Mercurial > dropbear
changeset 161:b9d3f725e00b
0.44 release changes
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 02 Jan 2005 17:08:27 +0000 |
parents | 7ceceb46d655 |
children | 0cfba3034be5 |
files | CHANGES Makefile.in README SMALL TODO dbutil.c debian/changelog options.h |
diffstat | 8 files changed, 67 insertions(+), 26 deletions(-) [+] |
line wrap: on
line diff
--- a/CHANGES Sun Jan 02 12:04:45 2005 +0000 +++ b/CHANGES Sun Jan 02 17:08:27 2005 +0000 @@ -1,18 +1,38 @@ -0.44test5 - +0.44 - Mon Jan 3 2005 + +- SECURITY: Fix for PAM auth so that usernames are logged and conversation + function responses are allocated correctly - all 0.44test4 users with PAM + compiled in (not default) are advised to upgrade. + +- Fix calls to getnameinfo() for compatibility with Solaris + +- Pristine compilation works (run 'configure' from a fresh dir and make it + there) + +- Fixes for compiling with most options disabled. + +- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32 + +- Make sure that zeroing out of values in LTM and LTC won't get optimised away + +- Removed unused functions from loginrec.c + +- /dev/random is now the default entropy source rather than /dev/urandom + +- Logging of IPs in auth success/failure messages for improved greppability - Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile properly) -- Fix for PAM auth so that usernames are logged and conversation function - responses are allocated correctly. - - Avoid a race in server shell-handling code which prevents the exit-code - from being returned to the client. + from being returned to the client in some circumstances. - Makefile modified so that install target works correctly (doesn't try to install "all" binary) - patch from Juergen Daubert -0.44test4 - Tue Sept 14 21:15:54 +0800 +- Various minor fixes and compile warnings. + +0.44test4 - Tue Sept 14 2004 21:15:54 +0800 - Fix inetd mode so it actually loads the hostkeys (oops)
--- a/Makefile.in Sun Jan 02 12:04:45 2005 +0000 +++ b/Makefile.in Sun Jan 02 17:08:27 2005 +0000 @@ -1,4 +1,5 @@ # This Makefile is for Dropbear SSH Server and Client +# @configure_input@ # invocation: # make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1
--- a/README Sun Jan 02 12:04:45 2005 +0000 +++ b/README Sun Jan 02 17:08:27 2005 +0000 @@ -69,6 +69,6 @@ The Dropbear distribution includes a standalone version of OpenSSH's scp program. You can compile it with "make scp", you may want to change the path -of the ssh binary, specified near the top of the scp.c file. By default +of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default the progress meter isn't compiled in to save space, you can enable it by adding 'SCPPROGRESS=1' to the make commandline.
--- a/SMALL Sun Jan 02 12:04:45 2005 +0000 +++ b/SMALL Sun Jan 02 17:08:27 2005 +0000 @@ -1,25 +1,36 @@ Tips for a small system: -The following are set in options.h - -- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without - affecting interoperability +If you only want server functionality (for example), compile with + make PROGRAMS=dropbear +rather than just + make dropbear +so that client functionality in shared portions of Dropbear won't be included. +The same applies if you are compiling just a client. -- If you're compiling statically, you can turn off host lookups +--- + +The following are set in options.h: -- You can disable either password or public-key authentication, though note - that the IETF draft states that pubkey authentication is required. + - You can safely disable blowfish and twofish ciphers, and MD5 hmac, without + affecting interoperability + + - If you're compiling statically, you can turn off host lookups -- Similarly with DSS and RSA, you can disable one of these if you know that - all clients will be able to support a particular one. The IETF draft - states that DSS is required, however you may prefer to use RSA. - DON'T disable either of these on systems where you aren't 100% sure about - who will be connecting and what clients they will be using. + - You can disable either password or public-key authentication, though note + that the IETF draft states that pubkey authentication is required. -- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize + - Similarly with DSS and RSA, you can disable one of these if you know that + all clients will be able to support a particular one. The IETF draft + states that DSS is required, however you may prefer to use RSA. + DON'T disable either of these on systems where you aren't 100% sure about + who will be connecting and what clients they will be using. -- You can disable x11, tcp and agent forwarding as desired. None of these are - essential, although agent-forwarding is often useful even on firewall boxes. + - Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize + + - You can disable x11, tcp and agent forwarding as desired. None of these are + essential, although agent-forwarding is often useful even on firewall boxes. + +--- If you are compiling statically, you may want to disable zlib, as it will use a few tens of kB of binary-size (./configure --disable-zlib).
--- a/TODO Sun Jan 02 12:04:45 2005 +0000 +++ b/TODO Sun Jan 02 17:08:27 2005 +0000 @@ -20,10 +20,11 @@ - CTR mode, SSH_MSG_IGNORE sending to improve CBC security - DH Group Exchange possibly, or just add group14 (whatever it's called today) -- Use m_burn for clearing sensitive items in LTM/LTC - - fix scp.c for IRIX - Be able to use OpenSSH keys for the client? or at least have some form of encrypted keys. + - Client agent forwarding + +- Handle restrictions in ~/.ssh/authorized_keys ?
--- a/dbutil.c Sun Jan 02 12:04:45 2005 +0000 +++ b/dbutil.c Sun Jan 02 17:08:27 2005 +0000 @@ -603,6 +603,8 @@ /* Clear the data, based on the method in David Wheeler's * "Secure Programming for Linux and Unix HOWTO" */ +/* Beware of calling this from within dbutil.c - things might get + * optimised away */ void m_burn(void *data, unsigned int len) { volatile char *p = data;
--- a/debian/changelog Sun Jan 02 12:04:45 2005 +0000 +++ b/debian/changelog Sun Jan 02 17:08:27 2005 +0000 @@ -1,3 +1,9 @@ +dropbear (0.44test4-1) unstable; urgency=high + + * New upstream release, various fixes. + + -- Matt Johnston <[email protected]> Mon, 3 January 2005 00:44:54 +0800 + dropbear (0.44test4-1) unstable; urgency=medium * New upstream beta, various useful fixes.
--- a/options.h Sun Jan 02 12:04:45 2005 +0000 +++ b/options.h Sun Jan 02 17:08:27 2005 +0000 @@ -117,7 +117,7 @@ * simple "Login: " "Password: " (or something like that - if your module is * similar but not quite like that, edit the strings in svr-authpam.c). * Basically, it's useful for systems like OS X where standard password crypts - * don't work, but there's and interface via a PAM module. You'll need to + * don't work, but there's an interface via a PAM module. You'll need to * configure with --enable-pam as well, since it's off by default. And you * should only enable either PASSWORD _or_ PAM auth, not both. */ @@ -185,7 +185,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "0.44test4" +#define DROPBEAR_VERSION "0.44" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION