ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-03-10 05:50:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

0.44 release changes

Browse Source 
--HG--
extra : convert_revision : 47d6b5589a4eaf707ed1c3685d9ef49306af18d8
This commit is contained in:
Matt Johnston 2005-01-02 17:08:27 +00:00
parent e6c957caaa
commit b5bd8591e7
8 changed files with 66 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
CHANGES
View File

@ -1,18 +1,38 @@
0.44test5 - 0.44 - Mon Jan 3 2005
- SECURITY: Fix for PAM auth so that usernames are logged and conversation
function responses are allocated correctly - all 0.44test4 users with PAM
compiled in (not default) are advised to upgrade.
- Fix calls to getnameinfo() for compatibility with Solaris
- Pristine compilation works (run 'configure' from a fresh dir and make it
there)
- Fixes for compiling with most options disabled.
- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32
- Make sure that zeroing out of values in LTM and LTC won't get optimised away
- Removed unused functions from loginrec.c
- /dev/random is now the default entropy source rather than /dev/urandom
- Logging of IPs in auth success/failure messages for improved greppability
- Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile - Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile
properly) properly)
- Fix for PAM auth so that usernames are logged and conversation function
responses are allocated correctly.
- Avoid a race in server shell-handling code which prevents the exit-code - Avoid a race in server shell-handling code which prevents the exit-code
from being returned to the client. from being returned to the client in some circumstances.
- Makefile modified so that install target works correctly (doesn't try - Makefile modified so that install target works correctly (doesn't try
to install "all" binary) - patch from Juergen Daubert to install "all" binary) - patch from Juergen Daubert
0.44test4 - Tue Sept 14 21:15:54 +0800 - Various minor fixes and compile warnings.
0.44test4 - Tue Sept 14 2004 21:15:54 +0800
- Fix inetd mode so it actually loads the hostkeys (oops) - Fix inetd mode so it actually loads the hostkeys (oops)

1
Makefile.in
View File

@ -1,4 +1,5 @@
# This Makefile is for Dropbear SSH Server and Client # This Makefile is for Dropbear SSH Server and Client
# @configure_input@
# invocation: # invocation:
# make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1 # make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1

2
README
View File

@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon
The Dropbear distribution includes a standalone version of OpenSSH's scp The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp", you may want to change the path program. You can compile it with "make scp", you may want to change the path
of the ssh binary, specified near the top of the scp.c file. By default of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
the progress meter isn't compiled in to save space, you can enable it by the progress meter isn't compiled in to save space, you can enable it by
adding 'SCPPROGRESS=1' to the make commandline. adding 'SCPPROGRESS=1' to the make commandline.

25
SMALL
View File

@ -1,26 +1,37 @@
Tips for a small system: Tips for a small system:
The following are set in options.h If you only want server functionality (for example), compile with
make PROGRAMS=dropbear
rather than just
make dropbear
so that client functionality in shared portions of Dropbear won't be included.
The same applies if you are compiling just a client.
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without ---
The following are set in options.h:
- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
affecting interoperability affecting interoperability
- If you're compiling statically, you can turn off host lookups - If you're compiling statically, you can turn off host lookups
- You can disable either password or public-key authentication, though note - You can disable either password or public-key authentication, though note
that the IETF draft states that pubkey authentication is required. that the IETF draft states that pubkey authentication is required.
- Similarly with DSS and RSA, you can disable one of these if you know that - Similarly with DSS and RSA, you can disable one of these if you know that
all clients will be able to support a particular one. The IETF draft all clients will be able to support a particular one. The IETF draft
states that DSS is required, however you may prefer to use RSA. states that DSS is required, however you may prefer to use RSA.
DON'T disable either of these on systems where you aren't 100% sure about DON'T disable either of these on systems where you aren't 100% sure about
who will be connecting and what clients they will be using. who will be connecting and what clients they will be using.
- Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize - Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
- You can disable x11, tcp and agent forwarding as desired. None of these are - You can disable x11, tcp and agent forwarding as desired. None of these are
essential, although agent-forwarding is often useful even on firewall boxes. essential, although agent-forwarding is often useful even on firewall boxes.
---
If you are compiling statically, you may want to disable zlib, as it will use If you are compiling statically, you may want to disable zlib, as it will use
a few tens of kB of binary-size (./configure --disable-zlib). a few tens of kB of binary-size (./configure --disable-zlib).

5
TODO
View File

@ -20,10 +20,11 @@ Things which might need doing:
- CTR mode, SSH_MSG_IGNORE sending to improve CBC security - CTR mode, SSH_MSG_IGNORE sending to improve CBC security
- DH Group Exchange possibly, or just add group14 (whatever it's called today) - DH Group Exchange possibly, or just add group14 (whatever it's called today)
- Use m_burn for clearing sensitive items in LTM/LTC
- fix scp.c for IRIX - fix scp.c for IRIX
- Be able to use OpenSSH keys for the client? or at least have some form of - Be able to use OpenSSH keys for the client? or at least have some form of
encrypted keys. encrypted keys.
- Client agent forwarding - Client agent forwarding
- Handle restrictions in ~/.ssh/authorized_keys ?

2
dbutil.c
View File

@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) {
/* Clear the data, based on the method in David Wheeler's /* Clear the data, based on the method in David Wheeler's
* "Secure Programming for Linux and Unix HOWTO" */ * "Secure Programming for Linux and Unix HOWTO" */
/* Beware of calling this from within dbutil.c - things might get
* optimised away */
void m_burn(void *data, unsigned int len) { void m_burn(void *data, unsigned int len) {
volatile char *p = data; volatile char *p = data;

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
dropbear (0.44test4-1) unstable; urgency=high
* New upstream release, various fixes.
-- Matt Johnston <matt@ucc.asn.au> Mon, 3 January 2005 00:44:54 +0800
dropbear (0.44test4-1) unstable; urgency=medium dropbear (0.44test4-1) unstable; urgency=medium
* New upstream beta, various useful fixes. * New upstream beta, various useful fixes.

4
options.h
View File

@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* simple "Login: " "Password: " (or something like that - if your module is * simple "Login: " "Password: " (or something like that - if your module is
* similar but not quite like that, edit the strings in svr-authpam.c). * similar but not quite like that, edit the strings in svr-authpam.c).
* Basically, it's useful for systems like OS X where standard password crypts * Basically, it's useful for systems like OS X where standard password crypts
* don't work, but there's and interface via a PAM module. You'll need to * don't work, but there's an interface via a PAM module. You'll need to
* configure with --enable-pam as well, since it's off by default. And you * configure with --enable-pam as well, since it's off by default. And you
* should only enable either PASSWORD _or_ PAM auth, not both. */ * should only enable either PASSWORD _or_ PAM auth, not both. */
@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
*******************************************************************/ *******************************************************************/
#ifndef DROPBEAR_VERSION #ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "0.44test4" #define DROPBEAR_VERSION "0.44"
#endif #endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION