mirror of
https://github.com/clearml/dropbear
synced 2025-03-09 13:30:45 +00:00
0.44 release changes
--HG-- extra : convert_revision : 47d6b5589a4eaf707ed1c3685d9ef49306af18d8
parent
e6c957caaa
commit
b5bd8591e7
32
CHANGES
@ -1,18 +1,38 @@
|
||||
0.44test5 -
|
||||
0.44 - Mon Jan 3 2005
|
||||
|
||||
- SECURITY: Fix for PAM auth so that usernames are logged and conversation
|
||||
function responses are allocated correctly - all 0.44test4 users with PAM
|
||||
compiled in (not default) are advised to upgrade.
|
||||
|
||||
- Fix calls to getnameinfo() for compatibility with Solaris
|
||||
|
||||
- Pristine compilation works (run 'configure' from a fresh dir and make it
|
||||
there)
|
||||
|
||||
- Fixes for compiling with most options disabled.
|
||||
|
||||
- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32
|
||||
|
||||
- Make sure that zeroing out of values in LTM and LTC won't get optimised away
|
||||
|
||||
- Removed unused functions from loginrec.c
|
||||
|
||||
- /dev/random is now the default entropy source rather than /dev/urandom
|
||||
|
||||
- Logging of IPs in auth success/failure messages for improved greppability
|
||||
|
||||
- Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile
|
||||
properly)
|
||||
|
||||
- Fix for PAM auth so that usernames are logged and conversation function
|
||||
responses are allocated correctly.
|
||||
|
||||
- Avoid a race in server shell-handling code which prevents the exit-code
|
||||
from being returned to the client.
|
||||
from being returned to the client in some circumstances.
|
||||
|
||||
- Makefile modified so that install target works correctly (doesn't try
|
||||
to install "all" binary) - patch from Juergen Daubert
|
||||
|
||||
0.44test4 - Tue Sept 14 21:15:54 +0800
|
||||
- Various minor fixes and compile warnings.
|
||||
|
||||
0.44test4 - Tue Sept 14 2004 21:15:54 +0800
|
||||
|
||||
- Fix inetd mode so it actually loads the hostkeys (oops)
|
||||
|
||||
|
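Review bot: The SECURITY entry at the top of the 0.44 section says PAM conversation function responses "are allocated correctly" but not what went wrong before or what the consequence was, which is what a 0.44test4 user with PAM compiled in needs in order to judge urgency. Suggest one clause naming the failure mode (for example whether it was a crash or memory corruption) and whether it can be reached before authentication completes. Separately, the "/dev/random is now the default entropy source rather than /dev/urandom" entry should say where the setting lives and how to switch back, since /dev/random can block on hosts with little entropy, and the scp entry has an unbalanced quote in (It can handle "-ikeyfile properly).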
@ -1,4 +1,5 @@
|
||||
# This Makefile is for Dropbear SSH Server and Client
|
||||
# @configure_input@
|
||||
|
||||
# invocation:
|
||||
# make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1
|
||||
|
2
README
@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon
|
||||
|
||||
The Dropbear distribution includes a standalone version of OpenSSH's scp
|
||||
program. You can compile it with "make scp", you may want to change the path
|
||||
of the ssh binary, specified near the top of the scp.c file. By default
|
||||
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
|
||||
the progress meter isn't compiled in to save space, you can enable it by
|
||||
adding 'SCPPROGRESS=1' to the make commandline.
|
||||
|
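Review bot: In the rewritten README sentence, "specified by _PATH_SSH_PROGRAM in options.h ." has a stray space before the full stop, and the sentence it belongs to is a comma splice ("You can compile it with "make scp", you may want to change ..."). Suggest ending the first sentence after "make scp" and writing "options.h." without the space. Since scp runs whatever program that path names, it is also worth stating here that the value should be an absolute path.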
39
SMALL
@ -1,25 +1,36 @@
|
||||
Tips for a small system:
|
||||
|
||||
The following are set in options.h
|
||||
If you only want server functionality (for example), compile with
|
||||
make PROGRAMS=dropbear
|
||||
rather than just
|
||||
make dropbear
|
||||
so that client functionality in shared portions of Dropbear won't be included.
|
||||
The same applies if you are compiling just a client.
|
||||
|
||||
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
|
||||
affecting interoperability
|
||||
---
|
||||
|
||||
- If you're compiling statically, you can turn off host lookups
|
||||
The following are set in options.h:
|
||||
|
||||
- You can disable either password or public-key authentication, though note
|
||||
that the IETF draft states that pubkey authentication is required.
|
||||
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
|
||||
affecting interoperability
|
||||
|
||||
- Similarly with DSS and RSA, you can disable one of these if you know that
|
||||
all clients will be able to support a particular one. The IETF draft
|
||||
states that DSS is required, however you may prefer to use RSA.
|
||||
DON'T disable either of these on systems where you aren't 100% sure about
|
||||
who will be connecting and what clients they will be using.
|
||||
- If you're compiling statically, you can turn off host lookups
|
||||
|
||||
- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
|
||||
- You can disable either password or public-key authentication, though note
|
||||
that the IETF draft states that pubkey authentication is required.
|
||||
|
||||
- You can disable x11, tcp and agent forwarding as desired. None of these are
|
||||
essential, although agent-forwarding is often useful even on firewall boxes.
|
||||
- Similarly with DSS and RSA, you can disable one of these if you know that
|
||||
all clients will be able to support a particular one. The IETF draft
|
||||
states that DSS is required, however you may prefer to use RSA.
|
||||
DON'T disable either of these on systems where you aren't 100% sure about
|
||||
who will be connecting and what clients they will be using.
|
||||
|
||||
- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
|
||||
|
||||
- You can disable x11, tcp and agent forwarding as desired. None of these are
|
||||
essential, although agent-forwarding is often useful even on firewall boxes.
|
||||
|
||||
---
|
||||
|
||||
If you are compiling statically, you may want to disable zlib, as it will use
|
||||
a few tens of kB of binary-size (./configure --disable-zlib).
|
||||
|
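Review bot: The options.h tips in this hunk (host lookups, MOTD, SFTP-SERVER, x11/tcp/agent forwarding, password and public-key authentication, DSS and RSA) describe each feature in prose but never name the define to change, so a reader has to search options.h for every item. Suggest adding the macro name in parentheses after each tip. The forwarding item is also framed only as a size saving; one sentence noting that disabling unused forwarding removes functionality a logged-in client could otherwise reach would help people building for the "firewall boxes" the text mentions.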
5
TODO
@ -20,10 +20,11 @@ Things which might need doing:
|
||||
- CTR mode, SSH_MSG_IGNORE sending to improve CBC security
|
||||
- DH Group Exchange possibly, or just add group14 (whatever it's called today)
|
||||
|
||||
- Use m_burn for clearing sensitive items in LTM/LTC
|
||||
|
||||
- fix scp.c for IRIX
|
||||
|
||||
- Be able to use OpenSSH keys for the client? or at least have some form of
|
||||
encrypted keys.
|
||||
|
||||
- Client agent forwarding
|
||||
|
||||
- Handle restrictions in ~/.ssh/authorized_keys ?
|
||||
|
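Review bot: "Use m_burn for clearing sensitive items in LTM/LTC" in this list overlaps with the CHANGES entry in the same commit, "Make sure that zeroing out of values in LTM and LTC won't get optimised away". If that work is complete, the item should not survive in TODO; if some call sites are still uncleared, reword the item to say which ones remain.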
2
dbutil.c
@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) {
|
||||
|
||||
/* Clear the data, based on the method in David Wheeler's
|
||||
* "Secure Programming for Linux and Unix HOWTO" */
|
||||
/* Beware of calling this from within dbutil.c - things might get
|
||||
* optimised away */
|
||||
void m_burn(void *data, unsigned int len) {
|
||||
volatile char *p = data;
|
||||
|
||||
|
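Review bot: The comment added above m_burn ("Beware of calling this from within dbutil.c - things might get optimised away") documents a hazard without explaining it or preventing it. Suggest stating the reason, presumably that a caller in the same file lets the compiler see the function body and inline it, and then removing the caveat rather than relying on convention: keep m_burn in a translation unit that contains no callers, or use a platform primitive such as explicit_bzero where one is available. As written, a future helper added to dbutil.c that clears a key buffer will silently depend on the reader having seen this comment.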
6
debian/changelog
vendored
@ -1,3 +1,9 @@
|
||||
dropbear (0.44test4-1) unstable; urgency=high
|
||||
|
||||
* New upstream release, various fixes.
|
||||
|
||||
-- Matt Johnston <matt@ucc.asn.au> Mon, 3 January 2005 00:44:54 +0800
|
||||
|
||||
dropbear (0.44test4-1) unstable; urgency=medium
|
||||
|
||||
* New upstream beta, various useful fixes.
|
||||
|
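Review bot: The new top entry reuses the version of the entry below it: both read "dropbear (0.44test4-1)", while this commit sets DROPBEAR_VERSION to "0.44". The new entry should carry the 0.44 package version, otherwise the package tools see two entries for the same version. The trailer date "Mon, 3 January 2005 00:44:54 +0800" also spells out the month where Debian changelog trailers use the abbreviated form (Jan), and with urgency=high the entry text should mention the PAM security fix listed in CHANGES rather than only "various fixes".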
@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
|
||||
* simple "Login: " "Password: " (or something like that - if your module is
|
||||
* similar but not quite like that, edit the strings in svr-authpam.c).
|
||||
* Basically, it's useful for systems like OS X where standard password crypts
|
||||
* don't work, but there's and interface via a PAM module. You'll need to
|
||||
* don't work, but there's an interface via a PAM module. You'll need to
|
||||
* configure with --enable-pam as well, since it's off by default. And you
|
||||
* should only enable either PASSWORD _or_ PAM auth, not both. */
|
||||
|
||||
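Review bot: The last sentence of this comment, "you should only enable either PASSWORD _or_ PAM auth, not both", is a constraint that exists only as prose. If nothing else in the tree checks it, suggest an #if/#error guard next to the two defines so that a build with both enabled fails at compile time instead of depending on the person editing options.h having read this paragraph.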
@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
|
||||
*******************************************************************/
|
||||
|
||||
#ifndef DROPBEAR_VERSION
|
||||
#define DROPBEAR_VERSION "0.44test4"
|
||||
#define DROPBEAR_VERSION "0.44"
|
||||
#endif
|
||||
|
||||
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
|
||||
|