0.44 release changes

--HG--
extra : convert_revision : 47d6b5589a4eaf707ed1c3685d9ef49306af18d8

CHANGES

@@ -1,18 +1,38 @@
-0.44test5 - 
+0.44 - Mon Jan 3 2005
+
+- SECURITY: Fix for PAM auth so that usernames are logged and conversation
+  function responses are allocated correctly - all 0.44test4 users with PAM
+  compiled in (not default) are advised to upgrade.
+
+- Fix calls to getnameinfo() for compatibility with Solaris
+
+- Pristine compilation works (run 'configure' from a fresh dir and make it
+  there)
+
+- Fixes for compiling with most options disabled.
+
+- Upgraded to LibTomCrypt 0.99 and LibTomMath 0.32
+
+- Make sure that zeroing out of values in LTM and LTC won't get optimised away
+
+- Removed unused functions from loginrec.c
+
+- /dev/random is now the default entropy source rather than /dev/urandom
+
+- Logging of IPs in auth success/failure messages for improved greppability
 
 - Fix dbclient so that "scp -i keyfile" works. (It can handle "-ikeyfile
   properly)
 
-- Fix for PAM auth so that usernames are logged and conversation function
-  responses are allocated correctly.
-
 - Avoid a race in server shell-handling code which prevents the exit-code
-  from being returned to the client.
+  from being returned to the client in some circumstances.
 
 - Makefile modified so that install target works correctly (doesn't try
   to install "all" binary) - patch from Juergen Daubert
 
-0.44test4 - Tue Sept 14 21:15:54 +0800
+- Various minor fixes and compile warnings.
+
+0.44test4 - Tue Sept 14 2004 21:15:54 +0800
 
 - Fix inetd mode so it actually loads the hostkeys (oops)
 

Makefile.in

@@ -1,4 +1,5 @@
 # This Makefile is for Dropbear SSH Server and Client
+# @configure_input@
 
 # invocation:
 # make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1

README

@@ -69,6 +69,6 @@ pty, and you cannot login as any user other than that running the daemon
 
 The Dropbear distribution includes a standalone version of OpenSSH's scp
 program. You can compile it with "make scp", you may want to change the path
-of the ssh binary, specified near the top of the scp.c file. By default
+of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
 the progress meter isn't compiled in to save space, you can enable it by 
 adding 'SCPPROGRESS=1' to the make commandline.

SMALL

@@ -1,6 +1,15 @@
 Tips for a small system:
 
-The following are set in options.h
+If you only want server functionality (for example), compile with
+	make PROGRAMS=dropbear
+rather than just
+	make dropbear
+so that client functionality in shared portions of Dropbear won't be included.
+The same applies if you are compiling just a client.
+
+---
+
+The following are set in options.h:
 
 	- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
 	  affecting interoperability
@@ -21,6 +30,8 @@ The following are set in options.h
 	- You can disable x11, tcp and agent forwarding as desired. None of these are
 	  essential, although agent-forwarding is often useful even on firewall boxes.
 
+---
+
 If you are compiling statically, you may want to disable zlib, as it will use
 a few tens of kB of binary-size (./configure --disable-zlib).
 

TODO

@@ -20,10 +20,11 @@ Things which might need doing:
 - CTR mode, SSH_MSG_IGNORE sending to improve CBC security
 - DH Group Exchange possibly, or just add group14 (whatever it's called today)
 
-- Use m_burn for clearing sensitive items in LTM/LTC
-
 - fix scp.c for IRIX
 
 - Be able to use OpenSSH keys for the client? or at least have some form of 
   encrypted keys.
+
 - Client agent forwarding
+
+- Handle restrictions in ~/.ssh/authorized_keys ?

dbutil.c

@@ -603,6 +603,8 @@ void * m_realloc(void* ptr, size_t size) {
 
 /* Clear the data, based on the method in David Wheeler's
  * "Secure Programming for Linux and Unix HOWTO" */
+/* Beware of calling this from within dbutil.c - things might get
+ * optimised away */
 void m_burn(void *data, unsigned int len) {
 	volatile char *p = data;
 

debian/changelog

@@ -1,3 +1,9 @@
+dropbear (0.44test4-1) unstable; urgency=high
+
+  * New upstream release, various fixes.
+
+ -- Matt Johnston <matt@ucc.asn.au>  Mon, 3 January 2005 00:44:54 +0800
+
 dropbear (0.44test4-1) unstable; urgency=medium
 
   * New upstream beta, various useful fixes.

options.h

@@ -117,7 +117,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
  * simple "Login: " "Password: " (or something like that - if your module is
  * similar but not quite like that, edit the strings in svr-authpam.c).
  * Basically, it's useful for systems like OS X where standard password crypts
- * don't work, but there's and interface via a PAM module. You'll need to
+ * don't work, but there's an interface via a PAM module. You'll need to
  * configure with --enable-pam as well, since it's off by default. And you
  * should only enable either PASSWORD _or_ PAM auth, not both. */
 
@@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.44test4"
+#define DROPBEAR_VERSION "0.44"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION