0.44 release changes

--HG-- extra : convert_revision : 47d6b5589a4eaf707ed1c3685d9ef49306af18d8

0.44 release changes
b5bd8591 · Matt Johnston · e6c957ca · b5bd8591 · b5bd8591 · b5bd8591
Commit b5bd8591 authored 20 years ago by Matt Johnston
--- a/CHANGES
+++ b/CHANGES
-0.44test5 - 
+0.44 - Mon Jan 3 2005
+
+- SECURITY: Fix for PAM auth so that usernames are logged and conversation
+  function responses are allocated correctly - all 0.44test4 users with PAM
+  compiled in (not default) are advised to upgrade.
+
+- Fix calls to getnameinfo() for compatibility with Solaris
+
+- Pristine compilation works (run 'configure' from a fresh dir and make it
+  there)
+
+- Fixes for compiling with most options disabled.
+
+- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32
+
+- Make sure that zeroing out of values in LTM and LTC won't get optimised away
+
+- Removed unused functions from loginrec.c
+
+- /dev/random is now the default entropy source rather than /dev/urandom
+
+- Logging of IPs in auth success/failure messages for improved greppability
  
 - Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile
  properly)
  
- Fix for PAM auth so that usernames are logged and conversation function
-  responses are allocated correctly.
-
 - Avoid a race in server shell-handling code which prevents the exit-code
-  from being returned to the client.
+  from being returned to the client in some circumstances.
  
 - Makefile modified so that install target works correctly (doesn't try
  to install "all" binary) - patch from Juergen Daubert
  
-0.44test4 - Tue Sept 14 21:15:54 +0800
+- Various minor fixes and compile warnings.
+
+0.44test4 - Tue Sept 14 2004 21:15:54 +0800
  
 - Fix inetd mode so it actually loads the hostkeys (oops)
  

--- a/Makefile.in
+++ b/Makefile.in
 # This Makefile is for Dropbear SSH Server and Client
+# @configure_input@
  
 # invocation:
 # make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1

--- a/README
+++ b/README
@@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon
  
 The Dropbear distribution includes a standalone version of OpenSSH's scp
 program. You can compile it with "make scp", you may want to change the path
-of the ssh binary, specified near the top of the scp.c file. By default
+of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
 the progress meter isn't compiled in to save space, you can enable it by 
 adding 'SCPPROGRESS=1' to the make commandline.
--- a/SMALL
+++ b/SMALL
 Tips for a small system:
  
-The following are set in options.h
+If you only want server functionality (for example), compile with
+	make PROGRAMS=dropbear
+rather than just
+	make dropbear
+so that client functionality in shared portions of Dropbear won't be included.
+The same applies if you are compiling just a client.
  
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
-  affecting interoperability
+---
  
- If you're compiling statically, you can turn off host lookups
+The following are set in options.h:
  
- You can disable either password or public-key authentication, though note
-  that the IETF draft states that pubkey authentication is required.
+	- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
+	  affecting interoperability
  
- Similarly with DSS and RSA, you can disable one of these if you know that
-  all clients will be able to support a particular one. The IETF draft
-  states that DSS is required, however you may prefer to use RSA. 
-  DON'T disable either of these on systems where you aren't 100% sure about
-  who will be connecting and what clients they will be using.
+	- If you're compiling statically, you can turn off host lookups
  
- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
+	- You can disable either password or public-key authentication, though note
+	  that the IETF draft states that pubkey authentication is required.
  
- You can disable x11, tcp and agent forwarding as desired. None of these are
-  essential, although agent-forwarding is often useful even on firewall boxes.
+	- Similarly with DSS and RSA, you can disable one of these if you know that
+	  all clients will be able to support a particular one. The IETF draft
+	  states that DSS is required, however you may prefer to use RSA. 
+	  DON'T disable either of these on systems where you aren't 100% sure about
+	  who will be connecting and what clients they will be using.
+
+	- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
+
+	- You can disable x11, tcp and agent forwarding as desired. None of these are
+	  essential, although agent-forwarding is often useful even on firewall boxes.
+
+---
  
 If you are compiling statically, you may want to disable zlib, as it will use
 a few tens of kB of binary-size (./configure --disable-zlib).

--- a/TODO
+++ b/TODO
@@ -20,10 +20,11 @@ Things which might need doing:
 - CTR mode, SSH_MSG_IGNORE sending to improve CBC security
 - DH Group Exchange possibly, or just add group14 (whatever it's called today)
  
- Use m_burn for clearing sensitive items in LTM/LTC
-
 - fix scp.c for IRIX
  
 - Be able to use OpenSSH keys for the client? or at least have some form of 
  encrypted keys.
+
 - Client agent forwarding
+
+- Handle restrictions in ~/.ssh/authorized_keys ?
--- a/dbutil.c
+++ b/dbutil.c
@@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) {
  
 /* Clear the data, based on the method in David Wheeler's
 * "Secure Programming for Linux and Unix HOWTO" */
+/* Beware of calling this from within dbutil.c - things might get
+ * optimised away */
 void m_burn(void *data, unsigned int len) {
 	volatile char *p = data;
  

--- a/debian/changelog
+++ b/debian/changelog
+dropbear (0.44test4-1) unstable; urgency=high
+
+  * New upstream release, various fixes.
+
+ -- Matt Johnston <matt@ucc.asn.au>  Mon, 3 January 2005 00:44:54 +0800
+
 dropbear (0.44test4-1) unstable; urgency=medium
  
  * New upstream beta, various useful fixes.

--- a/options.h
+++ b/options.h
@@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
 * simple "Login: " "Password: " (or something like that - if your module is
 * similar but not quite like that, edit the strings in svr-authpam.c).
 * Basically, it's useful for systems like OS X where standard password crypts
- * don't work, but there's and interface via a PAM module. You'll need to
+ * don't work, but there's an interface via a PAM module. You'll need to
 * configure with --enable-pam as well, since it's off by default. And you
 * should only enable either PASSWORD _or_ PAM auth, not both. */
  
@@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
 *******************************************************************/
  
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.44test4"
+#define DROPBEAR_VERSION "0.44"
 #endif
  
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION