Commit b5bd8591 authored by Matt Johnston

0.44 release changes

--HG--
extra : convert_revision : 47d6b5589a4eaf707ed1c3685d9ef49306af18d8
parent e6c957ca
0.44test5 -
0.44 - Mon Jan 3 2005
- SECURITY: Fix for PAM auth so that usernames are logged and conversation
function responses are allocated correctly - all 0.44test4 users with PAM
compiled in (not default) are advised to upgrade.
- Fix calls to getnameinfo() for compatibility with Solaris
- Pristine compilation works (run 'configure' from a fresh dir and make it
there)
- Fixes for compiling with most options disabled.
- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32
- Make sure that zeroing out of values in LTM and LTC won't get optimised away
- Removed unused functions from loginrec.c
- /dev/random is now the default entropy source rather than /dev/urandom
- Logging of IPs in auth success/failure messages for improved greppability
- Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile
properly)
- Fix for PAM auth so that usernames are logged and conversation function
responses are allocated correctly.
- Avoid a race in server shell-handling code which prevents the exit-code
from being returned to the client.
from being returned to the client in some circumstances.
- Makefile modified so that install target works correctly (doesn't try
to install "all" binary) - patch from Juergen Daubert
0.44test4 - Tue Sept 14 21:15:54 +0800
- Various minor fixes and compile warnings.
0.44test4 - Tue Sept 14 2004 21:15:54 +0800
- Fix inetd mode so it actually loads the hostkeys (oops)
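Review bot: the 0.44 entry lists the PAM fix twice, once as the SECURITY item at the top and again as a plain bullet ("Fix for PAM auth so that usernames are logged and conversation function responses are allocated correctly."); drop the second copy so anyone grepping CHANGES for the advisory finds a single authoritative line. The dbclient bullet also has an unbalanced quote: `"-ikeyfile` should read `"-ikeyfile"`.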
......
# This Makefile is for Dropbear SSH Server and Client
# @[email protected]
# invocation:
# make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1
......
......@@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon
The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp", you may want to change the path
of the ssh binary, specified near the top of the scp.c file. By default
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
the progress meter isn't compiled in to save space, you can enable it by
adding 'SCPPROGRESS=1' to the make commandline.
Tips for a small system:
The following are set in options.h
If you only want server functionality (for example), compile with
make PROGRAMS=dropbear
rather than just
make dropbear
so that client functionality in shared portions of Dropbear won't be included.
The same applies if you are compiling just a client.
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
affecting interoperability
---
- If you're compiling statically, you can turn off host lookups
The following are set in options.h:
- You can disable either password or public-key authentication, though note
that the IETF draft states that pubkey authentication is required.
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
affecting interoperability
- Similarly with DSS and RSA, you can disable one of these if you know that
all clients will be able to support a particular one. The IETF draft
states that DSS is required, however you may prefer to use RSA.
DON'T disable either of these on systems where you aren't 100% sure about
who will be connecting and what clients they will be using.
- If you're compiling statically, you can turn off host lookups
- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
- You can disable either password or public-key authentication, though note
that the IETF draft states that pubkey authentication is required.
- You can disable x11, tcp and agent forwarding as desired. None of these are
essential, although agent-forwarding is often useful even on firewall boxes.
- Similarly with DSS and RSA, you can disable one of these if you know that
all clients will be able to support a particular one. The IETF draft
states that DSS is required, however you may prefer to use RSA.
DON'T disable either of these on systems where you aren't 100% sure about
who will be connecting and what clients they will be using.
- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
- You can disable x11, tcp and agent forwarding as desired. None of these are
essential, although agent-forwarding is often useful even on firewall boxes.
---
If you are compiling statically, you may want to disable zlib, as it will use
a few tens of kB of binary-size (./configure --disable-zlib).
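Review bot: the tips under "The following are set in options.h:" never name the macro each one refers to, so a reader still has to search options.h for it; naming the option beside each tip, as the scp paragraph now does with _PATH_SSH_PROGRAM, would make the list actionable. The DSS/RSA tip is the only place the README warns not to disable a feature when you are unsure who will connect; the same caution applies to disabling public-key authentication, which leaves a password-only server, and is worth stating on that bullet too.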
......
......@@ -20,10 +20,11 @@ Things which might need doing:
- CTR mode, SSH_MSG_IGNORE sending to improve CBC security
- DH Group Exchange possibly, or just add group14 (whatever it's called today)
- Use m_burn for clearing sensitive items in LTM/LTC
- fix scp.c for IRIX
- Be able to use OpenSSH keys for the client? or at least have some form of
encrypted keys.
- Client agent forwarding
- Handle restrictions in ~/.ssh/authorized_keys ?
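Review bot: "Use m_burn for clearing sensitive items in LTM/LTC" sits oddly next to the CHANGES entry in this same commit ("Make sure that zeroing out of values in LTM and LTC won't get optimised away"); if this TODO line is being added rather than removed, the two should be reconciled, and if the zeroing work is done the TODO item should go.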
......@@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) {
/* Clear the data, based on the method in David Wheeler's
* "Secure Programming for Linux and Unix HOWTO" */
/* Beware of calling this from within dbutil.c - things might get
* optimised away */
void m_burn(void *data, unsigned int len) {
volatile char *p = data;
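Review bot: the "Beware of calling this from within dbutil.c" comment states the hazard without the reason; say explicitly that the volatile qualifier forces the stores through p, but a caller in the same translation unit can have the call inlined and the then-dead stores dropped, which is why m_burn must live in a different file from its callers. The hunk ends at the declaration, so the loop that writes through p is not visible here; it should write every byte through the volatile pointer rather than delegate to memset, or the same elision applies.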
......
dropbear (0.44test4-1) unstable; urgency=high
* New upstream release, various fixes.
-- Matt Johnston <[email protected]> Mon, 3 January 2005 00:44:54 +0800
dropbear (0.44test4-1) unstable; urgency=medium
* New upstream beta, various useful fixes.
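Review bot: the new entry is still versioned 0.44test4-1 even though this commit bumps DROPBEAR_VERSION to "0.44" in options.h, so the Debian package would carry the pre-release version string; it should be 0.44-1. The trailer date also spells the month out ("3 January 2005"); Debian changelog entries use the abbreviated RFC 2822 form ("Mon, 3 Jan 2005 00:44:54 +0800").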
......
......@@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* simple "Login: " "Password: " (or something like that - if your module is
* similar but not quite like that, edit the strings in svr-authpam.c).
* Basically, it's useful for systems like OS X where standard password crypts
* don't work, but there's and interface via a PAM module. You'll need to
* don't work, but there's an interface via a PAM module. You'll need to
* configure with --enable-pam as well, since it's off by default. And you
* should only enable either PASSWORD _or_ PAM auth, not both. */
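Review bot: the comment tells the builder to enable either PASSWORD or PAM auth but not both, yet nothing in this header enforces it; a preprocessor check that raises #error when both enabling macros are defined would catch the misconfiguration at build time instead of leaving two password-style authentication paths live. The typo fix itself ("and interface" to "an interface") is fine.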
......@@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
*******************************************************************/
#ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "0.44test4"
#define DROPBEAR_VERSION "0.44"
#endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
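Review bot: because LOCAL_IDENT embeds DROPBEAR_VERSION, this bump is what lets an administrator distinguish a fixed 0.44 from a 0.44test4 build (the one carrying the PAM fault named in CHANGES) from the identification banner alone; since the #ifndef guard lets a build supply its own DROPBEAR_VERSION, check that no Makefile or packaging path still defines the old string, and mirror the bump in debian/changelog, which in this commit still reads 0.44test4-1.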
......