diff options
-rw-r--r-- | CHANGES | 32 | ||||
-rw-r--r-- | Makefile.in | 1 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | SMALL | 39 | ||||
-rw-r--r-- | TODO | 5 | ||||
-rw-r--r-- | dbutil.c | 2 | ||||
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | options.h | 4 |
8 files changed, 66 insertions, 25 deletions
@@ -1,18 +1,38 @@ -0.44test5 - +0.44 - Mon Jan 3 2005 + +- SECURITY: Fix for PAM auth so that usernames are logged and conversation + function responses are allocated correctly - all 0.44test4 users with PAM + compiled in (not default) are advised to upgrade. + +- Fix calls to getnameinfo() for compatibility with Solaris + +- Pristine compilation works (run 'configure' from a fresh dir and make it + there) + +- Fixes for compiling with most options disabled. + +- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32 + +- Make sure that zeroing out of values in LTM and LTC won't get optimised away + +- Removed unused functions from loginrec.c + +- /dev/random is now the default entropy source rather than /dev/urandom + +- Logging of IPs in auth success/failure messages for improved greppability - Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile properly) -- Fix for PAM auth so that usernames are logged and conversation function - responses are allocated correctly. - - Avoid a race in server shell-handling code which prevents the exit-code - from being returned to the client. + from being returned to the client in some circumstances. - Makefile modified so that install target works correctly (doesn't try to install "all" binary) - patch from Juergen Daubert -0.44test4 - Tue Sept 14 21:15:54 +0800 +- Various minor fixes and compile warnings. + +0.44test4 - Tue Sept 14 2004 21:15:54 +0800 - Fix inetd mode so it actually loads the hostkeys (oops) diff --git a/Makefile.in b/Makefile.in index 4cad5bf..dfb2004 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,5 @@ # This Makefile is for Dropbear SSH Server and Client +# @configure_input@ # invocation: # make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1 @@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon The Dropbear distribution includes a standalone version of OpenSSH's scp program. You can compile it with "make scp", you may want to change the path -of the ssh binary, specified near the top of the scp.c file. By default +of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default the progress meter isn't compiled in to save space, you can enable it by adding 'SCPPROGRESS=1' to the make commandline. @@ -1,25 +1,36 @@ Tips for a small system: -The following are set in options.h +If you only want server functionality (for example), compile with + make PROGRAMS=dropbear +rather than just + make dropbear +so that client functionality in shared portions of Dropbear won't be included. +The same applies if you are compiling just a client. -- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without - affecting interoperability +--- -- If you're compiling statically, you can turn off host lookups +The following are set in options.h: -- You can disable either password or public-key authentication, though note - that the IETF draft states that pubkey authentication is required. + - You can safely disable blowfish and twofish ciphers, and MD5 hmac, without + affecting interoperability -- Similarly with DSS and RSA, you can disable one of these if you know that - all clients will be able to support a particular one. The IETF draft - states that DSS is required, however you may prefer to use RSA. - DON'T disable either of these on systems where you aren't 100% sure about - who will be connecting and what clients they will be using. + - If you're compiling statically, you can turn off host lookups -- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize + - You can disable either password or public-key authentication, though note + that the IETF draft states that pubkey authentication is required. -- You can disable x11, tcp and agent forwarding as desired. None of these are - essential, although agent-forwarding is often useful even on firewall boxes. + - Similarly with DSS and RSA, you can disable one of these if you know that + all clients will be able to support a particular one. The IETF draft + states that DSS is required, however you may prefer to use RSA. + DON'T disable either of these on systems where you aren't 100% sure about + who will be connecting and what clients they will be using. + + - Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize + + - You can disable x11, tcp and agent forwarding as desired. None of these are + essential, although agent-forwarding is often useful even on firewall boxes. + +--- If you are compiling statically, you may want to disable zlib, as it will use a few tens of kB of binary-size (./configure --disable-zlib). @@ -20,10 +20,11 @@ Things which might need doing: - CTR mode, SSH_MSG_IGNORE sending to improve CBC security - DH Group Exchange possibly, or just add group14 (whatever it's called today) -- Use m_burn for clearing sensitive items in LTM/LTC - - fix scp.c for IRIX - Be able to use OpenSSH keys for the client? or at least have some form of encrypted keys. + - Client agent forwarding + +- Handle restrictions in ~/.ssh/authorized_keys ? @@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) { /* Clear the data, based on the method in David Wheeler's * "Secure Programming for Linux and Unix HOWTO" */ +/* Beware of calling this from within dbutil.c - things might get + * optimised away */ void m_burn(void *data, unsigned int len) { volatile char *p = data; diff --git a/debian/changelog b/debian/changelog index 279290c..bfc0730 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +dropbear (0.44test4-1) unstable; urgency=high + + * New upstream release, various fixes. + + -- Matt Johnston <matt@ucc.asn.au> Mon, 3 January 2005 00:44:54 +0800 + dropbear (0.44test4-1) unstable; urgency=medium * New upstream beta, various useful fixes. @@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */ * simple "Login: " "Password: " (or something like that - if your module is * similar but not quite like that, edit the strings in svr-authpam.c). * Basically, it's useful for systems like OS X where standard password crypts - * don't work, but there's and interface via a PAM module. You'll need to + * don't work, but there's an interface via a PAM module. You'll need to * configure with --enable-pam as well, since it's off by default. And you * should only enable either PASSWORD _or_ PAM auth, not both. */ @@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "0.44test4" +#define DROPBEAR_VERSION "0.44" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION |