Upgrade to OpenSSH 5.5p1.

svn path=/head/; revision=207319

crypto/openssh/ChangeLog

@@ -1,4 +1,120 @@
-20100307
+20100410
+ - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
+   back so we disable the IPv6 tests if we don't have it.
+
+20100409
+ - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
+   ones.  Based on a patch from Roumen Petrov.
+ - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
+   have it and the path is not provided to --with-libedit.  Based on a patch
+   from Iain Morgan.
+ - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
+   utmpx support on FreeBSD where possible.  Patch from Ed Schouten, ok djm@
+
+20100326
+ - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
+   for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
+ - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
+   by Ingo Weinhold via Scott McCreary, ok djm@
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/03/25 23:38:28
+     [servconf.c]
+     from portable: getcwd(NULL, 0) doesn't work on all platforms, so
+     use a stack buffer; ok dtucker@
+   - djm@cvs.openbsd.org 2010/03/26 00:26:58
+     [ssh.1]
+     mention that -S none disables connection sharing; from Colin Watson
+ - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
+   set up SELinux execution context before chroot() call. From Russell
+   Coker via Colin watson; bz#1726 ok dtucker@
+ - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
+   ok dtucker@
+ - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
+   pkg-config, patch from Colin Watson.  Needed for newer linkers (ie gold).
+ - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
+   bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
+     [ssh_config.5]
+     Reformat default value of PreferredAuthentications entry (current
+     formatting implies ", " is acceptable as a separator, which it's not.
+     ok djm@
+
+20100324
+ - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
+   containing the services file explicitely case-insensitive.  This allows to
+   tweak the Windows services file reliably.  Patch from vinschen at redhat.
+
+20100321
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2010/03/08 09:41:27
+     [ssh-keygen.1]
+     sort the list of constraints (to -O); ok djm
+   - jmc@cvs.openbsd.org 2010/03/10 07:40:35
+     [ssh-keygen.1]
+     typos; from Ross Richardson
+     closes prs 6334 and 6335
+   - djm@cvs.openbsd.org 2010/03/10 23:27:17
+     [auth2-pubkey.c]
+     correct certificate logging and make it more consistent between
+     authorized_keys and TrustedCAKeys; ok markus@
+   - djm@cvs.openbsd.org 2010/03/12 01:06:25
+     [servconf.c]
+     unbreak AuthorizedKeys option with a $HOME-relative path; reported by
+     vinschen AT redhat.com, ok dtucker@
+   - markus@cvs.openbsd.org 2010/03/12 11:37:40
+     [servconf.c]
+     do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
+     free() (not xfree()) the buffer returned by getcwd()
+   - djm@cvs.openbsd.org 2010/03/13 21:10:38
+     [clientloop.c]
+     protocol conformance fix: send language tag when disconnecting normally;
+     spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
+   - djm@cvs.openbsd.org 2010/03/13 21:45:46
+     [ssh-keygen.1]
+     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
+     from stevesk@ ok me
+   - jmc@cvs.openbsd.org 2010/03/13 23:38:13
+     [ssh-keygen.1]
+     fix a formatting error (args need quoted); noted by stevesk
+   - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
+     [key.c key.h ssh-keygen.c]
+     also print certificate type (user or host) for ssh-keygen -L
+     ok djm kettenis
+   - stevesk@cvs.openbsd.org 2010/03/16 15:46:52
+     [auth-options.c]
+     spelling in error message. ok djm kettenis
+   - djm@cvs.openbsd.org 2010/03/16 16:36:49
+     [version.h]
+     crank version to openssh-5.5 since we have a few fixes since 5.4;
+     requested deraadt@ kettenis@
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Crank version numbers
+
+20100314
+ - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
+   compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
+   AT fefe.de
+ - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
+   ssh-pkcs11-helper to repair static builds (we do the same for
+   ssh-keyscan). Reported by felix-mindrot AT fefe.de
+
+20100312
+ - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
+ - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
+   Patch from Corinna Vinschen.
+ - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
+   on a Cygwin installation. Patch from Corinna Vinschen.
+
+20100311
+ - (tim) [contrib/suse/openssh.spec] crank version number here too.
+   report by imorgan AT nas.nasa.gov
+
+20100309
+ - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
+   so setting it in CFLAGS correctly skips IPv6 tests.
+
+20100428
  - (djm) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2010/03/07 22:16:01
      [ssh-keygen.c]

crypto/openssh/README

@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.4 for the release notes.
+See http://www.openssh.com/txt/release-5.5 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $
+$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $

crypto/openssh/auth-options.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
 				goto out;
 			}
 			if (strlen(command) != clen) {
-				error("force-command constrain contains \\0");
+				error("force-command constraint contains \\0");
 				goto out;
 			}
 			if (cert_forced_command != NULL) {
@@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
 				goto out;
 			}
 			if (strlen(allowed) != clen) {
-				error("source-address constrain contains \\0");
+				error("source-address constraint contains \\0");
 				goto out;
 			}
 			if (cert_source_address_done++) {

crypto/openssh/auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 				continue;
 			if (!key_equal(found, key->cert->signature_key))
 				continue;
-			debug("matching CA found: file %s, line %lu",
-			    file, linenum);
 			fp = key_fingerprint(found, SSH_FP_MD5,
 			    SSH_FP_HEX);
-			verbose("Found matching %s CA: %s",
-			    key_type(found), fp);
-			xfree(fp);
+			debug("matching CA found: file %s, line %lu, %s %s",
+			    file, linenum, key_type(found), fp);
 			if (key_cert_check_authority(key, 0, 0, pw->pw_name,
 			    &reason) != 0) {
+				xfree(fp);
 				error("%s", reason);
 				auth_debug_add("%s", reason);
 				continue;
 			}
 			if (auth_cert_constraints(&key->cert->constraints,
-			    pw) != 0)
+			    pw) != 0) {
+				xfree(fp);
 				continue;
+			}
+			verbose("Accepted certificate ID \"%s\" "
+			    "signed by %s CA %s via %s", key->cert->key_id,
+			    key_type(found), fp, file);
+			xfree(fp);
 			found_key = 1;
 			break;
 		} else if (!key_is_cert_authority && key_equal(found, key)) {
@@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 static int
 user_cert_trusted_ca(struct passwd *pw, Key *key)
 {
-	char *key_fp, *ca_fp;
+	char *ca_fp;
 	const char *reason;
 	int ret = 0;
 
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
 
-	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+	ca_fp = key_fingerprint(key->cert->signature_key,
+	    SSH_FP_MD5, SSH_FP_HEX);
 
 	if (key_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1) != 1) {
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
 		goto out;
 
-	verbose("%s certificate %s allowed by trusted %s key %s",
-	    key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
+	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
+	    key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+	    options.trusted_user_ca_keys);
 	ret = 1;
 
  out:
-	if (key_fp != NULL)
-		xfree(key_fp);
 	if (ca_fp != NULL)
 		xfree(ca_fp);
 	return ret;

crypto/openssh/channels.c

@@ -3252,7 +3252,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
 			sock = socket(ai->ai_family, ai->ai_socktype,
 			    ai->ai_protocol);
 			if (sock < 0) {
-				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
+				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
+#ifdef EPFNOSUPPORT
+				    && (errno != EPFNOSUPPORT)
+#endif 
+				    ) {
 					error("socket: %.100s", strerror(errno));
 					freeaddrinfo(aitop);
 					return -1;

crypto/openssh/clientloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1484,6 +1484,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 		packet_start(SSH2_MSG_DISCONNECT);
 		packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
 		packet_put_cstring("disconnected by user");
+		packet_put_cstring(""); /* language tag */
 		packet_send();
 		packet_write_wait();
 	}

crypto/openssh/config.h

@@ -124,7 +124,7 @@
 #define DISABLE_WTMPX 1
 
 /* Enable for PKCS#11 support */
-#define ENABLE_PKCS11 
+#define ENABLE_PKCS11 /**/
 
 /* Builtin PRNG command timeout */
 #define ENTROPY_TIMEOUT_MSEC 200
@@ -456,6 +456,9 @@
 /* Define to 1 if you have the `getutxline' function. */
 #define HAVE_GETUTXLINE 1
 
+/* Define to 1 if you have the `getutxuser' function. */
+#define HAVE_GETUTXUSER 1
+
 /* Define to 1 if you have the `get_default_context_with_level' function. */
 /* #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL */
 
@@ -552,6 +555,9 @@
 /* Define if system has libiaf that supports set_id */
 /* #undef HAVE_LIBIAF */
 
+/* Define to 1 if you have the `network' library (-lnetwork). */
+/* #undef HAVE_LIBNETWORK */
+
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 /* #undef HAVE_LIBNSL */
 
@@ -805,6 +811,9 @@
 /* Define to 1 if you have the `setutent' function. */
 /* #undef HAVE_SETUTENT */
 
+/* Define to 1 if you have the `setutxdb' function. */
+#define HAVE_SETUTXDB 1
+
 /* Define to 1 if you have the `setutxent' function. */
 #define HAVE_SETUTXENT 1
 
@@ -1416,8 +1425,8 @@
 /* Define if you want SELinux support. */
 /* #undef WITH_SELINUX */
 
-/* Define to 1 if your processor stores words with the most significant byte
-   first (like Motorola and SPARC, unlike Intel and VAX). */
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
 #if defined __BIG_ENDIAN__
 # define WORDS_BIGENDIAN 1
 #elif ! defined __LITTLE_ENDIAN__

crypto/openssh/config.h.in

@@ -80,9 +80,6 @@
 /* Define if you want to specify the path to your lastlog file */
 #undef CONF_LASTLOG_FILE
 
-/* Define if you want to specify the path to your utmpx file */
-#undef CONF_UTMPX_FILE
-
 /* Define if you want to specify the path to your utmp file */
 #undef CONF_UTMP_FILE
 
@@ -455,6 +452,9 @@
 /* Define to 1 if you have the `getutxline' function. */
 #undef HAVE_GETUTXLINE
 
+/* Define to 1 if you have the `getutxuser' function. */
+#undef HAVE_GETUTXUSER
+
 /* Define to 1 if you have the `get_default_context_with_level' function. */
 #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
 
@@ -551,6 +551,9 @@
 /* Define if system has libiaf that supports set_id */
 #undef HAVE_LIBIAF
 
+/* Define to 1 if you have the `network' library (-lnetwork). */
+#undef HAVE_LIBNETWORK
+
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 #undef HAVE_LIBNSL
 
@@ -804,6 +807,9 @@
 /* Define to 1 if you have the `setutent' function. */
 #undef HAVE_SETUTENT
 
+/* Define to 1 if you have the `setutxdb' function. */
+#undef HAVE_SETUTXDB
+
 /* Define to 1 if you have the `setutxent' function. */
 #undef HAVE_SETUTXENT
 

crypto/openssh/defines.h

@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */
+/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */
 
 
 /* Constants */

crypto/openssh/key.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */
+/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -801,6 +801,19 @@ key_type(const Key *k)
 	return "unknown";
 }
 
+const char *
+key_cert_type(const Key *k)
+{
+	switch (k->cert->type) {
+	case SSH2_CERT_TYPE_USER:
+		return "user";
+	case SSH2_CERT_TYPE_HOST:
+		return "host";
+	default:
+		return "unknown";
+	}
+}
+
 const char *
 key_ssh_name(const Key *k)
 {

crypto/openssh/key.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -82,6 +82,7 @@ int		 key_equal(const Key *, const Key *);
 char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(Key *, enum fp_type, u_int *);
 const char	*key_type(const Key *);
+const char	*key_cert_type(const Key *);
 int		 key_write(const Key *, FILE *);
 int		 key_read(Key *, char **);
 u_int		 key_size(const Key *);

crypto/openssh/loginrec.c

@@ -510,6 +510,10 @@ getlast_entry(struct logininfo *li)
 #ifdef USE_LASTLOG
 	return(lastlog_get_entry(li));
 #else /* !USE_LASTLOG */
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+    defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
+	return (utmpx_get_entry(li));
+#endif
 
 #if 1
 	return (utmpx_get_entry(li));
@@ -1614,7 +1618,8 @@ lastlog_get_entry(struct logininfo *li)
 #endif /* HAVE_GETLASTLOGXBYNAME */
 #endif /* USE_LASTLOG */
 
-#if 1
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+    defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
 int
 utmpx_get_entry(struct logininfo *li)
 {
@@ -1637,7 +1642,7 @@ utmpx_get_entry(struct logininfo *li)
 	endutxent();
 	return (1);
 }
-#endif
+#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */
 
 #ifdef USE_BTMP
   /*

crypto/openssh/logintest.c

@@ -264,7 +264,7 @@ showOptions(void)
 	printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
 #endif
 #ifdef USE_UTMPX
-	printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE);
+	printf("\tUSE_UTMPX\n");
 #endif
 #ifdef USE_WTMP
 	printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);

crypto/openssh/openbsd-compat/bsd-arc4random.c

@@ -84,7 +84,7 @@ arc4random_stir(void)
 }
 #endif /* !HAVE_ARC4RANDOM */
 
-#ifndef ARC4RANDOM_BUF
+#ifndef HAVE_ARC4RANDOM_BUF
 void
 arc4random_buf(void *_buf, size_t n)
 {
@@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n)
 }
 #endif /* !HAVE_ARC4RANDOM_BUF */
 
-#ifndef ARC4RANDOM_UNIFORM
+#ifndef HAVE_ARC4RANDOM_UNIFORM
 /*
  * Calculate a uniformly distributed random number less than upper_bound
  * avoiding "modulo bias".

crypto/openssh/servconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -474,15 +474,14 @@ parse_token(const char *cp, const char *filename,
 char *
 derelativise_path(const char *path)
 {
-	char *expanded, *ret, *cwd;
+	char *expanded, *ret, cwd[MAXPATHLEN];
 
 	expanded = tilde_expand_filename(path, getuid());
 	if (*expanded == '/')
 		return expanded;
-	if ((cwd = getcwd(NULL, 0)) == NULL)
+	if (getcwd(cwd, sizeof(cwd)) == NULL)
 		fatal("%s: getcwd: %s", __func__, strerror(errno));
 	xasprintf(&ret, "%s/%s", cwd, expanded);
-	xfree(cwd);
 	xfree(expanded);
 	return ret;
 }
@@ -1227,7 +1226,17 @@ process_server_config_line(ServerOptions *options, char *line,
 		charptr = (opcode == sAuthorizedKeysFile) ?
 		    &options->authorized_keys_file :
 		    &options->authorized_keys_file2;
-		goto parse_filename;
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing file name.",
+			    filename, linenum);
+		if (*activep && *charptr == NULL) {
+			*charptr = tilde_expand_filename(arg, getuid());
+			/* increase optional counter */
+			if (intptr != NULL)
+				*intptr = *intptr + 1;
+		}
+		break;
 
 	case sClientAliveInterval:
 		intptr = &options->client_alive_interval;

crypto/openssh/session.c

@@ -1581,6 +1581,10 @@ do_setusercontext(struct passwd *pw)
 		}
 #endif /* HAVE_SETPCRED */
 
+#ifdef WITH_SELINUX
+		ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+
 		if (options.chroot_directory != NULL &&
 		    strcasecmp(options.chroot_directory, "none") != 0) {
                         tmp = tilde_expand_filename(options.chroot_directory,
@@ -1605,10 +1609,6 @@ do_setusercontext(struct passwd *pw)
 
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
-	ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
 }
 
 static void

crypto/openssh/ssh-keygen.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
 .\"	$FreeBSD$
 .\"
 .\"  -*- nroff -*-
@@ -38,7 +38,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 8 2010
+.Dd March 13 2010
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -308,8 +308,15 @@ Please see the
 section for details.
 The constraints that are valid for user certificates are:
 .Bl -tag -width Ds
-.It Ic no-x11-forwarding
-Disable X11 forwarding (permitted by default).
+.It Ic clear
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
 .It Ic no-agent-forwarding
 Disable
 .Xr ssh-agent 1
@@ -324,12 +331,8 @@ Disable execution of
 by
 .Xr sshd 8
 (permitted by default).
-.It Ic clear
-Clear all enabled permissions.
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.It Ic permit-x11-forwarding
-Allows X11 forwarding.
+.It Ic no-x11-forwarding
+Disable X11 forwarding (permitted by default).
 .It Ic permit-agent-forwarding
 Allows
 .Xr ssh-agent 1
@@ -343,14 +346,10 @@ Allows execution of
 .Pa ~/.ssh/rc
 by
 .Xr sshd 8 .
-.It Ic force-command=command
-Forces the execution of
-.Ar command
-instead of any shell or command specified by the user when
-the certificate is used for authentication.
-.It Ic source-address=address_list
-Restrict the source addresses from which the certificate is considered valid
-from.
+.It Ic permit-x11-forwarding
+Allows X11 forwarding.
+.It Ic source-address Ns = Ns Ar address_list
+Restrict the source addresses from which the certificate is considered valid.
 The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -415,7 +414,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
 of a minus sign followed by a relative time in the format described in the
 .Sx TIME FORMATS
 section of
-.Xr ssh_config 5 .
+.Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.
 .Pp
@@ -520,7 +519,7 @@ To generate a user certificate:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
 .Pp
 The resultant certificate will be placed in
-.Pa /path/to/user_key_cert.pub .
+.Pa /path/to/user_key-cert.pub .
 A host certificate requires the
 .Fl h
 option:
@@ -528,7 +527,7 @@ option:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
 .Pp
 The host certificate will be output to
-.Pa /path/to/host_key_cert.pub .
+.Pa /path/to/host_key-cert.pub .
 In both cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
@@ -540,7 +539,7 @@ By default, generated certificates are valid for all users or hosts.
 To generate a certificate for a specified set of principals:
 .Pp
 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
 be specified through certificate constraints.

crypto/openssh/ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw)
 	    SSH_FP_MD5, SSH_FP_HEX);
 
 	printf("%s:\n", identity_file);
-	printf("        %s certificate %s\n", key_type(key), key_fp);
+	printf("        %s %s certificate %s\n", key_type(key),
+	    key_cert_type(key), key_fp);
 	printf("        Signed by %s CA %s\n",
 	    key_type(key->cert->signature_key), ca_fp);
 	printf("        Key ID \"%s\"\n", key->cert->key_id);

crypto/openssh/ssh-pkcs11-helper.c

@@ -17,8 +17,6 @@
 
 #include "includes.h"
 
-#ifdef ENABLE_PKCS11
-
 #include <sys/types.h>
 #ifdef HAVE_SYS_TIME_H
 # include <sys/time.h>
@@ -39,6 +37,8 @@
 #include "authfd.h"
 #include "ssh-pkcs11.h"
 
+#ifdef ENABLE_PKCS11
+
 /* borrows code from sftp-server and ssh-agent */
 
 struct pkcs11_keyinfo {

crypto/openssh/ssh.1

@@ -34,9 +34,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $
 .\" $FreeBSD$
-.Dd March 5 2010
+.Dd March 26 2010
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -560,7 +560,10 @@ argument is
 the listen port will be dynamically allocated on the server and reported
 to the client at run time.
 .It Fl S Ar ctl_path
-Specifies the location of a control socket for connection sharing.
+Specifies the location of a control socket for connection sharing
+or the string
+.Dq none
+to disable connection sharing.
 Refer to the description of
 .Cm ControlPath
 and

crypto/openssh/ssh_config

@@ -46,4 +46,4 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
-#   VersionAddendum FreeBSD-20100308
+#   VersionAddendum FreeBSD-20100428

crypto/openssh/ssh_config.5

@@ -34,9 +34,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $
 .\" $FreeBSD$
-.Dd March 5 2010
+.Dd March 26 2010
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -735,11 +735,7 @@ This allows a client to prefer one method (e.g.\&
 over another method (e.g.\&
 .Cm password )
 The default for this option is:
-.Do gssapi-with-mic ,
-hostbased,
-publickey,
-keyboard-interactive,
-password
+.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
 .Dc .
 .It Cm Protocol
 Specifies the protocol versions
@@ -1087,7 +1083,7 @@ in
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20100308 .
+.Dq FreeBSD-20100428 .
 .It Cm VisualHostKey
 If this flag is set to
 .Dq yes ,

crypto/openssh/sshd_config

@@ -14,7 +14,7 @@
 # Note that some of FreeBSD's defaults differ from OpenBSD's, and
 # FreeBSD has a few additional options.
 
-#VersionAddendum FreeBSD-20100308
+#VersionAddendum FreeBSD-20100428
 
 #Port 22
 #AddressFamily any

crypto/openssh/sshd_config.5

@@ -988,7 +988,7 @@ The default is
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20100308 .
+.Dq FreeBSD-20100428 .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's

crypto/openssh/version.h

@@ -1,12 +1,12 @@
-/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */
+/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */
 /* $FreeBSD$ */
 
 #ifndef SSH_VERSION
 
 #define SSH_VERSION             (ssh_version_get())
 #define SSH_RELEASE             (ssh_version_get())
-#define SSH_VERSION_BASE        "OpenSSH_5.4p1"
-#define SSH_VERSION_ADDENDUM    "FreeBSD-20100308"
+#define SSH_VERSION_BASE        "OpenSSH_5.5p1"
+#define SSH_VERSION_ADDENDUM    "FreeBSD-20100428"
 
 const char *ssh_version_get(void);
 void ssh_version_set_addendum(const char *);