USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
shared with umac.c. Allows building with OpenSSL 0.9.5 again including
umac support. With tim@ djm@, ok djm.
[ssh.c ssh.1]
Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
and is useful for hosts with /home on Kerberised NFS; bz #1312
patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
[ssh.c]
fix slave exit value when a control master goes away without passing the
full exit status by ensuring that the slave reads a full int. bz#1261
reported by frekko AT gmail.com; ok markus@ dtucker@
[scp.c]
make scp try to skip FIFOs rather than blocking when nothing is listening.
depends on the platform supporting sane O_NONBLOCK semantics for open
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
bz #856; report by cjwatson AT debian.org; ok markus@
[ssh-add.1]
better document ssh-add's -d option (delete identies from agent), bz#1224
new text based on some provided by andrewmc-debian AT celt.dias.ie;
ok dtucker@
[ssh_config]
Add a "MACs" line after "Ciphers" with the default MAC algorithms,
to ease people who want to tweak both (eg. for performance reasons).
ok deraadt@ djm@ dtucker@
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
[monitor.c]
pass received SIGINT from monitor to postauth child so it can clean
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
ok markus@
[sshconnect2.c]
fall back to gethostname() when the outgoing connection is not
on a socket, such as is the case when ProxyCommand is used.
Gives hostbased auth an opportunity to work; bz#616, report
and feedback stuart AT kaloram.com; ok markus@
[sftp-server.c]
bz#1286 stop reading and processing commands when input or output buffer
is nearly full, otherwise sftp-server would happily try to grow the
input/output buffers past the maximum supported by the buffer API and
promptly fatal()
based on patch from Thue Janus Kristensen; feedback & ok dtucker@
[sftp-server.c]
cast "%llu" format spec to (unsigned long long); do not assume a
u_int64_t arg is the same as 'unsigned long long'.
from Dmitry V. Levin <ldv@altlinux.org>
ok markus@ 'Yes, that looks correct' millert@
