Commit 206be79a authored by Ed Maste's avatar Ed Maste
Browse files

Vendor import of OpenSSH 8.5p1

parent 3bbd8dc9
This source diff could not be displayed because it is too large. You can view the blob instead.
#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Sets the following variables:
# CONFIGFLAGS options to ./configure
# SSHD_CONFOPTS sshd_config options
# TEST_TARGET make target used when testing. defaults to "tests".
# LTESTS
config=$1
TEST_TARGET="tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""
case "$config" in
default|sol64)
;;
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
;;
hardenedmalloc)
CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
;;
kerberos5)
CONFIGFLAGS="--with-kerberos5"
;;
libedit)
CONFIGFLAGS="--with-libedit"
;;
*pam)
CONFIGFLAGS="--with-pam"
SSHD_CONFOPTS="UsePam yes"
;;
libressl-head)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl/head --with-rpath=-Wl,-rpath,"
;;
openssl-head)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl/head --with-rpath=-Wl,-rpath,"
;;
selinux)
CONFIGFLAGS="--with-selinux"
;;
sk)
CONFIGFLAGS="--with-security-key-builtin"
;;
without-openssl)
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
valgrind-1)
# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
CONFIGFLAGS="--without-sandbox --without-hardening"
CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
# by github.
TEST_TARGET="t-exec USE_VALGRIND=1"
SKIP_LTESTS="agent-timeout rekey try-ciphers cert-userkey integrity"
;;
valgrind-2)
CONFIGFLAGS="--without-sandbox --without-hardening"
CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
# The rekey test takes >30 min so run separately.
TEST_TARGET="t-exec USE_VALGRIND=1"
LTESTS="rekey try-ciphers cert-userkey integrity"
;;
*)
echo "Unknown configuration $config"
exit 1
;;
esac
# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
sol64*)
CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
;;
esac
case "${TARGET_HOST}" in
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
# sol11 has 4 test configs so skip unit tests to speed up.
TEST_TARGET="tests SKIP_UNIT=1"
;;
esac
# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
# last-match
for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
if [ -x ${i}/bin/openssl ]; then
LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
fi
done
fi
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
export LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
#!/bin/sh
. .github/configs $1
set -x
./configure ${CONFIGFLAGS}
#!/usr/bin/env bash
TARGETS=$@
. .github/configs $1 $2
TEST_TARGET="tests"
LTESTS="" # all tests by default
[ -z "${SUDO}" ] || ${SUDO} mkdir -p /var/empty
set -ex
for TARGET in $TARGETS; do
case $TARGET in
--without-openssl)
# When built without OpenSSL we can't do the file-based RSA key tests.
TEST_TARGET=t-exec
;;
esac
done
if [ -z "$LTESTS" ]; then
make $TEST_TARGET
if [ -z "${LTESTS}" ]; then
make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
result=$?
else
make $TEST_TARGET LTESTS="$LTESTS"
make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
result=$?
fi
if [ ! -z "${SSHD_CONFOPTS}" ]; then
echo "rerunning tests with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
make t-exec TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
result2=$?
if [ "${result2}" -ne 0 ]; then
result="${result2}"
fi
fi
if [ "$result" -ne "0" ]; then
for i in regress/failed*; do
echo -------------------------------------------------------------------------
......
#!/usr/bin/env bash
case $(./config.guess) in
*-darwin*)
brew install automake
exit 0
;;
esac
TARGETS=$@
PACKAGES=""
......@@ -11,29 +18,45 @@ set -ex
lsb_release -a
if [ "${TARGETS}" = "kitchensink" ]; then
TARGETS="kerberos5 libedit pam sk selinux"
fi
for TARGET in $TARGETS; do
case $TARGET in
""|--without-openssl|--without-zlib)
default|without-openssl|without-zlib)
# nothing to do
;;
"--with-kerberos5")
kerberos5)
PACKAGES="$PACKAGES heimdal-dev"
#PACKAGES="$PACKAGES libkrb5-dev"
;;
"--with-libedit")
libedit)
PACKAGES="$PACKAGES libedit-dev"
;;
"--with-pam")
*pam)
PACKAGES="$PACKAGES libpam0g-dev"
;;
"--with-security-key-builtin")
sk)
INSTALL_FIDO_PPA="yes"
PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev"
;;
"--with-selinux")
selinux)
PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
;;
*) echo "Invalid option"
hardenedmalloc)
INSTALL_HARDENED_MALLOC=yes
;;
openssl-head)
INSTALL_OPENSSL_HEAD=yes
;;
libressl-head)
INSTALL_LIBRESSL_HEAD=yes
;;
valgrind*)
PACKAGES="$PACKAGES valgrind"
;;
*) echo "Invalid option '${TARGET}'"
exit 1
;;
esac
......@@ -49,3 +72,26 @@ if [ "x" != "x$PACKAGES" ]; then
sudo apt update -qq
sudo apt install -qy $PACKAGES
fi
if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
(cd ${HOME} &&
git clone https://github.com/GrapheneOS/hardened_malloc.git &&
cd ${HOME}/hardened_malloc &&
make -j2 && sudo cp libhardened_malloc.so /usr/lib/)
fi
if [ "${INSTALL_OPENSSL_HEAD}" = "yes" ];then
(cd ${HOME} &&
git clone https://github.com/openssl/openssl.git &&
cd ${HOME}/openssl &&
./config no-threads no-engine no-fips no-shared --prefix=/opt/openssl/head &&
make -j2 && sudo make install_sw)
fi
if [ "${INSTALL_LIBRESSL_HEAD}" = "yes" ];then
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
git clone https://github.com/libressl-portable/portable.git &&
cd ${HOME}/libressl/portable && sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl/head &&
make -j2 && sudo make install_sw)
fi
......@@ -7,22 +7,35 @@ on:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-latest
ci:
if: github.repository != 'openssh/openssh-portable-selfhosted'
strategy:
fail-fast: false
matrix:
configs:
- ""
- "--with-kerberos5"
- "--with-libedit"
- "--with-pam"
- "--with-security-key-builtin"
- "--with-selinux"
- "--with-kerberos5 --with-libedit --with-pam --with-security-key-builtin --with-selinux"
- "--without-openssl --without-zlib"
# First we test all OSes in the default configuration.
os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, macos-10.15]
configs: [default]
# Then we include any extra configs we want to test for specific VMs.
# Valgrind slows things down quite a bit, so start them first.
include:
- { os: ubuntu-20.04, configs: valgrind-1 }
- { os: ubuntu-20.04, configs: valgrind-2 }
- { os: ubuntu-20.04, configs: pam }
- { os: ubuntu-20.04, configs: kitchensink }
- { os: ubuntu-20.04, configs: hardenedmalloc }
- { os: ubuntu-20.04, configs: libressl-head }
- { os: ubuntu-20.04, configs: openssl-head }
- { os: ubuntu-18.04, configs: pam }
- { os: ubuntu-18.04, configs: kerberos5 }
- { os: ubuntu-18.04, configs: libedit }
- { os: ubuntu-18.04, configs: sk }
- { os: ubuntu-18.04, configs: selinux }
- { os: ubuntu-18.04, configs: kitchensink }
- { os: ubuntu-18.04, configs: without-openssl }
- { os: ubuntu-16.04, configs: pam }
- { os: ubuntu-16.04, configs: kitchensink }
- { os: macos-10.15, configs: pam }
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
- name: setup CI system
......@@ -30,10 +43,21 @@ jobs:
- name: autoreconf
run: autoreconf
- name: configure
run: ./configure ${{ matrix.configs }}
run: ./.github/configure.sh ${{ matrix.configs }}
- name: make
run: make
run: make -j2
- name: install moduli
run: sudo sh -c "mkdir -p /usr/local/etc/; cp moduli /usr/local/etc/"
- name: make tests
run: ./.github/run_test.sh ${{ matrix.configs }}
env:
SUDO: sudo
TEST_SSH_UNSAFE_PERMISSIONS: 1
- name: save regress logs
if: failure()
uses: actions/upload-artifact@v2
with:
name: ${{ matrix.os }}-${{ matrix.configs }}-regress-logs
path: |
regress/*.log
regress/valgrind-out/
name: C/C++ CI self-hosted
on:
push:
branches: [ master, ci ]
jobs:
selfhosted:
if: github.repository == 'openssh/openssh-portable-selfhosted'
runs-on: ${{ matrix.os }}
env:
TARGET_HOST: ${{ matrix.os }}
SUDO: sudo
strategy:
fail-fast: false
# We use a matrix in two parts: firstly all of the VMs are tested with the
# default config. "vm" corresponds to a label associated with the worker.
matrix:
os: [bbone, dfly30, dfly48, dfly58, fbsd6, fbsd7, fbsd12, sol10, sol11]
configs:
- default
# Then we include any extra configs we want to test for specific VMs.
include:
- { os: dfly30, configs: without-openssl}
- { os: dfly48, configs: pam }
- { os: dfly58, configs: pam }
- { os: fbsd6, configs: pam }
- { os: fbsd7, configs: pam }
- { os: fbsd12, configs: pam }
- { os: sol10, configs: pam }
- { os: sol11, configs: pam }
- { os: sol11, configs: sol64 }
# - { os: sol11, configs: sol64-pam }
steps:
- uses: actions/checkout@v2
- name: autoreconf
run: autoreconf
- name: shutdown VM if running
run: vmshutdown
- name: startup VM
run: vmstartup
- name: configure
run: vmrun ./.github/configure.sh ${{ matrix.configs }}
- name: save config files
if: failure()
uses: actions/upload-artifact@v2
with:
name: ${{ matrix.os }}-${{ matrix.configs }}-config-files
path: |
config.h
config.log
- name: make
run: vmrun make
- name: install moduli
run: vmrun "sudo mkdir -p /usr/local/etc/; sudo cp moduli /usr/local/etc/"
- name: make tests
run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
- name: save regress logs
if: failure()
uses: actions/upload-artifact@v2
with:
name: ${{ matrix.os }}-${{ matrix.configs }}-regress-logs
path: |
regress/*.log
regress/valgrind-out/
- name: shutdown VM
if: always()
run: vmshutdown
......@@ -21,6 +21,7 @@ d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc
3bcae7a754db3fc5ad3cab63dd46774edb35b8ae moduli regen script update
52ff0e3205036147b2499889353ac082e505ea54 moduli update
07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 Makefile.inc
cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile
Old upstream tree:
......
This diff is collapsed.
1. Prerequisites
----------------
A C compiler. Any C89 or better compiler should work. Where supported,
......
......@@ -314,6 +314,68 @@ OpenSSH contains no GPL code.
* authorization. *
****************************************************************************/
The Blowfish cipher implementation is licensed by Niels Provis under
a 4-clause BSD license:
* Blowfish - a fast block cipher designed by Bruce Schneier
*
* Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Niels Provos.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Some replacement code is licensed by the NetBSD foundation under a
2-clause BSD license:
* Copyright (c) 2001 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Todd Vierling.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
------
$OpenBSD: LICENCE,v 1.20 2017/04/30 23:26:16 djm Exp $
......@@ -95,7 +95,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
cipher-ctr.o cleanup.o \
compat.o fatal.o hostfile.o \
log.o match.o moduli.o nchan.o packet.o \
readpass.o ttymodes.o xmalloc.o addrmatch.o \
readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
atomicio.o dispatch.o mac.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
ssh-ed25519-sk.o ssh-rsa.o dh.o \
......@@ -106,7 +106,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
kexsntrup761x25519.o sntrup761.o kexgen.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o
......@@ -125,7 +125,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o $(SKOBJS)
......@@ -289,8 +289,6 @@ clean: regressclean
rm -f regress/unittests/match/test_match$(EXEEXT)
rm -f regress/unittests/utf8/*.o
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
rm -f regress/misc/kexfuzz/*.o
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
rm -f regress/misc/sk-dummy/*.o
rm -f regress/misc/sk-dummy/*.lo
rm -f regress/misc/sk-dummy/sk-dummy.so
......@@ -324,8 +322,6 @@ distclean: regressclean
rm -f regress/unittests/match/test_match
rm -f regress/unittests/utf8/*.o
rm -f regress/unittests/utf8/test_utf8
rm -f regress/misc/kexfuzz/*.o
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
(cd openbsd-compat && $(MAKE) distclean)
if test -d pkg ; then \
rm -fr pkg ; \
......@@ -497,7 +493,6 @@ regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/kex
$(MKDIR_P) `pwd`/regress/unittests/match
$(MKDIR_P) `pwd`/regress/unittests/utf8
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
......@@ -635,14 +630,6 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
MISC_KEX_FUZZ_OBJS=\
regress/misc/kexfuzz/kexfuzz.o \
$(SKOBJS)
regress/misc/kexfuzz/kexfuzz$(EXEEXT): ${MISC_KEX_FUZZ_OBJS} libssh.a
$(LD) -o $@ $(LDFLAGS) $(MISC_KEX_FUZZ_OBJS) \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
# These all need to be compiled -fPIC, so they are treated differently.
SK_DUMMY_OBJS=\
regress/misc/sk-dummy/sk-dummy.lo \
......@@ -676,7 +663,6 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
regress/unittests/kex/test_kex$(EXEEXT) \
regress/unittests/match/test_match$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
tests: file-tests t-exec interop-tests unit
echo all tests passed
......
......@@ -292,6 +292,7 @@ has completed.
byte SSH_MSG_GLOBAL_REQUEST
string "hostkeys-00@openssh.com"
char 0 /* want-reply */
string[] hostkeys
Upon receiving this message, a client should check which of the
......@@ -465,6 +466,65 @@ respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
3.7. sftp: Extension request "lsetstat@openssh.com"
This request is like the "setstat" command, but sets file attributes on
symlinks. It is implemented as a SSH_FXP_EXTENDED request with the
following format:
uint32 id
string "lsetstat@openssh.com"
string path
ATTRS attrs
See the "setstat" command for more details.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
3.8. sftp: Extension request "limits@openssh.com"
This request is used to determine various limits the server might impose.
Clients should not attempt to exceed these limits as the server might sever
the connection immediately.
uint32 id
string "limits@openssh.com"
The server will respond with a SSH_FXP_EXTENDED_REPLY reply:
uint32 id
uint64 max-packet-length
uint64 max-read-length
uint64 max-write-length
uint64 max-open-handles
The 'max-packet-length' applies to the total number of bytes in a
single SFTP packet. Servers SHOULD set this at least to 34000.
The 'max-read-length' is the largest length in a SSH_FXP_READ packet.
Even if the client requests a larger size, servers will usually respond
with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to
32768.
The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet
the server will accept. Servers SHOULD set this at least to 32768.
The 'max-open-handles' is the maximum number of active handles that the
server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR
packets). Servers MAY count internal file handles against this limit
(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to
open this many handles in practice.
If the server doesn't enforce a specific limit, then the field may be
set to 0. This implies the server relies on the OS to enforce limits
(e.g. available memory or file handles), and such limits might be
dynamic. The client SHOULD take care to not try to exceed reasonable
limits.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
4. Miscellaneous changes
4.1 Public key format
......@@ -496,4 +556,4 @@ OpenSSH's connection multiplexing uses messages as described in
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
$OpenBSD: PROTOCOL,v 1.38 2020/07/05 23:59:45 djm Exp $