summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--CHANGES32
-rw-r--r--Makefile.in1
-rw-r--r--README2
-rw-r--r--SMALL39
-rw-r--r--TODO5
-rw-r--r--dbutil.c2
-rw-r--r--debian/changelog6
-rw-r--r--options.h4
8 files changed, 66 insertions, 25 deletions
diff --git a/CHANGES b/CHANGES
index 18c71f9..f2689c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,18 +1,38 @@
-0.44test5 -
+0.44 - Mon Jan 3 2005
+
+- SECURITY: Fix for PAM auth so that usernames are logged and conversation
+ function responses are allocated correctly - all 0.44test4 users with PAM
+ compiled in (not default) are advised to upgrade.
+
+- Fix calls to getnameinfo() for compatibility with Solaris
+
+- Pristine compilation works (run 'configure' from a fresh dir and make it
+ there)
+
+- Fixes for compiling with most options disabled.
+
+- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32
+
+- Make sure that zeroing out of values in LTM and LTC won't get optimised away
+
+- Removed unused functions from loginrec.c
+
+- /dev/random is now the default entropy source rather than /dev/urandom
+
+- Logging of IPs in auth success/failure messages for improved greppability
- Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile
properly)
-- Fix for PAM auth so that usernames are logged and conversation function
- responses are allocated correctly.
-
- Avoid a race in server shell-handling code which prevents the exit-code
- from being returned to the client.
+ from being returned to the client in some circumstances.
- Makefile modified so that install target works correctly (doesn't try
to install "all" binary) - patch from Juergen Daubert
-0.44test4 - Tue Sept 14 21:15:54 +0800
+- Various minor fixes and compile warnings.
+
+0.44test4 - Tue Sept 14 2004 21:15:54 +0800
- Fix inetd mode so it actually loads the hostkeys (oops)
diff --git a/Makefile.in b/Makefile.in
index 4cad5bf..dfb2004 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,5 @@
# This Makefile is for Dropbear SSH Server and Client
+# @configure_input@
# invocation:
# make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1
diff --git a/README b/README
index 52e3cf0..43dd1f2 100644
--- a/README
+++ b/README
@@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon
The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp", you may want to change the path
-of the ssh binary, specified near the top of the scp.c file. By default
+of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
the progress meter isn't compiled in to save space, you can enable it by
adding 'SCPPROGRESS=1' to the make commandline.
diff --git a/SMALL b/SMALL
index a7442aa..babd671 100644
--- a/SMALL
+++ b/SMALL
@@ -1,25 +1,36 @@
Tips for a small system:
-The following are set in options.h
+If you only want server functionality (for example), compile with
+ make PROGRAMS=dropbear
+rather than just
+ make dropbear
+so that client functionality in shared portions of Dropbear won't be included.
+The same applies if you are compiling just a client.
-- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
- affecting interoperability
+---
-- If you're compiling statically, you can turn off host lookups
+The following are set in options.h:
-- You can disable either password or public-key authentication, though note
- that the IETF draft states that pubkey authentication is required.
+ - You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
+ affecting interoperability
-- Similarly with DSS and RSA, you can disable one of these if you know that
- all clients will be able to support a particular one. The IETF draft
- states that DSS is required, however you may prefer to use RSA.
- DON'T disable either of these on systems where you aren't 100% sure about
- who will be connecting and what clients they will be using.
+ - If you're compiling statically, you can turn off host lookups
-- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
+ - You can disable either password or public-key authentication, though note
+ that the IETF draft states that pubkey authentication is required.
-- You can disable x11, tcp and agent forwarding as desired. None of these are
- essential, although agent-forwarding is often useful even on firewall boxes.
+ - Similarly with DSS and RSA, you can disable one of these if you know that
+ all clients will be able to support a particular one. The IETF draft
+ states that DSS is required, however you may prefer to use RSA.
+ DON'T disable either of these on systems where you aren't 100% sure about
+ who will be connecting and what clients they will be using.
+
+ - Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
+
+ - You can disable x11, tcp and agent forwarding as desired. None of these are
+ essential, although agent-forwarding is often useful even on firewall boxes.
+
+---
If you are compiling statically, you may want to disable zlib, as it will use
a few tens of kB of binary-size (./configure --disable-zlib).
diff --git a/TODO b/TODO
index dac9a04..4b82efc 100644
--- a/TODO
+++ b/TODO
@@ -20,10 +20,11 @@ Things which might need doing:
- CTR mode, SSH_MSG_IGNORE sending to improve CBC security
- DH Group Exchange possibly, or just add group14 (whatever it's called today)
-- Use m_burn for clearing sensitive items in LTM/LTC
-
- fix scp.c for IRIX
- Be able to use OpenSSH keys for the client? or at least have some form of
encrypted keys.
+
- Client agent forwarding
+
+- Handle restrictions in ~/.ssh/authorized_keys ?
diff --git a/dbutil.c b/dbutil.c
index ce43933..c77386f 100644
--- a/dbutil.c
+++ b/dbutil.c
@@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) {
/* Clear the data, based on the method in David Wheeler's
* "Secure Programming for Linux and Unix HOWTO" */
+/* Beware of calling this from within dbutil.c - things might get
+ * optimised away */
void m_burn(void *data, unsigned int len) {
volatile char *p = data;
diff --git a/debian/changelog b/debian/changelog
index 279290c..bfc0730 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+dropbear (0.44test4-1) unstable; urgency=high
+
+ * New upstream release, various fixes.
+
+ -- Matt Johnston <matt@ucc.asn.au> Mon, 3 January 2005 00:44:54 +0800
+
dropbear (0.44test4-1) unstable; urgency=medium
* New upstream beta, various useful fixes.
diff --git a/options.h b/options.h
index 7a8f1fd..11e7db1 100644
--- a/options.h
+++ b/options.h
@@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* simple "Login: " "Password: " (or something like that - if your module is
* similar but not quite like that, edit the strings in svr-authpam.c).
* Basically, it's useful for systems like OS X where standard password crypts
- * don't work, but there's and interface via a PAM module. You'll need to
+ * don't work, but there's an interface via a PAM module. You'll need to
* configure with --enable-pam as well, since it's off by default. And you
* should only enable either PASSWORD _or_ PAM auth, not both. */
@@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
*******************************************************************/
#ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.44test4"
+#define DROPBEAR_VERSION "0.44"
#endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION