Ssh 1.2.23 release notes

SECURITY
========

* Fixed no-port-forwarding so that it will also disable local port forwardings at the server side.
* Added GatewayPorts option and -g option from Steve Bellovin. After this all port forwardings are bound to the localhost address only, unless the -g option is given.

SSHD
====

* Made .rhosts parsing understand a #-comment at the end of a line. Patch from .
* Added setting of the REMOTEUSER environment variable if the remote username is available.
* Added configure option --with-nologin-allow[=/etc/nologin.allow] to have sshd read the given file for a list of usernames exempt from /etc/nologin. This allows administrators to retain remote access during maintenance, when users need to be kept off the system. Jointly created by Philip Kizer and .
* Added IgnoreRootRhosts option to server config file. Patch from Luke Mewburn.
* Added ssh version 2 compatibility option. ssh2 will start ssh1 with the -V option if the client is not an ssh2 client.
* Added code that will ignore the string given to SSH_MSG_IGNORE. Bug reported by Bernard Perrot.
* Check that the proxy command isn't empty before starting it. Patch from Chuck Goodhart.
* Added patch from Bill O'Neill that will fix the Digital Unix 4.0 C2 password expiration problems.
* Patch from John P.Speno to allow OSF C2 resources to be set to 0.
* Added checking of system default lock from John P.Speno.
* Added patch that will force a password change if the OSF C2 password is expired. Patch from Florian Fuchs.
* Added libwrap calls to debug mode sshd also.
* Added code that will set resource limits under BSD/OS. Patch from Payl Borman.
* Added setting of AUTHSTATE and KRB5CCNAME environment variables if we have authenticate() in AIX. Patch from Matt Richards (v2matt@btv.ibm.com).
* FreeBSD /etc/login.conf capabilities patches from Steve Birnbaum and torstenb@FreeBSD.ORG.
* Fixed idle_timeout code in serverloop.c. Patch from Bob Goellner.
* Moved initgroups before closing all file descriptors. Patch from Donald Buczek.
* Combined two getpwent calls in ssh.c to get around a bug in the Red Hat 4.2 NIS library.
* Added use of the AIX authenticate function if it exists, from Matt Richards (v2matt@btv.ibm.com).
* Added check that kerberos initialization succeeds from Dima Ruban (dima@best.net).
* Added check that a .rhosts/.shosts file cannot have any control characters other than whitespace.
* includes.h (S_ISLNK): Fixed bug reported by Paul J. Sanchez.

AGENT
=====

* Fixed too early free of authsocket in authfd.c (reported by many people).
* Added grabbing of keyboard in ssh-askpass. Patch from Raymund Will.
* Allow the authentication socket to be a symlink, if we are not suid. Patch from Steve Birnbaum.

SSH
===

* Configurable password prompt from Maciej W. Rozycki.
* Added setsid patch for -f option in ssh from Garance A Drosehn.
* Disabled TCP_NODELAY and added --enable-tcp-nodelay configure option to enable it again (Sean Doran).

SCP
===

* Fixed 2 GB file handling in scp. Bug reported by Anthony Talltree.

MAKE-KNOWN-HOSTS.PL
===================

* Fixed make-known-hosts.pl so that it will first send SIGINT to ssh and then wait 1 second before sending SIGKILL. This will allow the ssh client to die cleanly and restore the terminal settings before exiting.

CONFIGURE
=========

* Added Cray T3E patches from Kaj Mustikkamäki (kaj.mustikkamaki@csc.fi).
* Added socks5 with kerberos patches from E. Jay Berkenbilt.
* Added detection of the ttyslot function in configure.in. Use it if found.
* Added support for the X11 socket being in the /var/X/.X11-unix directory instead of /tmp/.X11-unix (mcr@sandelman.ottawa.on.ca).

GENERAL
=======

* Made make install compatible with ssh-2. It will now install the binaries as 1 and if the 2 already exists it doesn't do anything more. If 2 does not exist, make install will make a symbolic link from to 1. This means that if you have ssh2 installed then make install doesn't touch the ssh program, it will just install itself as ssh1. You can manually change the ssh link to point to either ssh1 or ssh2.

REMEMBER
========

* Ssh compilation success/failure web-page. You can fill in the reply form about your compilation at . You can query about the success/failure database from .
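
The two .rhosts items under SSHD (the #-comment at the end of a line, and the check for control characters other than whitespace) can be pictured with a small line parser. This is an added example, not code from the ssh 1.2.23 sources; the function name, the return codes, the two-field "host [user]" form and the whitespace set (space, tab, CR, LF) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return values of rhosts_parse_line() (hypothetical names). */
enum { RHOSTS_REJECT = -1, RHOSTS_EMPTY = 0, RHOSTS_HOST = 1, RHOSTS_HOST_USER = 2 };

/* Parse one .rhosts/.shosts line into host and optional user.
 * Assumed policy: a control character other than tab, CR or LF anywhere
 * in the line, the comment included, rejects the whole line. */
int rhosts_parse_line(const char *line, char *host, char *user, size_t cap)
{
    char buf[256];
    size_t n = strlen(line);
    if (cap == 0 || n >= sizeof(buf))
        return RHOSTS_REJECT;               /* over-long lines are refused */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (iscntrl(c) && c != '\t' && c != '\r' && c != '\n')
            return RHOSTS_REJECT;
    }
    memcpy(buf, line, n + 1);
    buf[strcspn(buf, "#")] = '\0';          /* drop the #-comment, if any */

    host[0] = user[0] = '\0';
    char *h = strtok(buf, " \t\r\n");
    if (h == NULL)
        return RHOSTS_EMPTY;                /* blank or comment-only line */
    char *u = strtok(NULL, " \t\r\n");
    if (strtok(NULL, " \t\r\n") != NULL)
        return RHOSTS_REJECT;               /* more than two fields */
    if (strlen(h) >= cap || (u != NULL && strlen(u) >= cap))
        return RHOSTS_REJECT;
    strcpy(host, h);
    if (u != NULL)
        strcpy(user, u);
    return u != NULL ? RHOSTS_HOST_USER : RHOSTS_HOST;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real host. */
    const char *samples[] = { "trusted.example.org alice # build box\n",
                              "trusted.example.org\x1b[2K mallory\n" };
    char host[64], user[64];
    for (size_t i = 0; i < 2; i++)
        printf("%d\n", rhosts_parse_line(samples[i], host, user, sizeof(host)));
    return 0;
}
```

The control-character scan runs before the comment is stripped, so bytes placed after a # cannot bypass the check.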