Diffstat (limited to '')
-rw-r--r-- ChangeLog 2836
1 files changed, 1601 insertions, 1235 deletions
diff --git a/ChangeLog b/ChangeLog
index 3bbccf5..a1a5265 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,1604 @@
+commit fa41f6592ff1b6ead4a652ac75af31eabb05b912
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jul 1 14:33:26 2024 +1000
+
+ version numbers
+
+commit bfebb8a5130a792c5356bd06e1ddef72a0a0449f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jul 1 04:31:59 2024 +0000
+
+ upstream: openssh-9.8
+
+ OpenBSD-Commit-ID: 5f8b89e38a4c5f7c6d52ffa19f796d49f36fab19
+
+commit 146c420d29d055cc75c8606327a1cf8439fe3a08
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jul 1 04:31:17 2024 +0000
+
+ upstream: when sending ObscureKeystrokeTiming chaff packets, we
+
+ can't rely on channel_did_enqueue to tell that there is data to send. This
+ flag indicates that the channels code enqueued a packet on _this_ ppoll()
+ iteration, not that data was enqueued in _any_ ppoll() iteration in the
+ timeslice. ok markus@
+
+ OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+
+commit 637e4dfea4ed81264e264b6200172ce319c64ead
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jul 1 03:10:19 2024 +0000
+
+ upstream: use "lcd" to change directory before "lls" rather then "cd",
+
+ since the directory we're trying to list is local. Spotted by Corinna
+ Vinschen
+
+ OpenBSD-Regress-ID: 821feca4a4bebe491944e624c8f7f2990b891415
+
+commit c8cfe258cee0b8466ea84597bf15e1fcff3bc328
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 27 23:01:15 2024 +0000
+
+ upstream: delete obsolete comment
+
+ OpenBSD-Commit-ID: 5fb04f298ed155053f3fbfdf0c6fe7cdf84bbfa2
+
+commit 94b9d37100f6fa536aaa1d1a0e4926fe44fbf04d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 27 22:36:44 2024 +0000
+
+ upstream: retire unused API
+
+ OpenBSD-Commit-ID: 3e30d7b0615e2707f6bbe70f61b1c2f72f78161b
+
+commit 268c3a7f5783e731ed60f4e28da66ee3743581d3
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Thu Jun 27 21:02:16 2024 +0000
+
+ upstream: ssl(8) no longer contains a HISTORY section;
+
+ OpenBSD-Commit-ID: 83b7ff34433d79595e9c2a5d2a561a6660251245
+
+commit 12b6cc09ce6c430681f03af2a8069e37a664690b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jun 26 23:47:46 2024 +0000
+
+ upstream: move child process waitpid() loop out of SIGCHLD handler;
+
+ ok deraadt
+
+ OpenBSD-Commit-ID: 65815a39564e431414aed7c5ace8076f4e9ca741
+
+commit d6bcd13297c2ab8b528df5a6898f994734849031
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Wed Jun 26 23:16:52 2024 +0000
+
+ upstream: Instead of using possibly complex ssh_signal(), write all
+
+ the parts of the grace_alarm_handler() using the exact things allowed by the
+ signal-safe rules. This is a good rule of thumb: Handlers should be written
+ to either set a global volatile sig_atomic_t inspected from outside, and/or
+ directly perform only safe operations listed in our sigaction(2) manual page.
+ ok djm markus
+
+ OpenBSD-Commit-ID: 14168ae8368aab76e4ed79e17a667cb46f404ecd
+
+commit b8793e2b0851f7d71b97554fa5260b23796d6277
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Wed Jun 26 23:14:14 2024 +0000
+
+ upstream: save_errno wrappers inside two small signal handlers that
+
+ perform system calls, for systems with libc that do perform libc sigtramps.
+ ok djm markus
+
+ OpenBSD-Commit-ID: 7749b56419a7c9dcfe4c6c04811e429813346c62
+
+commit f23e9332c4c8df37465c4a4f38275ea98980ed7e
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Mon Jun 24 06:59:39 2024 +0000
+
+ upstream: - uppercase start of sentence - correct sentence grammar
+
+ ok djm
+
+ OpenBSD-Commit-ID: 1ec4b0fdb633a43667f2c8fff1d600bd647dde25
+
+commit 1839e3eb71a759aa795602c1e4196300f4ac2615
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jun 24 04:05:11 2024 +0000
+
+ upstream: mention SshdSessionPath option
+
+ OpenBSD-Commit-ID: c29734d36c21003973b15c1c9965c35f36cef30c
+
+commit 603193e32aef5db7d60c58066d5de89806e79312
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Jun 20 18:45:14 2024 +1000
+
+ Rerun upstream tests on .sh file changes too.
+
+commit dbbf9337c19381786a8e5a8a49152fe6b80c780d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Jun 20 08:23:18 2024 +0000
+
+ upstream: Work around dbclient cipher/mac query bug.
+
+ Unlike earlier versions, recent Dropbear (at least v2024.85) requires
+ a host arg when querying supported ciphers and macs via "-c/-m
+ help". Earlier versions accept but do not require it, so always
+ provide it. If these queries fail, skip the test with a warning.
+
+ OpenBSD-Regress-ID: 98eb863a3f0363416922efb273885e6b3c7f68d4
+
+commit 8de2c8cebc46bbdb94b7a2c120fcadfb66a3cccc
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Jun 20 08:18:34 2024 +0000
+
+ upstream: Remove dropbear key types not supported
+
+ by current OpenSSH. Allows subsequent test runs to work if OpenSSH is
+ rebuilt w/out OpenSSL.
+
+ OpenBSD-Regress-ID: e0129eb2b1d31771105903a8055216fbba20a770
+
+commit e9b6471c59b21e5d9ef1b3832d4bf727338add85
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 20 00:18:05 2024 +0000
+
+ upstream: stricter check for overfull tables in penalty record path
+
+ OpenBSD-Commit-ID: 7df01e648a0723418c554e64a9f2b6d38db060a6
+
+commit d9336d344eb2a1e898c5e66147b3f108c7214694
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jun 19 23:24:47 2024 +0000
+
+ upstream: put back reaping of preauth child process when writes
+
+ from the monitor fail. Not sure how this got lost in the avalanche of
+ patches.
+
+ OpenBSD-Commit-ID: eb7eb36371e1ac01050b32b70fb2b3e5d98e72f5
+
+commit 579d9adb70ec0206a788eb5c63804c31a67e9310
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Mon Jun 17 13:50:18 2024 +0000
+
+ upstream: remove one more mention of DSA
+
+ OpenBSD-Commit-ID: 8515f55a15f02836ba657df341415f63c60526ca
+
+commit 7089b5f8436ef0b8d3d3ad9ce01045fb9e7aab15
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Jun 19 23:09:05 2024 +1000
+
+ Move -f to the place needed to restart sshd.
+
+commit d5f83cfd852b14a25f347f082ab539a9454702ad
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Jun 19 21:04:01 2024 +1000
+
+ Need to supply "-f" to restart sshd.
+
+commit fad34b4ca25c0ef31e5aa841d461b6f21da5b8c1
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jun 19 10:15:51 2024 +0000
+
+ upstream: Provide defaults for ciphers and macs
+
+ if querying for them fails since on some versions of Dropbear (at least
+ v2024.85) "-m help" doesn't seem to work. Enable all supported pubkey
+ algorithms in the server.
+
+ OpenBSD-Regress-ID: 4f95556a49ee9f621789f25217c367a33d2745ca
+
+commit 5521060e35ada9f957cecdddc06d0524e75409ef
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jun 19 10:10:46 2024 +0000
+
+ upstream: Use ed25519 keys for kex tests
+
+ since that's supported by OpenSSH even when built without OpenSSL.
+ Only test diffie-hellman kex if OpenSSH is compiled with support for it.
+
+ OpenBSD-Regress-ID: a5d09ef9bbd171f9e4ec73ed0d9eeb49a8878e97
+
+commit dbd3b833f6e3815e58f2dc6e14f61a51bcd4d6bd
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jun 19 10:08:34 2024 +0000
+
+ upstream: Rework dropbear key setup
+
+ to always generate ed25519 keys, other types only if OpenSSH has support
+ for the corresponding key type.
+
+ OpenBSD-Regress-ID: 8f91f12604cddb9f8d93aa34f3f93a3f6074395d
+
+commit d6218504e11ae9148adf410fc69b0710a052be36
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Jun 19 20:20:24 2024 +1000
+
+ Restart sshd after installing it for testing.
+
+ When installing an sshd built without OpenSSL the mismatch between
+ the running sshd and newly installed sshd-session will cause the
+ remainder of the test to fail.
+
+commit 786a4465b6bb702daf4fb17b7c3bcb42b52f0b46
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Jun 18 19:59:59 2024 +1000
+
+ Remove macos-11 runner.
+
+ Github is retiring them soon.
+
+commit df1c72a55edbebac14363b57de66ac6a147ecc67
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Jun 19 09:34:34 2024 +1000
+
+ PAMServiceName may appear in a Match block
+
+commit de1c2e70e5a5dc3c8d2fe04b24cc93d8ef6930e7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Jun 18 08:11:48 2024 +0000
+
+ upstream: Re-enable ssh-dss tests
+
+ ... if ssh is compiled with DSA support
+
+ OpenBSD-Regress-ID: bbfaf8c17f2b50a2d46ac35cb97af99b990c990d
+
+commit dabc2c7cf3c141e8e5d5a1a60d6c1d2d2422cf43
+Author: anton@openbsd.org <anton@openbsd.org>
+Date: Tue Jun 18 06:14:27 2024 +0000
+
+ upstream: Stop using DSA in dropbear interop tests.
+
+ OpenBSD-Regress-ID: abfd4457d99d8cc1417fd22ca2c570270f74c1cf
+
+commit 761438012710169445acc179e3870c53c862bda0
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jun 18 12:29:45 2024 +1000
+
+ missed a bit of DSA in the fuzzer
+
+commit 3f9cc47da588e8de520720e59f98438043fdaf93
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jun 18 09:35:53 2024 +1000
+
+ DSA support is disabled, so remove from fuzzers
+
+commit 00eb95957dea5484b2c7c043f7d2bbc87301bef2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jun 17 08:30:29 2024 +0000
+
+ upstream: disable the DSA signature algorithm by default; ok
+
+ markus@
+
+ (yes, I know this expands to "the Digitial Signature Algorithm
+ signature algorithm)
+
+ OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed
+
+commit 5603befe11c9464ea26fe77cbacc95a7cc0b1ea7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jun 17 08:28:31 2024 +0000
+
+ upstream: promote connection-closed messages from verbose to info
+
+ log level; they could be the only record of the connection terminating if the
+ client doesn't send a SSH2_MSG_DISCONNECT message. ok dtucker@
+
+ OpenBSD-Commit-ID: 0c8bfaf5e9fdff945cee09ac21e641f6c5d65d3c
+
+commit b00331402fe5c60d577f3ffcc35e49286cdc6b47
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jun 17 17:02:18 2024 +1000
+
+ propagate PAM crashes to PerSourcePenalties
+
+ If the PAM subprocess crashes, exit with a crash status that will be
+ picked up by the sshd(8) listener process where it can be used by
+ PerSourcePenalties to block the client. This is similar handling to
+ the privsep preauth process.
+
+commit 1c207f456ace38987deda047758d13fbf857f948
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jun 17 15:06:01 2024 +1000
+
+ minix doesn't have loopback, so skip penalty tests
+
+ pointed out by dtucker@
+
+commit 48443d202eaec52d4d39defdd709a4499a7140c6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jun 16 11:54:49 2024 +0000
+
+ upstream: same treatment for this test
+
+ OpenBSD-Regress-ID: d0cc9efca7833e673ea7b0cb3a679a3acee8d4c7
+
+commit 45562a95ea11d328c22d97bf39401cd29684fb1f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jun 16 08:18:06 2024 +0000
+
+ upstream: penalty test is still a bit racy
+
+ OpenBSD-Regress-ID: 90c9ac224db454637baf1ebee5857e007321e824
+
+commit 8d0f7eb147ef72d18acb16c0b18672d44941a8ca
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jun 15 03:59:10 2024 +0000
+
+ upstream: crank up penalty timeouts so this should work on even the
+
+ slowest of test builders
+
+ OpenBSD-Regress-ID: 70bda39c83e3fc9d0f3c1fad4542ed33e173d468
+
+commit 93c75471a1202ab3e29db6938648d4e2602c0475
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Jun 14 05:20:34 2024 +0000
+
+ upstream: sort -q in the options list;
+
+ OpenBSD-Commit-ID: 6839b38378f38f754de638a5e988c13b4164cc7c
+
+commit dd7807bbe80a93ffb4616f2bd5cf83ad5a5595fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jun 14 05:01:22 2024 +0000
+
+ upstream: clarify KEXAlgorithms supported vs available. Inspired by
+
+ bz3701 from Colin Watson.
+
+ OpenBSD-Commit-ID: e698e69bea19bd52971d253f2b1094490c4701f7
+
+commit d172ad56df85b68316dbadbedad16761a1265874
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jun 14 05:00:42 2024 +0000
+
+ upstream: ssh-keyscan -q man bits
+
+ OpenBSD-Commit-ID: ba28d0e1ac609a4c99c453e57e86560c79079db1
+
+commit 092e4ff9ccaacbe035f286feb1b56ed499604743
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Jun 14 14:46:35 2024 +1000
+
+ skip penalty-expire test in valgrind test env
+
+commit 2866ad08a9c50d7b67ce9424ca990532b806a21a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jun 14 04:43:11 2024 +0000
+
+ upstream: split the PerSourcePenalties test in two: one tests penalty
+
+ enforcement but not penalty expiry, the other tests penalty expiry.
+
+ This lets us disable the expiry testing in certain CI test environments.
+
+ OpenBSD-Regress-ID: f56811064f3e3cb52ee73a206b8c2a06af1c8791
+
+commit b2c64bc170d75823622a37cab3ca1804ca87ad16
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Jun 14 14:19:23 2024 +1000
+
+ add a sshd_config PamServiceName option
+
+ Allows selecting which PAM service name to use when UsePAM is
+ enabled. Defaults to "sshd" unless overridden at compile time
+ by defining SSHD_PAM_SERVICE.
+
+ bz2102, ok dtucker@
+
+commit 9f032a4dd17bf0ae6066223d82aa5e784285d987
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jun 14 00:26:12 2024 +0000
+
+ upstream: don't redirect stderr for ssh-keyscan we expect to succeed
+
+ OpenBSD-Regress-ID: 8878b8eb4e070ed2e343166d3eb86db4a08a216c
+
+commit 1e84d0cf40e94ae3a77d6a7ca8c036d8e3d55a40
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jun 14 00:25:25 2024 +0000
+
+ upstream: make host/banner comments go to stderr instead of stdout,
+
+ so they are useful as comments without extra shell redirection and so they
+ don't clutter actual errors on stderr.
+
+ Add a -q flag to shut them up.
+
+ ok dtucker@
+
+ OpenBSD-Commit-ID: bec813de56a71adb5c1a76adcf49621130d24264
+
+commit 3e806d011855d6bd648ec95b9df630ebbd11c3bf
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Thu Jun 13 15:06:33 2024 +0000
+
+ upstream: separate keywords with comma
+
+ OpenBSD-Commit-ID: d65a99666202a8188c4991c18d14374a229f7be5
+
+commit abfd1f7a3cbd0a92581a0febba254b2f6649c0d9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jun 14 00:23:55 2024 +0000
+
+ upstream: specify an algorithm for ssh-keyscan, otherwise it will make
+
+ multiple attempts simultaneously and confuse the test
+
+ OpenBSD-Regress-ID: 6e910f3315c4345053db1bf5cbf61826b194d0b9
+
+commit a8fbe2f7d0d96d299ee8e69769e3b51067978748
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Jun 13 16:41:29 2024 +1000
+
+ sshd: don't use argv[0] as PAM service name
+
+ sshd would implicitly use argv[0] as the PAM service name to
+ allow people to select different PAM service names by making
+ differently-named copies/links to the sshd binary.
+
+ Splitting sshd into sshd/sshd-session broke this, as the process
+ that starts PAM is always sshd-session and the user has no control
+ over this.
+
+ Hardcode "sshd" as the default PAM service name unless/until we
+ figure out a better way. Should unbreak OSX integration tests.
+
+commit bf204bd05c3ae650f87e2b96527688579f59774c
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Jun 13 15:00:28 2024 +1000
+
+ prepare for checking in autogenerated files
+
+ We plan to check in automatically generated files (config.h.in, etc) on
+ release branches. These files are normally ignored by .gitignore, but
+ this shuffles the contents of this file to make it easy to un-ignore
+ them.
+
+commit 425f79a837489904c343b349ef00e09aeaa4e752
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Jun 13 14:41:33 2024 +1000
+
+ typo in comment
+
+commit afe10313c1fa8d478af399ee7d54c8f85503013b
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Jun 13 14:35:25 2024 +1000
+
+ fix PTY allocation on Cygwin, broken by sshd split
+
+ Cygwin doesn't support FD passing and so used to disable post-auth
+ privilege separation entirely because privsep requires PTY allocation
+ to happen in the privileged monitor process with the PTY file
+ descriptors being passed back to the unprivileged process.
+
+ This brings back a minimal version of the previous special treatment
+ for Cygwin (and any other platform that sets DISABLE_FD_PASSING):
+ privilege separation remains enabled, but PTY allocation happens in
+ the post-auth user process rather than the monitor.
+
+ This either requires PTY allocation to not need privilege to begin
+ with (this appears to be the case on Cygwin), or the post-auth
+ privsep process retain privilege (other platforms that set the
+ DISABLE_FD_PASSING option).
+
+ Keeping privileges here is bad, but the non-Cygwin systems that set
+ DISABLE_FD_PASSING are so deeply legacy that this is likely to be the
+ least of their problems.
+
+commit f66d4df5749551380a8c4ae642347675a0b6a2e9
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Jun 13 11:33:09 2024 +1000
+
+ delay lookup of privsep user until config loaded
+
+ sshd-session attempting to use options.kerberos_authentication to
+ decide whether it needed to lookup the privsep user before the
+ configuration was loaded. This caused it to get a placeholder value
+ that caused it always to try to lookup the privsep user, breaking at
+ least one test environment.
+
+commit f1c42858b94f5d9b58867b34dce3afb39c6b56a8
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Jun 13 11:16:57 2024 +1000
+
+ missing file for PerSourcePenalties regress test
+
+commit 4de80ff4e6fab5a6bb0028e7d57c6c23d1485adb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jun 12 22:36:00 2024 +0000
+
+ upstream: split PerSourcePenalties address tracking. Previously it
+
+ used one shared table and overflow policy for IPv4 and IPv6 addresses, now it
+ will use separate tables and optionally different overflow policies.
+
+ This prevents misbehaviour from IPv6 addresses (which are vastly easier
+ to obtain many of) from affecting IPv4 connections and may allow for
+ stricter overflow policies.
+
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
+
+commit 06ab4c6931b0aaa4334db2faaa7e1069e76d0df6
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Tue Jun 11 05:24:39 2024 +0000
+
+ upstream: do not mark up "(default: 20ms)";
+
+ OpenBSD-Commit-ID: 54151ecdecfa1b67dcdda4fd24826ef6e2148ad4
+
+commit cfe243cd9fde148ed060637876e27bb55ac78be9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 02:54:51 2024 +0000
+
+ upstream: reap preauth net child if it hangs up during privsep message
+
+ send, not just message receive
+
+ OpenBSD-Commit-ID: 02a093f4ab4f8f83f0cd1ea2bb35b9ca420448f0
+
+commit b0a711c00b9c64afd1c9d6fb538275c6604a2676
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 01:58:27 2024 +0000
+
+ upstream: fix PIDFILE handling, broken for SUDO=doas in last commit
+
+ here
+
+ OpenBSD-Regress-ID: 96fec579af228f87a036e94801eb294af9074625
+
+commit 90fb801e2d9241be50a2a7ff79428386442a041f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 02:00:30 2024 +0000
+
+ upstream: reap the pre-auth [net] child if it hangs up during privsep
+
+ message sending, not just receiving
+
+ OpenBSD-Commit-ID: f7341605bf08c4c15830910446e6775323f2f8cb
+
+commit ef878d58798f6688c7f4d4e417dc0c29023ea831
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 01:23:25 2024 +0000
+
+ upstream: a little more RB_TREE paranoia
+
+ OpenBSD-Commit-ID: 8dc2fd21eebd8830c4a4d25461ac4fe228e11156
+
+commit fc4e96b2174d6a894d2033421699d091679baced
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 01:22:25 2024 +0000
+
+ upstream: fix off-by-one comparison for PerSourcePenalty
+
+ OpenBSD-Commit-ID: af4f5d01c41ef870b23e55655bfbf73474a6c02b
+
+commit 82c836df4ff41145553cd7adb11c5b985aeaa06f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 01:21:41 2024 +0000
+
+ upstream: move tree init before possible early return
+
+ OpenBSD-Commit-ID: 72e2c5b69f151c08a7c5bf5ad929b97a92c273df
+
+commit a2300f015cc4939c4d9c564b58b74e71202dc978
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 01:07:35 2024 +0000
+
+ upstream: update to mention that PerSourcePenalties default to
+
+ being enabled and document the default values for each parameter.
+
+ OpenBSD-Commit-ID: b981288bddfb097aad269f62df4081c688ce0034
+
+commit 41987efd356d3fc30139aeab4b09374acf8f91a0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 00:44:52 2024 +0000
+
+ upstream: reap the [net] child if it hangs up while writing privsep
+
+ message payloads, not just the message header
+
+ OpenBSD-Commit-ID: 24dbd400aa381ac96be7ed2dd49018487dfef6ce
+
+commit 6211aa085fa91155a24922e5329576ac9a8f3175
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 00:40:21 2024 +0000
+
+ upstream: log waitpid() status for abnormal exits
+
+ OpenBSD-Commit-ID: b317930e06b51819c1a2bc6a4359764fecfb1c2d
+
+commit a59634c7adb9ae988748d99963dfafb3070d8d41
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jun 11 00:36:20 2024 +0000
+
+ upstream: correct error message
+
+ OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed
+
+commit fa7d7a667f2ee031e72873e36de2d2a36bca973b
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Jun 7 13:23:30 2024 +0000
+
+ upstream: avoid shadowing issues which some compilers won't accept
+
+ ok djm
+
+ OpenBSD-Commit-ID: 1e89572397dda83433d58c4fa6333a08f51170d4
+
+commit 3ad4cd9eeca5c9bc6706db44b6de88e2e4513fd6
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Thu Jun 6 21:14:49 2024 +0000
+
+ upstream: escape the final dot at eol in "e.g." to avoid double
+
+ spacing;
+
+ OpenBSD-Commit-ID: 0a9fb10bc9f7d577afe2da3f498a08bc431115b9
+
+commit 0e0c69761a4c33ccd4a256560f522784a753d1a8
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 20:25:48 2024 +0000
+
+ upstream: enable PerSourcePenalties by default.
+
+ ok markus
+
+ NB. if you run a sshd that accepts connections from behind large NAT
+ blocks, proxies or anything else that aggregates many possible users
+ behind few IP addresses, then this change may cause legitimate traffic
+ to be denied.
+
+ Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
+ PerSourceNetBlockSize options in sshd_config(5) for how to tune your
+ sshd(8) for your specific circumstances.
+
+ OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce
+
+commit bd1f74741daabeaf20939a85cd8cec08c76d0bec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 20:20:42 2024 +0000
+
+ upstream: mention that PerSourcePenalties don't affect concurrent
+
+ in-progress connections.
+
+ OpenBSD-Commit-ID: 20389da6264f2c97ac3463edfaa1182c212d420c
+
+commit 9774b938578327d88a651f4c63c504809717590a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 19:49:25 2024 +0000
+
+ upstream: regress test for PerSourcePenalties
+
+ OpenBSD-Regress-ID: a1af13d411b25a727742644459d26480b9a1b0f1
+
+commit b8ebd86cefe9812204a10c028dc90de29918667d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 19:48:40 2024 +0000
+
+ upstream: make sure logs are saved from sshd run via start_sshd
+
+ OpenBSD-Regress-ID: de4ef0e32e3ab85ff3a6c36eb08d1909c0dd1b4a
+
+commit d7b2070bdaa4ebbfafb9975c1d5a62b73289d31f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 19:47:48 2024 +0000
+
+ upstream: simplify
+
+ OpenBSD-Regress-ID: 50316e0d1ae0c0a057a45af042253e54ce23d11c
+
+commit e6ea3d224513b6bfb93818809d4c7397f5995ba2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 18:48:13 2024 +0000
+
+ upstream: prepare for PerSourcePenalties being enabled by default
+
+ in future
+
+ OpenBSD-Regress-ID: 5236c6d1c823997aac5a35e2915da30f1903bec7
+
+commit c0cb3b8c837761816a60a3cdb54062668df09652
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 19:50:01 2024 +0000
+
+ upstream: disable stderr redirection before closing fds
+
+ OpenBSD-Commit-ID: d42cb895ee4542098050367fc35321c9303f003a
+
+commit 81c1099d22b81ebfd20a334ce986c4f753b0db29
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jun 6 17:15:25 2024 +0000
+
+ upstream: Add a facility to sshd(8) to penalise particular
+
+ problematic client behaviours, controlled by two new sshd_config(5) options:
+ PerSourcePenalties and PerSourcePenaltyExemptList.
+
+ When PerSourcePenalties are enabled, sshd(8) will monitor the exit
+ status of its child pre-auth session processes. Through the exit
+ status, it can observe situations where the session did not
+ authenticate as expected. These conditions include when the client
+ repeatedly attempted authentication unsucessfully (possibly indicating
+ an attack against one or more accounts, e.g. password guessing), or
+ when client behaviour caused sshd to crash (possibly indicating
+ attempts to exploit sshd).
+
+ When such a condition is observed, sshd will record a penalty of some
+ duration (e.g. 30 seconds) against the client's address. If this time
+ is above a minimum threshold specified by the PerSourcePenalties, then
+ connections from the client address will be refused (along with any
+ others in the same PerSourceNetBlockSize CIDR range).
+
+ Repeated offenses by the same client address will accrue greater
+ penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
+ option allows certain address ranges to be exempt from all penalties.
+
+ We hope these options will make it significantly more difficult for
+ attackers to find accounts with weak/guessable passwords or exploit
+ bugs in sshd(8) itself.
+
+ PerSourcePenalties is off by default, but we expect to enable it
+ automatically in the near future.
+
+ much feedback markus@ and others, ok markus@
+
+ OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
+
+commit 916b0b6174e203cf2c5ec9bcf409472eb7ffbf43
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Jun 7 03:31:02 2024 +1000
+
+ whitespace
+
+commit 49b55e44182b8294419aa580cbf043d5b9e3d953
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Jun 4 15:14:45 2024 +0000
+
+ upstream: enable -fret-clean on amd64, for libc libcrypto ld.so
+
+ kernel, and all the ssh tools. The dynamic objects are entirely ret-clean,
+ static binaries will contain a blend of cleaning and non-cleaning callers.
+
+ OpenBSD-Commit-ID: 112aacedd3b61cc5c34b1fa6d9fb759214179172
+
+commit cc80d51d034bcb24fd0f2564a4bdf1612000a2a2
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Jun 5 02:21:30 2024 +1000
+
+ remove PRIVSEP macros for osx
+
+commit 8785491123d4d722b310c20f383570be758f8263
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jun 1 07:03:37 2024 +0000
+
+ upstream: be really strict with fds reserved for communication with the
+
+ separate sshd-session process - reserve them early and fatal if we can't
+ dup2(2) them later. The pre-split fallback to re-reading the configuration
+ files is not possible, so sshd-session absolutely requires the fd the
+ configuration is passed over to be in order.
+
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 308a98ef3c8a6665ebf92c7c9a0fc9600ccd7065
+
+commit f1c8918cb98459910fb159373baea053ba4108c0
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri May 31 19:12:26 2024 +1000
+
+ depend
+
+commit 94b4866cb1f4b0ed29a9f367047b30f81002316f
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri May 31 19:11:14 2024 +1000
+
+ rename need_privsep to need_chroot
+
+ privsep is mandatory, chroot is optional (disabled when running
+ sshd as non-root)
+
+commit e68a95142e5024b144f8eeccd5ffdee42c34f44c
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri May 31 19:05:34 2024 +1000
+
+ remove remaining use_privsep mention
+
+commit b21d271f651d2536dca819cc6d74032fe98634db
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 31 09:01:08 2024 +0000
+
+ upstream: warn when -r (deprecated option to disable re-exec) is
+
+ passed
+
+ OpenBSD-Commit-ID: 73145ef5150edbe3ce7889f0844ed8fa6155f551
+
+commit a4b5bc246cbca476deeeb4462aa31746a56e3021
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 31 08:49:35 2024 +0000
+
+ upstream: typos
+
+ OpenBSD-Commit-ID: edfa72eb06bfa65da30fabf7d2fe76d2d33f77bf
+
+commit 8054b906983ceaed01fabd8188d3dac24c05ba39
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon May 27 01:52:26 2024 +0000
+
+ upstream: don't need sys/queue.h here
+
+ OpenBSD-Commit-ID: dd137396828171eb19e4911581812ca58de6c578
+
+commit 210d4239733da6180ce853538aeb9413d5c62ad5
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Sun May 26 20:35:12 2024 +0000
+
+ upstream: remove references to SSH1 and DSA server keys
+
+ OpenBSD-Commit-ID: 57cc1c98d4f998981473734f144b904af7d178a2
+
+commit f0b9261d7fdd0ef86806b49fe76344bd16770cd0
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Thu May 23 23:47:16 2024 +0000
+
+ upstream: remove unused struct fwd_perm_list, no decl with complete
+
+ type ok djm@
+
+ OpenBSD-Commit-ID: 416fb3970b7e73c76d2963c4f00cf96f2b2ee2fb
+
+commit 2477a98c3ef78e63b11a1393656e00288f52ae97
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Wed May 22 15:24:55 2024 +0000
+
+ upstream: Do not pass -Werror twice when building with clang.
+
+ OpenBSD-Commit-ID: 5f378c38ad8976d507786dc4db9283a879ec8cd0
+
+commit 435844f5675245b4271f8581f15e6d1f34fde3bc
+Author: miod@openbsd.org <miod@openbsd.org>
+Date: Wed May 22 11:49:36 2024 +0000
+
+ upstream: Do not pass -Werror if building with gcc 3, for asn1.h
+
+ and bio.h cause (admittedly bogus) warnings with gcc 3.
+
+ OpenBSD-Commit-ID: fb39324748824cb0387e9d67c41d1bef945c54ea
+
+commit fc5dc092830de23767c6ef67baa18310a64ee533
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed May 22 04:20:00 2024 +0000
+
+ upstream: this test has been broken since 2014, and has been
+
+ testing the same key exchange algorithm repeatedly instead of testing all of
+ them. Spotted by nreilly AT blackberry.com in bz3692
+
+ Who broke the test? me.
+
+ OpenBSD-Regress-ID: 48f4f5946276f975667141957d25441b3c9a50e2
+
+commit fd4816791beaed2fdae7eea3e1494d1972b2a39d
+Author: anton@openbsd.org <anton@openbsd.org>
+Date: Sun May 19 19:10:01 2024 +0000
+
+ upstream: Add missing kex-names.c source file required since the
+
+ ssh split.
+
+ OpenBSD-Regress-ID: ca666223f828fc4b069cb9016bff1eb50faf9fbb
+
+commit beccb7319c5449f6454889013403c336446d622e
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Fri May 17 14:42:00 2024 +0000
+
+ upstream: remove duplicate copy of relink kit for sshd-session
+
+ OpenBSD-Commit-ID: 6d2ded4cd91d4d727c2b26e099b91ea935bed504
+
+commit dcd79fa141311c287e0595ede684b7116122fae0
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Fri May 17 06:42:04 2024 +0000
+
+ upstream: remove prototypes with no matching function; ok djm@
+
+ OpenBSD-Commit-ID: 6d9065dadea5f14a01bece0dbfe2fba1be31c693
+
+commit 6454a05e7c6574d70adf17efe505a8581a86ca4f
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Fri May 17 06:38:00 2024 +0000
+
+ upstream: remove externs for removed vars; ok djm@
+
+ OpenBSD-Commit-ID: f51ea791d45c15d4927eb4ae7d877ccc1e5a2aab
+
+commit f3e4db4601ef7d2feb1d6f7447e432aaf353a616
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri May 17 06:11:17 2024 +0000
+
+ upstream: -Werror was turned on (probably just for development),
+
+ and this is a simple way to satisfy older gcc.
+
+ OpenBSD-Commit-ID: 7f698df54384b437ce33ab7405f0b86c87019e86
+
+commit 24a1f3e5ad6f4a49377d4c74c36637e9a239efd0
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri May 17 14:50:43 2024 +1000
+
+ attempt at updating RPM specs for sshd-session
+
+commit 17b566eeb7a0c6acc9c48b35c08885901186f861
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 17 04:42:13 2024 +0000
+
+ upstream: g/c unused variable
+
+ OpenBSD-Commit-ID: aa6ef0778a1f1bde0d73efba72a777c48d2bd010
+
+commit 01fb82eb2aa0a4eaf5c394ea8bb37ea4c26f8a3f
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Fri May 17 02:39:11 2024 +0000
+
+ upstream: spelling; ok djm@
+
+ OpenBSD-Commit-ID: bdea29bb3ed2a5a7782999c4c663b219d2270483
+
+commit b88b690e99145a021fc1a1a116a11e0bce0594e7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 17 01:45:22 2024 +0000
+
+ upstream: allow overriding the sshd-session binary path
+
+ OpenBSD-Regress-ID: 5058cd1c4b6ca1a15474e33546142931d9f964da
+
+commit a68f80f2511f0e0c5cef737a8284cc2dfabad818
+Author: anton@openbsd.org <anton@openbsd.org>
+Date: Wed Apr 3 06:01:11 2024 +0000
+
+ upstream: Since ssh-agent(1) is only readable by root by now, use
+
+ ssh(1) while generating data in tests.
+
+ OpenBSD-Regress-ID: 24eb40de2e6b0ace185caaba35e2d470331ffe68
+
+commit 92e55890314ce2b0be21a43ebcbc043b4abc232f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 17 01:17:40 2024 +0000
+
+ upstream: fix incorrect debug option name introduce in previous
+
+ commit
+
+ OpenBSD-Commit-ID: 66d69e22b1c072c694a7267c847f212284614ed3
+
+commit 4ad72878af7b6ec28da6e230e36a91650ebe84c1
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri May 17 00:33:25 2024 +0000
+
+ upstream: construct and install a relink-kit for sshd-session ok
+
+ djm
+
+ OpenBSD-Commit-ID: 8b3820adb4da4e139c4b3cffbcc0bde9f08bf0c6
+
+commit 02e679a2cb3f6df8e9dbb1519ed578226485157f
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri May 17 12:21:27 2024 +1000
+
+ Makefile support for sshd-session
+
+commit c0416035c5eaf70a8450d11c8833c5f7068ee7ad
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 17 00:32:32 2024 +0000
+
+ upstream: missing files from previous
+
+ OpenBSD-Commit-ID: 4b7be4434d8799f02365552b641a7a70a7ebeb2f
+
+commit 03e3de416ed7c34faeb692967737be4a7bbe2eb5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri May 17 00:30:23 2024 +0000
+
+ upstream: Start the process of splitting sshd into separate
+
+ binaries. This step splits sshd into a listener and a session binary. More
+ splits are planned.
+
+ After this changes, the listener binary will validate the configuration,
+ load the hostkeys, listen on port 22 and manage MaxStartups only. All
+ session handling will be performed by a new sshd-session binary that the
+ listener fork+execs.
+
+ This reduces the listener process to the minimum necessary and sets us
+ up for future work on the sshd-session binary.
+
+ feedback/ok markus@ deraadt@
+
+ NB. if you're updating via source, please restart sshd after installing,
+ otherwise you run the risk of locking yourself out.
+
+ OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
+
+commit 1c0d81357921f8d3bab06841df649edac515ae5b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu May 9 09:46:47 2024 +0000
+
+ upstream: simplify exit message handling, which was more complicated
+
+ than it needed to be because of unexpunged ssh1 remnants. ok markus@
+
+ OpenBSD-Commit-ID: 8b0cd2c0dee75fb053718f442aa89510b684610b
+
+commit cbbbf76aa6cd54fce32eacce1300e7abcf9461d4
+Author: tobias@openbsd.org <tobias@openbsd.org>
+Date: Mon May 6 19:26:17 2024 +0000
+
+ upstream: remove SSH1 leftovers
+
+ Authored with Space Meyer <git at the-space dot agency>
+
+ ok djm
+
+ OpenBSD-Commit-ID: 81db602e4cb407baae472689db1c222ed7b2afa3
+
+commit bc5dcb8ab9a4e8af54a724883732af378f42ea78
+Author: tobias@openbsd.org <tobias@openbsd.org>
+Date: Tue Apr 30 15:40:43 2024 +0000
+
+ upstream: never close stdin
+
+ The sanitise_stdfd call makes sure that standard file descriptors are
+ open (if they were closed, they are connected with /dev/null).
+
+ Do not close stdin in any case to prevent error messages when stdin is
+ read multiple times and to prevent later usage of fd 0 for connections,
+ e.g.
+
+ echo localhost | ssh-keyscan -f - -f -
+
+ While at it, make stdin-related error messages nicer.
+
+ Authored with Max Kunzelmann <maxdev at posteo dot de>
+
+ ok djm
+
+ OpenBSD-Commit-ID: 48e9b7938e2fa2f9bd47e6de6df66a31e0b375d3
+
+commit 6a42b70e56bef1aacdcdf06352396e837883e84f
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed May 8 09:43:59 2024 +1000
+
+ sync getrrsetbyname.c with recent upstream changes
+
+commit 385ecb31e147dfea59c1c488a1d2011d3867e60e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Apr 30 06:23:51 2024 +0000
+
+ upstream: fix home-directory extension implementation, it always
+
+ returned the current user's home directory contrary to the spec.
+
+ Patch from Jakub Jelen via GHPR477
+
+ OpenBSD-Commit-ID: 5afd775eab7f9cbe222d7fbae4c793de6c3b3d28
+
+commit 14e2b16bc67ffcc188906f65008667e22f73d103
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Apr 30 06:16:55 2024 +0000
+
+ upstream: flush stdout after writing "sftp>" prompt when not using
+
+ editline.
+
+ From Alpine Linux via GHPR480
+
+ OpenBSD-Commit-ID: 80bdc7ffe0358dc090eb9b93e6dedb2b087b24cd
+
+commit 2e69a724051488e3fb3cd11531c4b5bc1764945b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Apr 30 05:53:03 2024 +0000
+
+ upstream: stricter validation of messaging socket fd number; disallow
+
+ usage of stderr. Based on GHPR492 by RealHurrison
+
+ OpenBSD-Commit-ID: 73dbbe82ea16f73ce1d044d3232bc869ae2f2ce8
+
+commit da757b022bf18c6f7d04e685a10cd96ed00f83da
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Apr 30 05:45:56 2024 +0000
+
+ upstream: add missing reserved fields to key constraint protocol
+
+ documentation.
+
+ from Wiktor Kwapisiewicz via GHPR487
+
+ OpenBSD-Commit-ID: 0dfb69998cfdb3fa00cbb0e7809e7d2f6126e3df
+
+commit 16d0b82fa08038f35f1b3630c70116979f49784f
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Apr 30 12:39:34 2024 +1000
+
+ depend
+
+commit 66aaa678dbe59aa21d0d9d89a3596ecedde0254b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Apr 30 02:14:10 2024 +0000
+
+ upstream: correctly restore sigprocmask around ppoll() reported
+
+ by Tõivo Leedjärv; ok deraadt@
+
+ OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
+
+commit 80fb0eb21551aed3aebb009ab20aeffeb01e44e0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Apr 30 02:10:49 2024 +0000
+
+ upstream: add explict check for server hostkey type against
+
+ HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from
+ certificate keys to plain keys. ok markus@
+
+ OpenBSD-Commit-ID: 364087e4a395ff9b2f42bf3aefdb2090bb23643a
+
+commit 5b28096d31ff7d80748fc845553a4aef5bb05d86
+Author: jsg@openbsd.org <jsg@openbsd.org>
+Date: Tue Apr 23 13:34:50 2024 +0000
+
+ upstream: correct indentation; no functional change ok tb@
+
+ OpenBSD-Commit-ID: dd9702fd43de546bc6a3f4f025c74d6f3692a0d4
+
+commit fd3cb8a82784e05f621dea5b56ac6f89bc53c067
+Author: semarie@openbsd.org <semarie@openbsd.org>
+Date: Thu Apr 4 16:00:51 2024 +0000
+
+ upstream: set right mode on ssh-agent at boot-time
+
+ which sthen@
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 662b5056a2c6171563e1626f9c69f27862b5e7af
+
+commit 54343a260e3aa4bceca1852dde31cd08e2abd82b
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Apr 2 12:22:38 2024 +0000
+
+ upstream: Oops, incorrect hex conversion spotted by claudio.
+
+ While here try to improve how it reads a bit better. Surprising the
+ regression tests didn't spot this error, maybe it fails to roundtrip the
+ values.
+
+ OpenBSD-Commit-ID: 866cfcc1955aef8f3fc32da0b70c353a1b859f2e
+
+commit ec78c31409590ad74efc194f886273ed080a545a
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Apr 2 10:02:08 2024 +0000
+
+ upstream: for parse_ipqos(), use strtonum() instead of mostly
+
+ idiomatic strtoul(), but wow it's so gross. ok djm
+
+ OpenBSD-Commit-ID: cec14a76af2eb7b225300c80fc0e21052be67b05
+
+commit 8176e1a6c2e6da9361a7abb6fbf6c23c299f495b
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Apr 2 09:56:58 2024 +0000
+
+ upstream: can shortcut by returning strtonum() value directly; ok
+
+ djm
+
+ OpenBSD-Commit-ID: 7bb2dd3d6d1f288dac14247d1de446e3d7ba8b8e
+
+commit 9f543d7022a781f80bb696f9d73f1d1c6f9e31d6
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Apr 2 09:52:14 2024 +0000
+
+ upstream: rewrite convtime() to use a isdigit-scanner and
+
+ strtonum() instead of strange strtoul can might be fooled by garage
+ characters. passes regress/usr.bin/ssh/unittests/misc ok djm
+
+ OpenBSD-Commit-ID: 4b1ef826bb16047aea3f3bdcb385b72ffd450abc
+
+commit 8673137f780d8d9e4cda3c4605cb5d88d5cea271
+Author: claudio@openbsd.org <claudio@openbsd.org>
+Date: Tue Apr 2 09:48:24 2024 +0000
+
+ upstream: Remove unused ptr[3] char array in pkcs11_decode_hex.
+
+ OK deraadt@
+
+ OpenBSD-Commit-ID: 3d14433e39fd558f662d3b0431c4c555ef920481
+
+commit c7fec708f331f108343d69e4d74c9a5d86d6cfe7
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Apr 2 09:32:28 2024 +0000
+
+ upstream: Replace non-idiomatic strtoul(, 16) to parse a region
+
+ of 2-character hex sequences with a low-level replacement designed just for
+ the task. ok djm
+
+ OpenBSD-Commit-ID: 67bab8b8a4329a19a0add5085eacd6f4cc215e85
+
+commit 019a5f483b0f588da6270ec401d0b4bb35032f3f
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Tue Apr 2 09:29:31 2024 +0000
+
+ upstream: Use strtonum() instead of severely non-idomatic
+
+ strtoul() In particular this will now reject trailing garbage, ie.
+ '12garbage'. ok djm
+
+ OpenBSD-Commit-ID: c82d95e3ccbfedfc91a8041c2f8bf0cf987d1501
+
+commit 8231ca046fa39ea4eb99b79e0a6e09dec50ac952
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Mon Apr 1 15:50:17 2024 +0000
+
+ upstream: also create a relink kit for ssh-agent, since it is a
+
+ long-running setgid program carrying keys with some (not very powerful)
+ communication channels. solution for testing the binary from dtucker.
+ agreement from djm. Will add it into /etc/rc in a few days.
+
+ OpenBSD-Commit-ID: 2fe8d707ae35ba23c7916adcb818bb5b66837ba0
+
+commit bf7bf50bd6a14e49c9c243cb8f4de31e555a5a2e
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Mon Apr 1 15:48:16 2024 +0000
+
+ upstream: new-style relink kit for sshd. The old scheme created
+
+ a Makefile by concatenating two Makefiles and was incredibly fragile. In the
+ new way a narrow-purposed install.sh script is created and shipped with the
+ objects. A recently commited /etc/rc script understands these files.
+
+ OpenBSD-Commit-ID: ef9341d5a50f0d33e3a6fbe995e92964bc7ef2d3
+
+commit 00e63688920905e326d8667cb47f17a156b6dc8f
+Author: renmingshuai <renmingshuai@huawei.com>
+Date: Fri Apr 12 10:20:49 2024 +0800
+
+ Shell syntax fix (leftover from a sync).
+
+ Signed-off-by: renmingshuai <renmingshuai@huawei.com>
+
+commit 2eded551ba96e66bc3afbbcc883812c2eac02bd7
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Apr 25 13:20:19 2024 +1000
+
+ Merge flags for OpenSSL 3.x versions.
+
+ OpenSSL has moved to 3.4 which we don't currently accept. Based on
+ the OpenSSL versioning policy[0] it looks like all of the 3.x versions
+ should work with OpenSSH, so remove the distinction in configure and
+ accept all of them.
+
+ [0] https://openssl.org/policies/general/versioning-policy.html
+
+commit 8673245918081c6d1dc7fb3733c8eb2c5a902c5e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Apr 25 13:19:03 2024 +1000
+
+ Remove 9.6 branch from status page.
+
+commit 70d43049747fa3c66cf876d52271859407cec2fa
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Apr 25 13:16:58 2024 +1000
+
+ Update LibreSSL and OpenSSL versions tested.
+
+ Update LibreSSL versions to current releases (3.8.4 & 3.9.1).
+ Add newly-released OpenSSL 3.3.0, and add tests against the 3.1 and
+ 3.3 branches.
+
+commit 88351eca17dcc55189991ba60e50819b6d4193c1
+Author: 90 <hi@90.gripe>
+Date: Fri Apr 5 19:36:06 2024 +0100
+
+ Fix missing header for systemd notification
+
+commit 08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Apr 3 14:40:32 2024 +1100
+
+ notify systemd on listen and reload
+
+ Standalone implementation that does not depend on libsystemd.
+ With assistance from Luca Boccassi, and feedback/testing from Colin
+ Watson. bz2641
+
+commit 43e7c1c07cf6aae7f4394ca8ae91a3efc46514e2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Mar 31 21:51:57 2024 +1100
+
+ Port changes from selfhosted to upstream tests.
+
+ Should get them working again.
+
+commit 281ea25a44bff53eefb4af7bab7aa670b1f8b6b2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Mar 30 18:20:16 2024 +1100
+
+ Check if OpenSSL implementation supports DSA.
+
+ If --enable/disable-dsa-keys is not specified, set based on what OpenSSL
+ supports. If specified as enabled, but not supported by OpenSSL error
+ out. ok djm@
+
+commit 2d2c068de8d696fe3246f390b146197f51ea1e83
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Mar 30 05:56:22 2024 +0000
+
+ upstream: in OpenSSH private key format, correct type for subsequent
+
+ private keys in blob. From Jakub Jelen via GHPR430
+
+ OpenBSD-Commit-ID: d17dbf47554de2d752061592f95b5d772baab50b
+
+commit c2c0bdd3e96b3ef66d77fccb85ff4962dc76caf0
+Author: Eero Häkkinen <Eero+git@xn--Hkkinen-5wa.fi>
+Date: Sat Sep 16 00:55:08 2023 +0300
+
+ Expose SSH_AUTH_INFO_0 always to PAM auth modules.
+
+ This changes SSH_AUTH_INFO_0 to be exposed to PAM auth modules also
+ when a password authentication method is in use and not only
+ when a keyboard-interactive authentication method is in use.
+
+commit 02c5ad23124ae801cf248d99ea5068fc4331ca01
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Mar 27 17:42:58 2024 +1100
+
+ Rearrange selfhosted VM scheduling.
+
+ Instead of trying to infer the type of the self hosted tests in each of
+ the driver scripts (inconsistently...), set one of the following
+ variables to "true" in the workflow:
+
+ VM: tests run in a virtual machine.
+ EPHEMERAL: tests run on an ephemeral virtual machine.
+ PERSISTENT: tests run on a persistent virtual machine
+ REMOTE: tests run on a physical remote host.
+
+ EPHEMERAL VMs can have multiple instances of any given VM can exist
+ simultaneously and are run by a runner pool. The other types have a
+ dedicated runner instance and can only run a single test at a time.
+
+ Other settings:
+ SSHFS: We need to sshfs mount over the repo so the workflow can collect
+ build artifacts. This also implies the tests must be run over ssh.
+ DEBUG_ACTIONS: enable "set -x" in scripts for debugging.
+
+commit cd8a72707c02615365d0851ac51063ab6bfe258f
+Author: Damien Miller <djm@mindrot.org>
+Date: Sat Mar 30 16:05:59 2024 +1100
+
+ add new token-based signing key for dtucker@
+
+ Verified in person and via signature with old key.
+ Will remove old key in a bit.
+
+commit 8d0e46c1ddb5b7f0992591b0dc5d8aaa77cc9dba
+Author: Alkaid <zgf574564920@gmail.com>
+Date: Tue Mar 12 03:59:12 2024 -0700
+
+ Fix OpenSSL ED25519 support detection
+
+ Wrong function signature in configure.ac prevents openssh from enabling
+ the recently new support for ED25519 priv keys in PEM PKCS8 format.
+
+commit 697359be9c23ee43618243cdbcc9c7981e766752
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Mar 30 04:27:44 2024 +0000
+
+ upstream: allow WAYLAND_DISPLAY to enable SSH_ASKPASS
+
+ From dkg via GHPR479; ok dtucker@
+
+ OpenBSD-Commit-ID: 1ac1f9c45da44eabbae89375393c662349239257
+
+commit 7844705b0364574cc70b941be72036c2c2966363
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 29 10:40:07 2024 +0000
+
+ upstream: Use egrep instead of grep -E.
+
+ Some plaforms don't have the latter so this makes things easier
+ in -portable.
+
+ OpenBSD-Regress-ID: ff82260eb0db1f11130200b25d820cf73753bbe3
+
+commit 22b2b6c555334bffdf357a2e4aa74308b03b83c3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Mar 26 08:09:16 2024 +0000
+
+ upstream: test -h is the POSIXly way of testing for a symlink. Reduces
+
+ diff vs Portable.
+
+ OpenBSD-Regress-ID: 6f31cd6e231e3b8c5c2ca0307573ccb7484bff7d
+
+commit edcff77f82c2bb2b5653b36f1e47274c5ef3e8be
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 18:58:58 2024 +1100
+
+ Fix name of OpenBSD upstream CI jobs.
+
+commit 861b084429940e024f1b6e9c2779eac95d7a45db
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 18:55:33 2024 +1100
+
+ Resync with upstream: ${} around DATAFILE.
+
+commit 63f248c7693e7f0a3b9a13d2980ac9a7e37f2aea
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 25 19:28:09 2024 +0000
+
+ upstream: optional debugging
+
+ OpenBSD-Regress-ID: b4852bf97ac8fb2e3530f2d5f999edd66058d7bc
+
+commit 16e2ebe06a62f09d4877b769876d92d6008a896f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 06:05:42 2024 +0000
+
+ upstream: Verify string returned from local shell command.
+
+ OpenBSD-Regress-ID: 5039bde24d33d809aebfa8d3ad7fe9053224e6f8
+
+commit b326f7a1f39ff31324cc3fe2735178fb474c04a4
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 03:30:31 2024 +0000
+
+ upstream: Improve shell portability: grep -q is not portable so
+
+ redirect stdout, and use printf instead of relying on echo to do \n
+ substitution. Reduces diff vs Portable.
+
+ Also resync somewhat with upstream.
+
+ OpenBSD-Regress-ID: 9ae876a8ec4c4725f1e9820a0667360ee2398337
+
+commit dbf2e319f0c582613fa45a735ea3c242ce56946b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 02:07:08 2024 +0000
+
+ upstream: Save error code from SSH for use inside case statement,
+
+ from portable. In some shells, "case" will reset the value of $?, so save it
+ first.
+
+ OpenBSD-Regress-ID: da32e5be19299cb4f0f7de7f29c11257a62d6949
+
+commit d2c8c4fa7def4fb057ed05b3db57b62c810a26f6
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 01:40:47 2024 +0000
+
+ upstream: Increase timeout. Resyncs with portable where some of
+
+ the test VMs are slow enough for this to matter.
+
+ OpenBSD-Regress-ID: 6a83a693602eb0312f06a4ad2cd6f40d99d24b26
+
+commit 83621b63514a84791623db3efb59d38bc4bf9563
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 01:28:29 2024 +0000
+
+ upstream: In PuTTY interop test, don't assume the PuTTY major
+
+ version is 0. Patch from cjwatson at debian.org via bz#3671.
+
+ OpenBSD-Regress-ID: 835ed03c1b04ad46be82e674495521f11b840191
+
+commit 8a421b927700f3834b4d985778e252b8e3299f83
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 18:38:14 2024 +1100
+
+ Really mkdir /usr/local/etc in CI tests.
+
+commit 2946ed522c47ce045314533d426b4e379f745e59
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 17:19:09 2024 +1100
+
+ Better short name for OpenBSD upstream CI jobs too.
+
+commit 18dbe8eff647aacb82d7e86b4ce63d5beee11f25
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 17:13:52 2024 +1100
+
+ Ensure /usr/local/etc exists before using in tests.
+
+commit 5fc1085128e3348bb1b5ee4d955cc767b019b3ad
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 16:50:46 2024 +1100
+
+ Be more specific about when to rerun workflows.
+
+commit 5516923e8ae3da0823fea0d7d28aa813627142c0
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 16:35:27 2024 +1100
+
+ Add short names for test jobs on github CI.
+
+commit dc37d2d2470b4a9cedcee9ac926b7362214e3305
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 26 16:26:14 2024 +1100
+
+ If we're using xpg4's id, remember to pass args.
+
+commit fe169487937780392b23d3ff3c00e5898c10f784
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Mar 26 01:23:11 2024 +0000
+
+ upstream: Import regenerated moduli.
+
+ OpenBSD-Commit-ID: ad3d1486d105b008c93e952d158e5af4d9d4c531
+
+commit 151146f03b490d19145cd421763aa7d42f5c50e2
+Author: job@openbsd.org <job@openbsd.org>
+Date: Thu Mar 14 06:23:14 2024 +0000
+
+ upstream: Clarify how literal IPv6 addresses can be used in -J mode
+
+ OK djm@
+
+ OpenBSD-Commit-ID: 524ddae97746b3563ad4a887dfd0a6e6ba114c50
+
+commit 0d5bdc87a675271862b67eb6a9fb13a202fb4894
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 25 16:14:21 2024 +1100
+
+ Add Mac OS X 14 test targets.
+
+commit 2d7964a03e1f50a48040ec6912c0a956df909d21
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 25 14:05:40 2024 +1100
+
+ Move xpg4 'id' handling into test-exec.sh.
+
+ Handle replacement of 'id' the same way as we do other Portable specific
+ replacements in test-exec.sh. This brings percent.sh back into sync
+ with upstream.
+
+commit 75d1d49ed10d978171cdafad28bdbffdbd48f41e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 25 10:38:03 2024 +1100
+
+ Update branches shown on ci-status to 9.7 and 9.6.
+
+commit f9193f03db0029fc9c31fbdb5c66a2737446bd8f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 25 09:28:02 2024 +1100
+
+ Improve detection of -fzero-call-used-regs=used.
+
+ Should better detect problems with gcc 13 on m68k. bz#3673 from Colin
+ Watson via bz#3673 and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110934
+
+ Signed-off-by: Darren Tucker <dtucker@dtucker.net>
+
commit 86bdd3853f4d32c85e295e6216a2fe0953ad93f0
Author: Damien Miller <djm@mindrot.org>
Date: Mon Mar 11 16:20:49 2024 +1100
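Review bot: the entry for commit 03e3de416ed7 (splitting sshd into a listener and an sshd-session binary) carries the only operator-facing warning in this hunk, "NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out", and it is buried deep inside the added block where someone upgrading is unlikely to read it. Since this ChangeLog mirrors the commit messages, leave the entry as it is, but repeat that warning in the release notes or install documentation shipped with this version, next to the packaging entries that introduce sshd-session (Makefile support, RPM specs, relink kit). The 80fb0eb21551 entry deserves the same treatment: the explicit check of the server hostkey type against HostkeyAlgorithms, which lets that option disable the implicit fallback from certificate keys to plain keys, changes client behaviour and should be called out for administrators rather than left only in this log. Minor: the f9193f03db00 entry cites "bz#3673 from Colin Watson via bz#3673" twice; avoid copying the duplicated reference into any derived notes.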
@@ -7063,1238 +8664,3 @@ Date: Fri Jul 1 04:45:50 2022 +0000
in format description
OpenBSD-Commit-ID: 3de33572733ee7fcfd7db33d37db23d2280254f0
-
-commit 32e82a392d9f263485effdd606ff5862d289a4a0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Jul 1 13:55:19 2022 +1000
-
- Skip select+rlimit check if sandboxing is disabled
-
- It's not needed in that case, and the test can fail when being built
- with some compiler memory sanitizer flags. bz#3441
-
-commit 4be7184ebe2a2ccef175983517a35ee06766e1b4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jul 1 03:52:57 2022 +0000
-
- upstream: bump up loglevel from debug to info when unable to open
-
- authorized keys/principals file for errno != ENOENT; bz2042 ok dtucker
-
- OpenBSD-Commit-ID: e79aa550d91ade6a80f081bda689da24c086d66b
-
-commit 6c31ba10e97b6953c4f325f526f3e846dfea647a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jul 1 03:39:44 2022 +0000
-
- upstream: Don't leak the strings allocated by order_hostkeyalgs()
-
- and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of
- github PR#324 from ZoltanFridrich, ok djm@
-
- This is a roll-forward of the previous rollback now that the required
- changes in compat.c have been done.
-
- OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb
-
-commit 486c4dc3b83b4b67d663fb0fa62bc24138ec3946
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jul 1 03:35:45 2022 +0000
-
- upstream: Always return allocated strings from the kex filtering so
-
- that we can free them later. Fix one leak in compat_kex_proposal. Based on
- github PR#324 from ZoltanFridrich with some simplications by me. ok djm@
-
- OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4
-
-commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jul 1 00:36:30 2022 +0000
-
- upstream: ignore SIGPIPE earlier in main(), specifically before
-
- muxclient() which performs operations that could cause one; Reported by Noam
- Lewis via bz3454, ok dtucker@
-
- OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
-
-commit 33efac790f6b09d54894ba6c3e17dfb08b6fc7e1
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Tue Jun 28 06:09:14 2022 +0000
-
- upstream: reflect the update to -D arg name in usage();
-
- OpenBSD-Commit-ID: abdcde4f92b1ef094ae44210ee99d3b0155aad9c
-
-commit c71a1442d02f0a3586109dfe2cb366de36dee08e
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Wed Jun 29 18:28:47 2022 +1000
-
- Update OpenSSL tests to the most recent releases.
-
-commit 2a822f29300b2de7335fbff65f0b187a0c582304
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jun 27 21:41:55 2022 +0000
-
- upstream: allow arguments to sftp -D option, e.g. sftp -D
-
- "/usr/libexec/sftp-server -el debug3"
-
- ok markus@
-
- OpenBSD-Commit-ID: 5a002b9f3a7aef2731fc0ffa9c921cf15f38ecce
-
-commit 2369a2810187e08f2af5d58b343956062fb96ee8
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jun 24 10:45:06 2022 +0000
-
- upstream: Roll back previous KEX changes as they aren't safe until
-
- compat_pkalg_proposal and friends always allocate their returned strings.
- Reported by Qualys.
-
- OpenBSD-Commit-ID: 1c7a88a0d5033f42f88ab9bec58ef1cf72c81ad0
-
-commit 646686136c34c2dbf6a01296dfaa9ebee029386d
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jun 24 04:37:00 2022 +0000
-
- upstream: Don't leak the strings allocated by order_hostkeyalgs()
-
- and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of
- github PR#324 from ZoltanFridrich, ok djm@
-
- OpenBSD-Commit-ID: b2f6e5f60f2bba293b831654328a8a0035ef4a1b
-
-commit 193c6d8d905dde836b628fc07a7b9cf2d347e2a3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Jun 25 12:16:15 2022 +1000
-
- Zero out LIBFIDO2 when SK support not usable.
-
- Prevents us from trying to link them into ssh-sk-helper and failing to
- build.
-
-commit 40f5d849d25c60b4ae21261e78484d435f5cfd51
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Jun 25 11:47:28 2022 +1000
-
- Disable SK support if FIDO libs not found.
-
-commit 5fd922ade1b25880fe8a8249f5c0385e413108f9
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jun 24 14:43:54 2022 +1000
-
- fix broken case statement in previous
-
-commit f51423bdaf0008d46b6af082bcfd7a22a87375f0
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jun 24 14:40:42 2022 +1000
-
- request 1.1x API compatibility for OpenSSL >=3.x
-
- idea/patch from Pedro Martelletto via GHPR#322; ok dtucker@
-
-commit 455cee8d6c2e4c48c5af9faead3599c49948411e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jun 24 04:27:14 2022 +0000
-
- upstream: make it clear that RekeyLimit applies to both transmitted
-
- and received data. GHPR#328 from Jan Pazdziora
-
- OpenBSD-Commit-ID: d180a905fec9ff418a75c07bb96ea41c9308c3f9
-
-commit 17904f05802988d0bb9ed3c8d1d37411e8f459c3
-Author: tobhe@openbsd.org <tobhe@openbsd.org>
-Date: Tue Jun 21 14:52:13 2022 +0000
-
- upstream: Make sure not to fclose() the same fd twice in case of an
-
- error.
-
- ok dtucker@
-
- OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99
-
-commit f29d6cf98c25bf044079032d22c1a57c63ab9d8e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Sat Jun 18 02:17:16 2022 +0000
-
- upstream: Don't attempt to fprintf a null identity comment. From
-
- Martin Vahlensieck via tech@.
-
- OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2
-
-commit ad1762173bb38716a106e8979806149fd0f2753e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jun 17 01:00:03 2022 +0000
-
- upstream: Log an error if pipe() fails while accepting a
-
- connection. bz#3447, from vincent-openssh at vinc17 net, ok djm@
-
- OpenBSD-Commit-ID: 9d59f19872b94900a5c79da2d57850241ac5df94
-
-commit 9c59e7486cc8691401228b43b96a3edbb06e0412
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jun 24 14:20:43 2022 +1000
-
- automatically enable built-in FIDO support
-
- If libfido2 is found and usable, then enable the built-in
- security key support unless --without-security-key-builtin
- was requested.
-
- ok dtucker@
-
-commit 7d25b37fb2a5ff4dadabcbdac6087a97479434f5
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jun 24 13:46:39 2022 +1000
-
- fix possible NULL deref when built without FIDO
-
- Analysis/fix from kircher in bz3443; ok dtucker@
-
-commit f5ba85daddfc2da6a8dab6038269e02c0695be44
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Jun 15 16:08:25 2022 +0000
-
- upstream: make sure that UseDNS hostname lookup happens in the monitor
-
- and not in the pledge(2)'d unprivileged process; fixes regression caused by
- recent refactoring spotted by henning@
-
- OpenBSD-Commit-ID: a089870b95101cd8881a2dff65b2f1627d13e88d
-
-commit acb2059febaddd71ee06c2ebf63dcf211d9ab9f2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jun 3 04:47:21 2022 +0000
-
- upstream: move auth_openprincipals() and auth_openkeyfile() over to
-
- auth2-pubkeyfile.c too; they make more sense there.
-
- OpenBSD-Commit-ID: 9970d99f900e1117fdaab13e9e910a621b7c60ee
-
-commit 3d9b0845f34510111cc693bb99a667662ca50cd8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jun 3 04:31:54 2022 +0000
-
- upstream: test setenv in both client and server, test first-match-wins
-
- too
-
- OpenBSD-Regress-ID: 4c8804f9db38a02db480b9923317457b377fe34b
-
-commit 22e1a3a71ad6d108ff0c5f07f93c3fcbd30f8b40
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jun 3 04:30:46 2022 +0000
-
- upstream: Make SetEnv directives first-match-wins in both
-
- sshd_config and sshd_config; previously if the same name was reused then the
- last would win (which is the opposite to how the config is supposed to work).
-
- While there, make the ssh_config parsing more like sshd_config.
-
- bz3438, ok dtucker
-
- OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
-
-commit 38ed6c57e9e592c08e020fa6e82b45b4e1040970
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jun 3 04:00:15 2022 +0000
-
- upstream: Add missing *-sk types to ssh-keyscan manpage. From
-
- skazi0 via github PR#294.
-
- OpenBSD-Commit-ID: fda2c869cdb871f3c90a89fb3f985370bb5d25c0
-
-commit ea97ec98c41ec2b755dfab459347db674ff9a5de
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jun 3 03:21:09 2022 +0000
-
- upstream: Add period at end of "not known by any other names"
-
- message. github PR#320 from jschauma, ok djm@
-
- OpenBSD-Commit-ID: bd60809803c4bfd3ebb7c5c4d918b10e275266f2
-
-commit 88e376fcd67478ad1660d94bc73ab348ac9f4527
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jun 3 03:17:42 2022 +0000
-
- upstream: ssh-keygen -A: do not generate DSA keys by default.
-
- Based on github PR#303 from jsegitz with man page text from jmc@, ok markus@
- djm@
-
- OpenBSD-Commit-ID: 5c4c57bdd7063ff03381cfb6696659dd3f9f5b9f
-
-commit 6b3fb624675082a1e5aa615d1b8479873d8b5731
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Tue May 31 14:05:12 2022 +0000
-
- upstream: ssh-keygen: implement "verify-required" certificate option.
-
- This was already documented when support for user-verified FIDO
- keys was added, but the ssh-keygen(1) code was missing.
-
- ok djm@
-
- OpenBSD-Commit-ID: f660f973391b593fea4b7b25913c9a15c3eb8a06
-
-commit b7f86ffc301be105bba9a3e0618b6fab3ae379bd
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Sat May 28 05:57:56 2022 +0000
-
- upstream: keywords ref ssh_config.5;
-
- from caspar schutijser
-
- OpenBSD-Commit-ID: f146a19d7d5c9374c3b9c520da43b2732d7d1a4e
-
-commit dc7bc52372f2744fa39191577be5306ee57aacd4
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon May 30 09:29:09 2022 +1000
-
- fix some bugs in the fuzzer
-
-commit 1781f507c113667613351c19898efaf1e311a865
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri May 27 18:19:48 2022 +1000
-
- Test against OpenSSL 1.1.1o and 3.0.3.
-
-commit c53906e0c59e569691b4095d3e8db79cf78fa058
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri May 27 18:18:31 2022 +1000
-
- Test against LibreSSL 3.5.3.
-
-commit 9b3ad432ad2f19319bcc089370e356c6315d682f
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri May 27 17:00:43 2022 +1000
-
- fuzzer for authorized_keys parsing
-
- mostly redundant to authopt_fuzz, but it's sensitive code so IMO it
- makes sense to test this layer too
-
-commit c83d8c4d6f3ccceef84d46de107f6b71cda06359
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri May 27 05:02:46 2022 +0000
-
- upstream: split the low-level file handling functions out from
-
- auth2-pubkey.c
-
- Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
- (e.g. in unit/fuzz tests) without having to refer to everything else
- pubkey auth brings in.
-
- ok dtucker@
-
- OpenBSD-Commit-ID: 3fdca2c61ad97dc1b8d4a7346816f83dc4ce2217
-
-commit 3b0b142d2a0767d8cd838e2f3aefde8a0aaa41e1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri May 27 05:01:25 2022 +0000
-
- upstream: refactor authorized_keys/principals handling
-
- remove "struct ssh *" from arguments - this was only used to pass the
- remote host/address. These can be passed in instead and the resulting
- code is less tightly coupled to ssh_api.[ch]
-
- ok dtucker@
-
- OpenBSD-Commit-ID: 9d4373d013edc4cc4b5c21a599e1837ac31dda0d
-
-commit 2c334fd36f80cb91cc42e4b978b10aa35e0df236
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri May 27 04:29:40 2022 +0000
-
- upstream: f sshpkt functions fail, then password is not cleared
-
- with freezero. Unconditionally call freezero to guarantee that password is
- removed from RAM.
-
- From tobias@ and c3h2_ctf via github PR#286, ok djm@
-
- OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd
-
-commit 5d3a77f4c5ae774c6796387266503f52c7cdc7c2
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri May 27 04:27:49 2022 +0000
-
- upstream: Avoid kill with -1 argument. The out_ctx label can be
-
- reached before fork has been called. If this happens, then kill -1 would be
- called, sending SIGTERM to all processes reachable by the current process.
-
- From tobias@ and c3h2_ctf via github PR#286, ok djm@
-
- OpenBSD-Commit-ID: 6277af1207d81202f5daffdccfeeaed4c763b1a8
-
-commit 533b31cd08e4b97f455466f91c36915e2924c15a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri May 27 04:13:24 2022 +0000
-
- upstream: Note that ProxyJump also accepts the same tokens as
-
- ProxyCommand. From pallxk via github PR#305.
-
- OpenBSD-Commit-ID: 7115ac351b129205f1f1ffa6bbfd62abd76be7c5
-
-commit 9d8c80f8a304babe61ca28f2e3fb5eb6dc9c39bf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed May 25 06:03:44 2022 +0000
-
- upstream: revert previous; it was broken (spotted by Theo)
-
- OpenBSD-Commit-ID: 457c79afaca2f89ec2606405c1059b98b30d8b0d
-
-commit 9e0d02ef7ce88b67643bfb1c2272c9f5f04cc680
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed May 25 00:31:13 2022 +0000
-
- upstream: make SSHBUF_DBG/SSHBUF_TELL (off by default and only enabled
-
- via #define) dump to stderr rather than stdout
-
- OpenBSD-Commit-ID: 10298513ee32db8390aecb0397d782d68cb14318
-
-commit 2487163630f28be28b7e2396b4bd6511b98f1d3e
-Author: Tim Rice <tim@multitalents.net>
-Date: Tue May 24 10:21:25 2022 -0700
-
- configure.ac: Add missing AC_DEFINE for caph_cache_tzdata test causing
- HAVE_CAPH_CACHE_TZDATA to be missing from config.h.in.
- Spotted by Bryan Drewery
-
-commit bedb93415b60db3dfd704a3d525e82adb14a2481
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun May 15 23:48:07 2022 +0000
-
- upstream: regress test for in-place transfers and clobbering larger
-
- files with smaller ones; would have caught last regression in scp(1)
-
- OpenBSD-Regress-ID: 19de4e88dd3a4f7e5c1618c9be3c32415bd93bc2
-
-commit b4f0d719c2548cb74da509fb65f384dada4ebd37
-Author: anton@openbsd.org <anton@openbsd.org>
-Date: Fri Apr 22 05:08:43 2022 +0000
-
- upstream: Only run agent-ptrace.sh if gdb is available as all
-
- architectures do not ship with gdb.
-
- OpenBSD-Regress-ID: ec53e928803e6b87f9ac142d38888ca79a45348d
-
-commit 9b73345f80255a7f3048026462f2c0c6a241eeac
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun May 15 23:47:21 2022 +0000
-
- upstream: fix in-place copies; r1.163 incorrectly skipped truncation in
-
- all cases, not just at the start of a transfer. This could cause overwrites
- of larger files to leave junk at the end. Spotted by tb@
-
- OpenBSD-Commit-ID: b189f19cd68119548c8e24e39c79f61e115bf92c
-
-commit 56a0697fe079ff3e1ba30a2d5c26b5e45f7b71f8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri May 13 06:31:50 2022 +0000
-
- upstream: arrange for scp, when in sftp mode, to not ftruncate(3) files
-
- early
-
- previous behavious of unconditionally truncating the destination file
- would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
- delete all the contents of their destination.
-
- spotted by solene@ sthen@, also bz3431; ok dtucker@
-
- OpenBSD-Commit-ID: ca39fdd39e0ec1466b9666f15cbcfddea6aaa179
-
-commit fbcef70c2832712f027bccea1aa9bc4b4103da93
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon May 9 08:25:27 2022 +0000
-
- upstream: Remove errant apostrophe. From haruyama at queen-ml org.
-
- OpenBSD-Commit-ID: dc6b294567cb84b384ad6ced9ca469f2bbf0bd10
-
-commit 0086a286ea6bbd11ca9b664ac3bb12b27443d6eb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon May 9 03:09:53 2022 +0000
-
- upstream: Allow existing -U (use agent) flag to work with "-Y sign"
-
- operations, where it will be interpreted to require that the private keys is
- hosted in an agent; bz3429, suggested by Adam Szkoda; ok dtucker@
-
- OpenBSD-Commit-ID: a7bc69873b99c32c42c7628ed9ea91565ba08c2f
-
-commit cb010744cc98f651b1029bb09efa986eb54e4ccf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun May 8 22:58:35 2022 +0000
-
- upstream: improve error message when 'ssh-keygen -Y sign' is unable to
-
- load a private key; bz3429, reported by Adam Szkoda ok dtucker@
-
- OpenBSD-Commit-ID: bb57b285e67bea536ef81b1055467be2fc380e74
-
-commit aa61fc82c63d309a90c22ca74fb1da6c6f4372fd
-Author: Tobias Heider <me@tobhe.de>
-Date: Mon May 9 02:00:01 2022 +0200
-
- Remove duplicate bcrypt_pbkdf.o from Makefile
-
- bcrypt_pbkdf.o is duplicated in the openbsd-compat Makefile's object
- file list.
-
-commit deb506d00da8d11fb04c1e7b9b1e1cc379c1705c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun May 8 22:32:36 2022 +0000
-
- upstream: When performing operations that glob(3) a remote path, ensure
-
- that the implicit working directory used to construct that path escapes
- glob(3) characters.
-
- This prevents glob characters from being processed in places they
- shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
- treat the path "/tmp/a*" literally and not attempt to expand it.
-
- Reported by Lusia Kundel; ok markus@
-
- OpenBSD-Commit-ID: 4f647f58482cbad3d58b1eab7f6a1691433deeef
-
-commit f38cf74f20b5da113cfa823afd5bfb5c6ba65f3d
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri May 6 14:50:18 2022 +1000
-
- Also retest OpenBSD upstream on .yml changes.
-
-commit f87a132800ba3710ab130d703448a31ef1128d77
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri May 6 14:46:09 2022 +1000
-
- Note that, for now, we need variadic macros.
-
-commit 217b518e0f7c52c4b909e935141a55344c61e644
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri May 6 14:39:34 2022 +1000
-
- Add ubsan minimal testcase on OpenBSD.
-
- As suggested by djm@.
-
-commit 457dce2cfef6a48f5442591cd8b21c7e8cba13f8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu May 5 01:04:14 2022 +0000
-
- upstream: sshkey_unshield_private() contains a exact duplicate of
-
- the code in private2_check_padding(). Pull private2_check_padding() up so the
- code can be reused. From Martin Vahlensieck, ok deraadt@
-
- OpenBSD-Commit-ID: 876884c3f0e62e8fd8d1594bab06900f971c9c85
-
-commit 0e44db4d9cb313e68a59a44d27884af66c02356e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu May 5 00:56:58 2022 +0000
-
- upstream: channel_new no longer frees remote_name. So update the
-
- comment accordingly. As remote_name is not modified, it can be const as
- well. From Martin Vahlensieck
-
- OpenBSD-Commit-ID: e4e10dc8dc9f40c166ea5a8e991942bedc75a76a
-
-commit 37b62fd5caf19c85a48241535277cefff65adace
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu May 5 00:55:11 2022 +0000
-
- upstream: mux.c: mark argument as const; from Martin Vahlensieck
-
- OpenBSD-Commit-ID: 69a1a93a55986c7c2ad9f733c093b46a47184341
-
-commit f4e67c0ad259b4cf10177277a5827fa5545bac53
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Wed May 4 07:31:22 2022 +0000
-
- upstream: make sure stdout is non-blocking; ok djm@
-
- OpenBSD-Commit-ID: 64940fffbd1b882eda2d7c8c7a43c79368309c0d
-
-commit e5c036d2092c00bef395e9161dc5ce42d4be9565
-Author: florian@openbsd.org <florian@openbsd.org>
-Date: Tue May 3 07:42:27 2022 +0000
-
- upstream: Add FIDO AUTHENTICATOR section and explain a bit how FIDO
-
- works. The wording came mostly from the 8.2 OpenSSH release notes, addapted
- to fit the man page. Then move the -O bits into the new section as is already
- done for CERTIFICATES and MODULI GENERATION. Finally we can explain the
- trade-offs of resident keys. While here, consistently refer to the FIDO
- thingies as "FIDO authenticators", not "FIDO tokens".
-
- input & OK jmc, naddy
-
- OpenBSD-Commit-ID: dd98748d7644df048f78dcf793b3b63db9ab1d25
-
-commit 575771bf79bef7127be6aaccddc46031ea15529e
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Mon May 2 05:40:37 2022 +0000
-
- upstream: remove an obsolete rsa1 format example from an example;
-
- from megan batty
- ok djm
-
- OpenBSD-Commit-ID: db2c89879c29bf083df996bd830abfb1e70d62bf
-
-commit 0bc6b4c8f04e292577bdb44d5dc6b630d3448087
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun May 1 23:20:30 2022 +0000
-
- upstream: fix some integer overflows in sieve_large() that show up when
-
- trying to generate modp groups > 16k bits. Reported via GHPR#306 by Bertram
- Felgenhauer, but fixed in a different way. feedback/ok tb@
-
- OpenBSD-Commit-ID: 81cbc6dd3a21c57bd6fadea10e44afe37bca558e
-
-commit a45615cb172bc827e21ec76750de39dfb30ecc05
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Apr 29 04:55:07 2022 +0000
-
- upstream: be stricter in which characters will be accepted in
-
- specifying a mask length; allow only 0-9. From khaleesicodes via GHPR#278; ok
- dtucker@
-
- OpenBSD-Commit-ID: e267746c047ea86665cdeccef795a8a56082eeb2
-
-commit 4835544d2dd31de6ffc7dba59f92093aea98155b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Apr 30 10:56:41 2022 +1000
-
- Add Mac OS X 12 test target.
-
-commit 97a6a8b8c1f2da09712d0e72d0ef800e4edd34cd
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 29 18:27:34 2022 +1000
-
- Only run tests when source files change.
-
- Also run tests on changes to V_9_0 branch.
-
-commit 6d0392b9ff4b50a56ac5685d1b9392e2cd432ca3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 29 18:22:34 2022 +1000
-
- Remove now-empty int32_minmax.inc.
-
-commit af59463553b5ad52d3b42c4455ee3c5600158bb7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Apr 29 03:24:30 2022 +0000
-
- upstream: mention that the helpers are used by ssh(1), ssh-agent(1)
-
- and ssh-keygen(1). Previously only ssh(1) was mentioned. From Pedro
- Martelletto
-
- OpenBSD-Commit-ID: 30f880f989d4b329589c1c404315685960a5f153
-
-commit 3e26b3a6eebcee27be177207cc0846fb844b7a56
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Apr 29 03:16:48 2022 +0000
-
- upstream: Don't leak SK device. Patch from Pedro Martelletto via
-
- github PR#316. ok djm@
-
- OpenBSD-Commit-ID: 17d11327545022e727d95fd08b213171c5a4585d
-
-commit 247082b5013f0d4fcae8f97453f2a2f01bcda811
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Apr 29 03:13:32 2022 +0000
-
- upstream: fix memleak on session-bind path; from Pedro Martelletto, ok
-
- dtucker@
-
- OpenBSD-Commit-ID: e85899a26ba402b4c0717b531317e8fc258f0a7e
-
-commit e05522008092ceb86a87bdd4ad7878424315db89
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Apr 28 02:53:31 2022 +0000
-
- upstream: avoid printing hash algorithm twice; from lucas AT sexy.is
-
- OpenBSD-Commit-ID: 9d24671e10a84141b7c504396cabad600e47a941
-
-commit 0979e29356915261d69a9517a1e0aaade7c9fc75
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Apr 27 11:08:55 2022 +0000
-
- upstream: Add authfd path to debug output. ok markus@
-
- OpenBSD-Commit-ID: f735a17d1a6f2bee63bfc609d76ef8db8c090890
-
-commit 67b7c784769c74fd4d6b147d91e17e1ac1a8a96d
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Apr 26 07:41:44 2022 +0000
-
- upstream: Check sshauthopt_new() for NULL. bz#3425, from
-
- tessgauthier at microsoft.com. ok djm@
-
- OpenBSD-Commit-ID: af0315bc3e44aa406daa7e0ae7c2d719a974483f
-
-commit d571314d14b919fbd7c84a61f9bf2065fc0a6841
-Author: millert@openbsd.org <millert@openbsd.org>
-Date: Wed Apr 20 16:00:25 2022 +0000
-
- upstream: Remove unnecessary includes: openssl/hmac.h and
-
- openssl/evp.h. From Martin Vahlensieck.
-
- OpenBSD-Commit-ID: a6debb5fb0c8a44e43e8d5ca7cc70ad2f3ea31c3
-
-commit da8dddf8cc1f2516ff894b8183e83a7c5ba3ef80
-Author: millert@openbsd.org <millert@openbsd.org>
-Date: Wed Apr 20 15:59:18 2022 +0000
-
- upstream: Add missing includes of stdlib.h and stdint.h. We need
-
- stdlib.h for malloc(3) and stdint.h for SIZE_MAX. Unlike the other xmss
- files, ssh-xmss.c does not include xmss_commons.h so ssh-xmss.c must include
- those headers itself. From Martin Vahlensieck
-
- OpenBSD-Commit-ID: 70e28a9818cee3da1be2ef6503d4b396dd421e6b
-
-commit fe9d87a6800a7a33be08f4d5ab662a758055ced2
-Author: millert@openbsd.org <millert@openbsd.org>
-Date: Wed Apr 20 15:56:49 2022 +0000
-
- upstream: Avoid an unnecessary xstrdup in rm_env() when matching
-
- patterns. Since match_pattern() doesn't modify its arguments (they are
- const), there is no need to make an extra copy of the strings in
- options->send_env. From Martin Vahlensieck
-
- OpenBSD-Commit-ID: 2c9db31e3f4d3403b49642c64ee048b2a0a39351
-
-commit 7bf2eb958fbb551e7d61e75c176bb3200383285d
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Tue Apr 26 23:30:59 2022 +1000
-
- Add debian-riscv64 test target.
-
-commit 3913c935523902482974c4c503bcff20bd850a6a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Mon Apr 25 17:20:06 2022 +1000
-
- Update OpenSSL and LibreSSL versions in tests.
-
-commit dcd8dca29bcdb193ff6be35b96fc55e6e30d37d9
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Apr 23 20:40:28 2022 +1000
-
- Include stdlib.h for free() prototype.
-
- ... which is used inside the CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG block.
-
-commit 4cc05de568e1c3edd7834ff3bd9d8214eb34861b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Apr 23 20:17:26 2022 +1000
-
- Cache timezone data in capsicum sandbox.
-
- From emaste at freebsd.org, originally part of FreeBSD commit r339216
- / fc3c19a9 with autoconf bits added by me.
-
-commit c31404426d212e2964ff9e5e58e1d0fce3d83f27
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Apr 21 01:36:46 2022 +0000
-
- upstream: It looks like we can't completely avoid
-
- waiting for processes to exit so retrieve the pid via controlmaster and
- use that.
-
- OpenBSD-Regress-ID: 8246f00f22b14e49d2ff1744c94897ead33d457b
-
-commit d19b21afab5c8e2f3df6bd8aee9766bdad3d8c58
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Apr 20 13:25:55 2022 +0000
-
- upstream: Use ssh -f and ControlPersist ..
-
- to start up test forwards and ssh -O stop to shut them down intead of
- sleep loops. This speeds up the test by an order of magnitude.
-
- OpenBSD-Regress-ID: eb3db5f805100919b092a3b2579c611fba3e83e7
-
-commit 5f76286a126721fa005de6edf3d1c7a265555f19
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Apr 20 05:24:13 2022 +0000
-
- upstream: Simplify forward-control test.
-
- Since we no longer need to support SSH1 we don't need to run shell
- commands on the other end of the connection and can use ssh -N instead.
- This also makes the test less racy.
-
- OpenBSD-Regress-ID: 32e94ce272820cc398f30b848b2b0f080d10302c
-
-commit 687bbf23572d8bdf25cbbcdf8ac583514e1ba710
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Mar 31 03:07:33 2022 +0000
-
- upstream: regression test for sftp cp command
-
- OpenBSD-Regress-ID: c96bea9edde3a384b254785e7f9b2b24a81cdf82
-
-commit f1233f19a6a9fe58f52946f50df4772f5b136761
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Apr 20 01:13:47 2022 +0000
-
- upstream: Import regenerated moduli
-
- OpenBSD-Commit-ID: f9a0726d957cf10692a231996a1f34e7f9cdfeb0
-
-commit fec014785de198b9a325d1b94e324bb958c5fe7b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Apr 20 04:19:11 2022 +0000
-
- upstream: Try to continue running local I/O for channels in state
-
- OPEN during SSH transport rekeying. The most visible benefit is that it
- should make ~-escapes work in the client (e.g. to exit) if the connection
- happened to have stalled during a rekey event. Based work by and ok dtucker@
-
- OpenBSD-Commit-ID: a66e8f254e92edd4ce09c9f750883ec8f1ea5f45
-
-commit e68154b0d4f0f5085a050ea896955da1b1be6e30
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Apr 20 01:13:47 2022 +0000
-
- upstream: Import regenerated moduli
-
- OpenBSD-Commit-ID: f9a0726d957cf10692a231996a1f34e7f9cdfeb0
-
-commit 69928b106d8f0fa15b88cf3850d992ed81c44ae0
-Author: tj@openbsd.org <tj@openbsd.org>
-Date: Sat Apr 16 00:22:31 2022 +0000
-
- upstream: list the correct version number
-
- for when usage of the sftp protocol became default and fix a typo
- from ed maste
-
- OpenBSD-Commit-ID: 24e1795ed2283fdeacf16413c2f07503bcdebb31
-
-commit 21042a05c0b304c16f655efeec97438249d2e2cc
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Apr 12 05:09:49 2022 +0000
-
- upstream: Correct path for system known hosts file in description
-
- of IgnoreUserKnownHosts. Patch from Martin Vahlensieck via tech@
-
- OpenBSD-Commit-ID: 9b7784f054fa5aa4d63cb36bd563889477127215
-
-commit 53f4aff60a7c1a08a23917bd47496f8901c471f5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Apr 16 14:33:20 2022 +1000
-
- Resync moduli.5 with upstream.
-
- 1.18: remove duplicate publication year; carsten dot kunze at arcor dot de
- 1.19: ssh-keygen's -G/-T have been replaced with -M generate/screen.
-
-commit d2b888762b9844eb0d8eb59909cdf5af5159f810
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Apr 16 14:31:13 2022 +1000
-
- Retire fbsd6 test VM.
-
- It's long since out of support, relatively slow (it's i686) and the
- compiler has trouble with PIE.
-
-commit cd1f70009860a154b51230d367c55ea5f9a4504e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Apr 11 22:52:08 2022 +0000
-
- upstream: clear io_want/io_ready flags at start of poll() cycle;
-
- avoids plausible spin during rekeying if channel io_want flags are reused
- across cycles. ok markus@ deraadt@
-
- OpenBSD-Commit-ID: 91034f855b7c73cd2591657c49ac30f10322b967
-
-commit aa1920302778273f7f94c2091319aba199068ca0
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Apr 8 05:43:39 2022 +0000
-
- upstream: Note that curve25519-sha256 was later published in
-
- RFC8731. ok djm@
-
- OpenBSD-Commit-ID: 2ac2b5d642d4cf5918eaec8653cad9a4460b2743
-
-commit 4673fa8f2be983f2f88d5afd754adb1a2a39ec9e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Apr 8 04:40:40 2022 +0000
-
- upstream: two defensive changes from Tobias Stoeckmann via GHPR287
-
- enforce stricter invarient for sshbuf_set_parent() - never allow
- a buffer to have a previously-set parent changed.
-
- In sshbuf_reset(), if the reallocation fails, then zero the entire
- buffer and not the (potentially smaller) default initial alloc size.
-
- OpenBSD-Commit-ID: 14583203aa5d50ad38d2e209ae10abaf8955e6a9
-
-commit 26eef015e2d2254375e13afaaf753b78932b1bf5
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Apr 11 16:07:09 2022 +1000
-
- Revert "update build-aux files to match autoconf-2.71"
-
- This reverts commit 0a8ca39fac6ad19096b6c263436f8b2dd51606f2.
-
- It turns out that the checked-in copies of these files are actually newer
- than autoconf-2.71's copies, so this was effectively a downgrade.
- Spotted by Bo Anderson via github
-
-commit 0a8ca39fac6ad19096b6c263436f8b2dd51606f2
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Apr 8 14:48:58 2022 +1000
-
- update build-aux files to match autoconf-2.71
-
- i.e. config.guess, config.sub and install-sh
-
-commit 94eb6858efecc1b4f02d8a6bd35e149f55c814c8
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Apr 6 10:47:48 2022 +1000
-
- update version numbers for release
-
-commit 8e4a8eadf4fe74e65e6492f34250f8cf7d67e8da
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Apr 4 22:45:25 2022 +0000
-
- upstream: openssh-9.0
-
- OpenBSD-Commit-ID: 0dfb461188f4513ec024c1534da8c1ce14c20b64
-
-commit a9f23ea2e3227f406880c2634d066f6f50fa5eaa
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Thu Mar 31 17:58:44 2022 +0000
-
- upstream: ssh: document sntrup761x25519-sha512@openssh.com as
-
- default KEX
-
- OpenBSD-Commit-ID: 12545bfa10bcbf552d04d9d9520d0f4e98b0e171
-
-commit 9ec2713d122af79d66ebb9c1d6d9ae8621a8945f
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Thu Mar 31 17:27:27 2022 +0000
-
- upstream: man pages: add missing commas between subordinate and
-
- main clauses
-
- jmc@ dislikes a comma before "then" in a conditional, so leave those
- untouched.
-
- ok jmc@
-
- OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3
-
-commit 3741df98ffaaff92b474ee70d8ef276b5882f85a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Mon Apr 4 23:52:11 2022 +1000
-
- Disable security key on fbsd6 test host.
-
-commit 32c12236f27ae83bfe6d2983b67c9bc67a83a417
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Mon Apr 4 15:16:51 2022 +1000
-
- Specify TEST_SHELL=bash on AIX.
-
- The system shells cause the agent-restrict test to fail due to some
- quoting so explicitly specify bash until we can get configure to
- autmatically work around that.
-
-commit 90452c8b69d065b7c7c285ff78b81418a75bcd76
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 1 23:38:44 2022 +1100
-
- Only return events from ppoll that were requested.
-
- If the underlying system's select() returns bits that were not in the
- request set, our ppoll() implementation can return revents for events
- not requested, which can apparently cause a hang. Only return revents
- for activity in the requested event set. bz#3416, analysis and fix by
- yaroslav.kuzmin at vmssoftware com, ok djm@
-
-commit 6c49eb5fabc56f4865164ed818aa5112d09c31a8
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 1 23:21:40 2022 +1100
-
- Only run regression tests on slow VMs.
-
-commit f67e47903977b42cb6abcd5565a61bd7293e4dc3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 1 23:21:06 2022 +1100
-
- Increase test timeout to allow slow VMs to finish
-
-commit 02488c1b54065ddc4f25835dbd2618b2a2fe21f5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 1 16:27:38 2022 +1100
-
- Use bash or ksh if available for SH in Makefile.
-
-commit 34c7018c316af4773e432066de28d0ef9d0888cd
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 1 14:56:54 2022 +1100
-
- Set Makefile SHELL as determined by configure.
-
- This should improve compatibility for users with non-POSIX shells. If
- using Makefile.in directly (eg make -f Makefile.in distprep) then SHELL
- will need to be specified on the command line (along with MANFMT in that
- particular case). ok djm@
-
-commit 5b054d76402faab38c48377efd112426469553a0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Apr 1 13:16:47 2022 +1100
-
- Skip slow tests on (very) slow test targets.
-
-commit b275818065b31a865142c48c2acf6a7c1655c542
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Mar 31 14:11:36 2022 +1100
-
- depend
-
-commit 3fa539c3ffaabd6211995512d33e29150f88c5c5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Mar 31 03:07:03 2022 +0000
-
- upstream: add a sftp client "cp" command that supports server-side
-
- copying of files. Useful for this task and for testing the copy-data
- extension. Patch from Mike Frysinger; ok dtucker@
-
- OpenBSD-Commit-ID: 1bb1b950af0d49f0d5425b1f267e197aa1b57444
-
-commit 7988bfc4b701c4b3fe9b36c8561a3d1c5d4c9a74
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Mar 31 03:05:49 2022 +0000
-
- upstream: add support for the "corp-data" protocol extension to
-
- allow server-side copies to be performed without having to go via the client.
- Patch by Mike Frysinger, ok dtucker@
-
- OpenBSD-Commit-ID: 00aa510940fedd66dab1843b58682de4eb7156d5
-
-commit 32dc1c29a4ac9c592ddfef0a4895eb36c1f567ba
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 30 21:13:23 2022 +0000
-
- upstream: select post-quantum KEX
-
- sntrup761x25519-sha512@openssh.com as the default; ok markus@
-
- OpenBSD-Commit-ID: f02d99cbfce22dffec2e2ab1b60905fbddf48fb9
-
-commit d6556de1db0822c76ba2745cf5c097d9472adf7c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 30 21:10:25 2022 +0000
-
- upstream: fix poll() spin when a channel's output fd closes without
-
- data in the channel buffer. Introduce more exact packing of channel fds into
- the pollfd array. fixes bz3405 and bz3411; ok deraadt@ markus@
-
- OpenBSD-Commit-ID: 06740737849c9047785622ad5d472cb6a3907d10
-
-commit 8a74a96d25ca4d32fbf298f6c0ac5a148501777d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 30 04:33:09 2022 +0000
-
- upstream: ssh is almost out of getopt() characters; note the
-
- remaining remaining available ones in a comment
-
- OpenBSD-Commit-ID: 48d38cef59d6bc8e84c6c066f6d601875d3253fd
-
-commit 6d4fc51adb9d8a42f67b5474f02f877422379de6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 30 04:27:51 2022 +0000
-
- upstream: avoid NULL deref via ssh-keygen -Y find-principals.
-
- bz3409, reported by Mateusz Adamowski
-
- OpenBSD-Commit-ID: a3b2c02438052ee858e0ee18e5a288586b5df2c5
-
-commit e937514920335b92b543fd9be79cd6481d1eb0b6
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Mon Mar 28 17:51:03 2022 +1100
-
- Add AIX 5.1 test target.
-
-commit 4bbe815ba974b4fd89cc3fc3e3ef1be847a0befe
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Mar 26 22:01:31 2022 +1100
-
- Drop leading "v" from release version identifier.
-
- It's present in the git tags but not in the release tarball names.
- Also drop extra "/" from URL path.
-
-commit f5cdd3b3c275dffaebfca91df782dca29975e9ac
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Mar 26 16:28:04 2022 +1100
-
- Use tarballs when testing LibreSSL releases.
-
- This means they'll still work when the combination of -portable and
- openbsd github repos no longer match.
-
-commit 24dc37d198f35a7cf71bf4d5384363c7ef4209d4
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Mar 26 15:02:45 2022 +1100
-
- Remove now-unused passwd variable.
-
-commit 5b467ceef2c356f0a77f5e8ab4eb0fac367e4d24
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Mar 26 13:15:44 2022 +1100
-
- Missing semicolon.
-
-commit 2923d026e55998133c0f6e5186dca2a3c0fa5ff5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Mar 26 12:49:50 2022 +1100
-
- Factor out platform-specific locked account check.
-
- Also fixes an incorrect free on platforms with both libiaf and shadow
- passwords (probably only Unixware). Prompted by github PR#284,
- originally from @c3h2_ctf and stoeckmann@.
-
-commit d23efe4b12886ffe416be10bc0a7da6ca8aa72d1
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Mar 26 08:13:46 2022 +1100
-
- Add OpenWRT mips and mipsel test targets.
-
-commit 16ea8b85838dd7a4dbeba4e51ac4f43fd68b1e5b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Mar 20 08:52:17 2022 +0000
-
- upstream: don't leak argument list; bz3404, reported by Balu
-
- Gajjala ok dtucker@
-
- OpenBSD-Commit-ID: fddc32d74e5dd5cff1a49ddd6297b0867eae56a6
-
-commit a72bde294fe0518c9a44ba63864093a1ef2425e3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Mar 20 08:51:21 2022 +0000
-
- upstream: make addargs() and replacearg() a little more robust and
-
- improve error reporting
-
- make freeargs(NULL) a noop like the other free functions
-
- ok dtucker as part of bz3403
-
- OpenBSD-Commit-ID: 15f86da83176978b4d1d288caa24c766dfa2983d
-
-commit 731087d2619fa7f01e675b23f57af10d745e8af2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 18 04:04:11 2022 +0000
-
- upstream: don't try to resolve ListenAddress directives in the sshd
-
- re-exec path - we're never going to use the result and if the operation fails
- then it can prevent connections from being accepted. Reported by Aaron
- Poffenberger; with / ok dtucker@
-
- OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60
-
-commit 1c83c082128694ddd11ac05fdf31d70312ff1763
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 18 02:50:21 2022 +0000
-
- upstream: remove blank line
-
- OpenBSD-Commit-ID: d5e0182965b2fbfb03ad5f256d1a1ce5706bcddf
-
-commit 807be68684da7a1fe969c399ddce2fafb7997dcb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 18 02:32:22 2022 +0000
-
- upstream: helpful comment
-
- OpenBSD-Commit-ID: e3315a45cb04e7feeb614d76ec80a9fe4ca0e8c7
-
-commit a0b5816f8f1f645acdf74f7bc11b34455ec30bac
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 18 02:31:25 2022 +0000
-
- upstream: ssh-keygen -Y check-novalidate requires namespace or SEGV
-
- will ensue. Patch from Mateusz Adamowski via GHPR#307
-
- OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd
-
-commit 5a252d54a63be30d5ba4be76210942d754a531c0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Mar 15 05:27:37 2022 +0000
-
- upstream: improve DEBUG_CHANNEL_POLL debugging message
-
- OpenBSD-Commit-ID: 2275eb7bc4707d019b1a0194b9c92c0b78da848f
-
-commit ce324cf58ba2840e31afeb996935800780c8fa4b
-Author: cheloha@openbsd.org <cheloha@openbsd.org>
-Date: Sun Mar 13 23:27:54 2022 +0000
-
- upstream: ssh: xstrdup(): use memcpy(3)
-
- Copying the given string into the buffer with strlcpy(3) confers no
- benefit in this context because we have already determined the
- string's length with strlen(3) in order to allocate that buffer.
-
- Thread: https://marc.info/?l=openbsd-tech&m=164687525802691&w=2
-
- ok dtucker@ millert@
-
- OpenBSD-Commit-ID: f8bfc082e36e2d2dc4e1feece02fe274155ca11a
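Review bot: The deleted range drops the ChangeLog record of several security-relevant fixes, and nothing in these lines tells a reader of the release tarball where that history now lives. Among the removed entries are 5d3a77f4 (avoid kill with -1 when out_ctx is reached before fork), 2c334fd3 (unconditional freezero of the password), 6d4fc51a (NULL deref via ssh-keygen -Y find-principals) and a0b5816f (SEGV in ssh-keygen -Y check-novalidate without a namespace), together with the 9.0 release marker 8e4a8ead. If the file is meant to cover only commits after a fixed cut-off, consider ending it with a one-line pointer to the git history or the release notes for older entries, so that someone checking which release carried one of these fixes does not hit a silent gap.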