloop.c ssh.c]
+     cleanup multiplex control socket on SIGHUP too, spotted by sturm@
+     ok markus@ deraadt@
+   - deraadt@cvs.openbsd.org 2004/09/15 00:46:01
+     [ssh.c]
+     /* fallthrough */ is something a programmer understands.  But
+     /* FALLTHROUGH */ is also understood by lint, so that is better.
+   - jaredy@cvs.openbsd.org 2004/09/15 03:25:41
+     [sshd_config.5]
+     mention PrintLastLog only prints last login time for interactive
+     sessions, like PrintMotd mentions.
+     From Michael Knudsen, with wording changed slightly to match the
+     PrintMotd description.
+     ok djm
+   - mickey@cvs.openbsd.org 2004/09/15 18:42:27
+     [sshd.c]
+     use less doubles in daemons; markus@ ok
+   - deraadt@cvs.openbsd.org 2004/09/15 18:46:04
+     [scp.c]
+     scratch that do { } while (0) wrapper in this case
+   - djm@cvs.openbsd.org 2004/09/23 13:00:04
+     [ssh.c]
+     correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@
+   - djm@cvs.openbsd.org 2004/09/25 03:45:14
+     [sshd.c]
+     these printf args are no longer double; ok deraadt@ markus@
+   - djm@cvs.openbsd.org 2004/10/07 10:10:24
+     [scp.1 sftp.1 ssh.1 ssh_config.5]
+     document KbdInteractiveDevices; ok markus@
+   - djm@cvs.openbsd.org 2004/10/07 10:12:36
+     [ssh-agent.c]
+     don't unlink agent socket when bind() fails, spotted by rich AT
+     rich-paul.net, ok markus@
+   - markus@cvs.openbsd.org 2004/10/20 11:48:53
+     [packet.c ssh1.h]
+     disconnect for invalid (out of range) message types.
+   - djm@cvs.openbsd.org 2004/10/29 21:47:15
+     [channels.c channels.h clientloop.c]
+     fix some window size change bugs for multiplexed connections: windows sizes
+     were not being updated if they had changed after ~^Z suspends and SIGWINCH
+     was not being processed unless the first connection had requested a tty;
+     ok markus
+   - djm@cvs.openbsd.org 2004/10/29 22:53:56
+     [clientloop.c misc.h readpass.c ssh-agent.c]
+     factor out common permission-asking code to separate function; ok markus@
+   - djm@cvs.openbsd.org 2004/10/29 23:56:17
+     [bufaux.c bufaux.h buffer.c buffer.h]
+     introduce a new buffer API that returns an error rather than fatal()ing
+     when presented with bad data; ok markus@
+   - djm@cvs.openbsd.org 2004/10/29 23:57:05
+     [key.c]
+     use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
+     files; ok markus@
+
+20041102
+ - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
+   10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__
+   only if a conflict is detected.
+
+20041019
+ - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or
+   on Cygwin.  Cygwin parts from vinschen at redhat com; ok djm@
+
+20041016
+ - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations;
+   ok dtucker@
+
+20041006
+ - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode
+   and other PAM platforms.
+ - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants
+   to void * to appease picky compilers (eg Tru64's "cc -std1").
+
+20040930
+ - (dtucker) [configure.ac] Set AC_PACKAGE_NAME.  ok djm@
+
+20040923
+ - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one,
+   which could have caused the justification to be wrong.  ok djm@
+
+20040921
+ - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too.
+   ok djm@
+ - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin
+   install process.  Patch from vinschen at redhat.com.
+
+20040912
+ - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file.
+   No change in resultant binary
+ - (djm) [loginrec.c] __func__ifiy
+ - (djm) [loginrec.c] xmalloc
+ - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol
+   banner. Suggested by deraadt@, ok mouring@, dtucker@
+ - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile.
+   Partly by & ok djm@.
+
+20040911
+ - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
+ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
+   failing PAM session modules to user then exit, similar to the way
+   /etc/nologin is handled.  ok djm@
+ - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
+ - (djm) [auth2-kbdint.c auth2-none.c  auth2-passwd.c auth2-pubkey.c] 
+   Make cygwin code more consistent with that which surrounds it
+ - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
+   Bug #892: Send messages from failing PAM account modules to the client via
+   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
+   SSH2 kbdint authentication, which need to be dealt with separately.  ok djm@
+ - (dtucker) [session.c] Bug #927: make .hushlogin silent again.  ok djm@
+ - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure.
+   Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me.  ok djm@
+ - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM.  From deengert
+   at anl.gov, ok djm@
+
+20040830
+ - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
+   copy required environment variables on Cygwin.  Patch from vinschen at
+   redhat.com, ok djm@
+ - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too.  Patch from
+   vinschen at redhat.com.
+ - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability
+   of shell constructs.  Patch from cjwatson at debian.org.
+
+20040829
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from
+   failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL.
+   From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2004/08/23 11:48:09
+     [authfile.c]
+     fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
+   - djm@cvs.openbsd.org 2004/08/23 11:48:47
+     [channels.c]
+     typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
+   - dtucker@cvs.openbsd.org 2004/08/23 14:26:38
+     [ssh-keysign.c ssh.c]
+     Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
+     change in Portable; ok markus@ (CVS ID sync only)
+   - dtucker@cvs.openbsd.org 2004/08/23 14:29:23
+     [ssh-keysign.c]
+     Remove duplicate getuid(), suggested by & ok markus@
+   - markus@cvs.openbsd.org 2004/08/26 16:00:55
+     [ssh.1 sshd.8]
+     get rid of references to rhosts authentication; with jmc@
+   - djm@cvs.openbsd.org 2004/08/28 01:01:48
+     [sshd.c]
+     don't erroneously close stdin for !reexec case, from Dave Johnson;
+     ok markus@
+ - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check,
+   fixes configure warning on Solaris reported by wknox at mitre.org.
+ - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not
+   support FD passing since multiplex requires it.  Noted by tim@
+ - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn
+   down, needed on some platforms, should be harmless on others.  Patch from
+   jason at devrandom.org.
+ - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like
+   files ending in .exe that aren't binaries; patch from vinschen at redhat.com.
+ - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree
+   builds too, from vinschen at redhat.com.
+ - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
+   too; patch from cmadams at hiwaay.net.
+ - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
+ - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
+   accounts with authentication configs that sshd can't support (ie
+   SYSTEM=NONE and AUTH1=something).
+
+20040828
+ - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
+   vinschen at redhat.com.
+
+20040823
+ - (djm) [ssh-rand-helper.c] Typo. Found by 
+   Martin.Kraemer AT Fujitsu-Siemens.com
+ - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by 
+   Martin.Kraemer AT Fujitsu-Siemens.com
+
 20040817
  - (dtucker) [regress/README.regress] Note compatibility issues with GNU head.
  - (djm) OpenBSD CVS Sync
@@ -1654,4 +2321,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3517 2004/08/17 12:50:40 djm Exp $
+$Id: ChangeLog,v 1.3707.2.1 2005/03/09 04:52:09 djm Exp $