20131006
 - (djm) Release OpenSSH-6.7

20141003
 - (djm) [sshd_config.5] typo; from Iain Morgan

20141001
 - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
   [openbsd-compat/openbsd-compat.h] Kludge around bad glibc
   _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
   ok dtucker@

20140910
 - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
   patch from Felix von Leitner; ok dtucker

20140908
 - (dtucker) [INSTALL] Update info about egd.  ok djm@

20140904
 - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG

20140903
 - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
   conditionalise to avoid duplicate definition.
 - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
   permissions/ACLs; from Corinna Vinschen

20140830
 - (djm) [openbsd-compat/openssl-compat.h] add
   OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
 - (djm) [misc.c] Missing newline between functions
 - (djm) [openbsd-compat/openssl-compat.h] add include guard
 - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@

20140827
 - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
   [regress/unittests/sshkey/common.c]
   [regress/unittests/sshkey/test_file.c]
   [regress/unittests/sshkey/test_fuzz.c]
   [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
   on !ECC OpenSSL systems
 - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
   monitor, not preauth; bz#2263
 - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
   using memset_s() where possible; improve fallback to indirect bzero
   via a volatile pointer to give it more of a chance to avoid being
   optimised away.

20140825
 - (djm) [bufec.c] Skip this file on !ECC OpenSSL
 - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
   update OpenSSL version requirement.

20140824
 - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
   PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen

20140823
 - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
   lastlog writing on platforms with high UIDs; bz#2263
 - (djm) [configure.ac] We now require a working vsnprintf everywhere (not
   just for systems that lack asprintf); check for it always and extend
   test to catch more brokenness. Fixes builds on Solaris <= 9

20140822
 - (djm) [configure.ac] include leading zero characters in OpenSSL version
   number; fixes test for unsupported versions
 - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
 - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
   definition mismatch) and warning for broken/missing snprintf case.
 - (djm) [configure.ac] double braces to appease autoconf

20140821
 - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
 - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
 - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
   don't set __progname. Diagnosed by Tom Christensen.

20140820
 - (djm) [configure.ac] Check OpenSSL version is supported at configure time;
   suggested by Kevin Brott
 - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
   -L/-l; fixes linking problems on some platforms
 - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
 - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna

20140819
 - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
 - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
 - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
 - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
   of TCP wrappers.

20140811
 - (djm) [myproposal.h] Make curve25519 KEX dependent on
   HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.

20140810
 - (djm) [README contrib/caldera/openssh.spec]
   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions

20140801
 - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
   a better solution, but this will have to do for now.
 - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
   is closed; avoid regress failures when stdin is /dev/null
 - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
   nc from stdin, it's more portable

20140730
 - OpenBSD CVS Sync
   - millert@cvs.openbsd.org 2014/07/24 22:57:10
     [ssh.1]
     Mention UNIX-domain socket forwarding too.  OK jmc@ deraadt@
   - dtucker@cvs.openbsd.org 2014/07/25 21:22:03
     [ssh-agent.c]
     Clear buffer used for handling messages.  This prevents keys being
     left in memory after they have been expired or deleted in some cases
     (but note that ssh-agent is setgid so you would still need root to
     access them).  Pointed out by Kevin Burns, ok deraadt
   - schwarze@cvs.openbsd.org 2014/07/28 15:40:08
     [sftp-server.8 sshd_config.5]
     some systems no longer need /dev/log;
     issue noticed by jirib;
     ok deraadt

20140725
 - (djm) [regress/multiplex.sh] restore incorrectly deleted line;
   pointed out by Christian Hesse

20140722
 - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
   put it back
 - (djm) [regress/multiplex.sh] change the test for still-open Unix
   domain sockets to be robust against nc implementations that produce
   error messages.
 - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
   specific tests inside OPENSSL_HAS_ECC.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2014/07/22 01:18:50
     [key.c]
     Prevent spam from key_load_private_pem during hostbased auth.  ok djm@
   - guenther@cvs.openbsd.org 2014/07/22 07:13:42
     [umac.c]
     Convert from <sys/endian.h> to the shiney new <endian.h>
     ok dtucker@, who also confirmed that -portable handles this already
     (ID sync only, includes.h pulls in endian.h if available.)
   - djm@cvs.openbsd.org 2014/07/22 01:32:12
     [regress/multiplex.sh]
     change the test for still-open Unix domain sockets to be robust against
     nc implementations that produce error messages. from -portable
     (Id sync only)
   - dtucker@cvs.openbsd.org 2014/07/22 23:23:22
     [regress/unittests/sshkey/mktestdata.sh]
     Sign test certs with ed25519 instead of ecdsa so that they'll work in
     -portable on platforms that don't have ECDSA in their OpenSSL.  ok djm
   - dtucker@cvs.openbsd.org 2014/07/22 23:57:40
     [regress/unittests/sshkey/mktestdata.sh]
     Add $OpenBSD tag to make syncs easier
   - dtucker@cvs.openbsd.org 2014/07/22 23:35:38
     [regress/unittests/sshkey/testdata/*]
     Regenerate test keys with certs signed with ed25519 instead of ecdsa.
     These can be used in -portable on platforms that don't support ECDSA.

20140721
 - OpenBSD CVS Sync
   - millert@cvs.openbsd.org 2014/07/15 15:54:15
     [forwarding.sh multiplex.sh]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
 - (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
 - (dtucker) [sshkey.c] ifdef out unused variable when compiling without
   OPENSSL_HAS_ECC.

20140721
 - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
   needed to build AES CTR mode against OpenSSL 0.9.8f and above.  ok djm
 - (dtucker) [regress/unittests/sshkey/
   {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
   ifdefs.

20140719
 - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
   in servconf.h.

20140718
 - OpenBSD CVS Sync
   - millert@cvs.openbsd.org 2014/07/15 15:54:14
     [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
   - jmc@cvs.openbsd.org 2014/07/16 14:48:57
     [ssh.1]
     add the streamlocal* options to ssh's -o list; millert says they're
     irrelevant for scp/sftp;
     ok markus millert
   - djm@cvs.openbsd.org 2014/07/17 00:10:56
     [sandbox-systrace.c]
     ifdef SYS_sendsyslog so this will compile without patching on -stable
   - djm@cvs.openbsd.org 2014/07/17 00:10:18
     [mux.c]
     preserve errno across syscall
   - djm@cvs.openbsd.org 2014/07/17 00:12:03
     [key.c]
     silence "incorrect passphrase" error spam; reported and ok dtucker@
   - djm@cvs.openbsd.org 2014/07/17 07:22:19
     [mux.c ssh.c]
     reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
     previously we were always returning 0. bz#2255 reported by Brendan
     Germain; ok dtucker
   - djm@cvs.openbsd.org 2014/07/18 02:46:01
     [ssh-agent.c]
     restore umask around listener socket creation (dropped in streamlocal patch
     merge)
 - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
   in servconf.h.
 - (dtucker) [Makefile.in] Add a t-exec target to run just the executable
   tests.
 - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.

20140717
 - (djm) [digest-openssl.c] Preserve array order when disabling digests.
   Reported by Petr Lautrbach.
 - OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
     [sandbox-systrace.c]
     Permit use of SYS_sendsyslog from inside the sandbox.  Clock is ticking,
     update your kernels and sshd soon.. libc will start using sendsyslog()
     in about 4 days.
   - tedu@cvs.openbsd.org 2014/07/11 13:54:34
     [myproposal.h]
     by popular demand, add back hamc-sha1 to server proposal for better compat
     with many clients still in use. ok deraadt

20140715
 - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
   has been located; fixes builds agains libressl-portable

20140711
 - OpenBSD CVS Sync
   - benno@cvs.openbsd.org 2014/07/09 14:15:56
     [ssh-add.c]
     fix ssh-add crash while loading more than one key
     ok markus@

20140709
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/07/07 08:19:12
     [ssh_config.5]
     mention that ProxyCommand is executed using shell "exec" to avoid
     a lingering process; bz#1977
   - djm@cvs.openbsd.org 2014/07/09 01:45:10
     [sftp.c]
     more useful error message when GLOB_NOSPACE occurs;
     bz#2254, patch from Orion Poplawski
   - djm@cvs.openbsd.org 2014/07/09 03:02:15
     [key.c]
     downgrade more error() to debug() to better match what old authfile.c
     did; suppresses spurious errors with hostbased authentication enabled
   - djm@cvs.openbsd.org 2014/07/06 07:42:03
     [multiplex.sh test-exec.sh]
     add a hook to the cleanup() function to kill $SSH_PID if it is set
     
     use it to kill the mux master started in multiplex.sh (it was being left
     around on fatal failures)
   - djm@cvs.openbsd.org 2014/07/07 08:15:26
     [multiplex.sh]
     remove forced-fatal that I stuck in there to test the new cleanup
     logic and forgot to remove...

20140706
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/07/03 23:18:35
     [authfile.h]
     remove leakmalloc droppings
   - djm@cvs.openbsd.org 2014/07/05 23:11:48
     [channels.c]
     fix remote-forward cancel regression; ok markus@

20140704
 - OpenBSD CVS Sync
   - jsing@cvs.openbsd.org 2014/07/03 12:42:16
     [cipher-chachapoly.c]
     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
     makes it easier to verify that chacha_encrypt_bytes() is only called once
     per chacha_ivsetup() call.
     ok djm@
   - djm@cvs.openbsd.org 2014/07/03 22:23:46
     [sshconnect.c]
     when rekeying, skip file/DNS lookup if it is the same as the key sent
     during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
   - djm@cvs.openbsd.org 2014/07/03 22:33:41
     [channels.c]
     allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
     GatewayPorts=no; allows client to choose address family;
     bz#2222 ok markus@
   - djm@cvs.openbsd.org 2014/07/03 22:40:43
     [servconf.c servconf.h session.c sshd.8 sshd_config.5]
     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
     executed, mirroring the no-user-rc authorized_keys option;
     bz#2160; ok markus@

20140703
 - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
   doesn't support it.
 - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
   bz#2237
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/07/03 01:45:38
     [sshkey.c]
     make Ed25519 keys' title fit properly in the randomart border; bz#2247
     based on patch from Christian Hesse
   - djm@cvs.openbsd.org 2014/07/03 03:11:03
     [ssh-agent.c]
     Only cleanup agent socket in the main agent process and not in any
     subprocesses it may have started (e.g. forked askpass). Fixes
     agent sockets being zapped when askpass processes fatal();
     bz#2236 patch from Dmitry V. Levin
   - djm@cvs.openbsd.org 2014/07/03 03:15:01
     [ssh-add.c]
     make stdout line-buffered; saves partial output getting lost when
     ssh-add fatal()s part-way through (e.g. when listing keys from an
     agent that supports key types that ssh-add doesn't);
     bz#2234, reported by Phil Pennock
   - djm@cvs.openbsd.org 2014/07/03 03:26:43
     [digest-openssl.c]
     use EVP_Digest() for one-shot hash instead of creating, updating,
     finalising and destroying a context.
     bz#2231, based on patch from Timo Teras
   - djm@cvs.openbsd.org 2014/07/03 03:34:09
     [gss-serv.c session.c ssh-keygen.c]
     standardise on NI_MAXHOST for gethostname() string lengths; about
     1/2 the cases were using it already. Fixes bz#2239 en passant
   - djm@cvs.openbsd.org 2014/07/03 03:47:27
     [ssh-keygen.c]
     When hashing or removing hosts using ssh-keygen, don't choke on
     @revoked markers and don't remove @cert-authority markers;
     bz#2241, reported by mlindgren AT runelind.net
   - djm@cvs.openbsd.org 2014/07/03 04:36:45
     [digest.h]
     forward-declare struct sshbuf so consumers don't need to include sshbuf.h
   - djm@cvs.openbsd.org 2014/07/03 05:32:36
     [ssh_config.5]
     mention '%%' escape sequence in HostName directives and how it may
     be used to specify IPv6 link-local addresses
   - djm@cvs.openbsd.org 2014/07/03 05:38:17
     [ssh.1]
     document that -g will only work in the multiplexed case if applied to
     the mux master
   - djm@cvs.openbsd.org 2014/07/03 06:39:19
     [ssh.c ssh_config.5]
     Add a %C escape sequence for LocalCommand and ControlPath that expands
     to a unique identifer based on a has of the tuple of (local host,
     remote user, hostname, port).
     
     Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
     control paths.
     
     bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
   - jmc@cvs.openbsd.org 2014/07/03 07:45:27
     [ssh_config.5]
     escape %C since groff thinks it part of an Rs/Re block;
   - djm@cvs.openbsd.org 2014/07/03 11:16:55
     [auth.c auth.h auth1.c auth2.c]
     make the "Too many authentication failures" message include the
     user, source address, port and protocol in a format similar to the
     authentication success / failure messages; bz#2199, ok dtucker

20140702
 - OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
     [sandbox-systrace.c]
     permit SYS_getentropy
     from matthew
   - matthew@cvs.openbsd.org 2014/06/18 02:59:13
     [sandbox-systrace.c]
     Now that we have a dedicated getentropy(2) system call for
     arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
     sandbox.
     
     ok djm
   - naddy@cvs.openbsd.org 2014/06/18 15:42:09
     [sshbuf-getput-crypto.c]
     The ssh_get_bignum functions must accept the same range of bignums
     the corresponding ssh_put_bignum functions create.  This fixes the
     use of 16384-bit RSA keys (bug reported by Eivind Evensen).
     ok djm@
   - djm@cvs.openbsd.org 2014/06/24 00:52:02
     [krl.c]
     fix bug in KRL generation: multiple consecutive revoked certificate
     serial number ranges could be serialised to an invalid format.
     
     Readers of a broken KRL caused by this bug will fail closed, so no
     should-have-been-revoked key will be accepted.
   - djm@cvs.openbsd.org 2014/06/24 01:13:21
     [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.
     
     with and ok markus@
     
     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.
     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
   - djm@cvs.openbsd.org 2014/06/24 02:19:48
     [ssh.c]
     don't fatal() when hostname canonicalisation fails with a
     ProxyCommand in use; continue and allow the ProxyCommand to
     connect anyway (e.g. to a host with a name outside the DNS
     behind a bastion)
   - djm@cvs.openbsd.org 2014/06/24 02:21:01
     [scp.c]
     when copying local->remote fails during read, don't send uninitialised
     heap to the remote end. Reported by Jann Horn
   - deraadt@cvs.openbsd.org 2014/06/25 14:16:09
     [sshbuf.c]
     unblock SIGSEGV before raising it
     ok djm
   - markus@cvs.openbsd.org 2014/06/27 16:41:56
     [channels.c channels.h clientloop.c ssh.c]
     fix remote fwding with same listen port but different listen address
     with gerhard@, ok djm@
   - markus@cvs.openbsd.org 2014/06/27 18:50:39
     [ssh-add.c]
     fix loading of private keys
   - djm@cvs.openbsd.org 2014/06/30 12:54:39
     [key.c]
     suppress spurious error message when loading key with a passphrase;
     reported by kettenis@ ok markus@
   - djm@cvs.openbsd.org 2014/07/02 04:59:06
     [cipher-3des1.c]
     fix ssh protocol 1 on the server that regressed with the sshkey change
     (sometimes fatal() after auth completed), make file return useful status
     codes.
     NB. Id sync only for these two. They were bundled into the sshkey merge
     above, since it was easier to sync the entire file and then apply
     portable-specific changed atop it.
   - djm@cvs.openbsd.org 2014/04/30 05:32:00
     [regress/Makefile]
     unit tests for new buffer API; including basic fuzz testing
     NB. Id sync only.
   - djm@cvs.openbsd.org 2014/05/21 07:04:21
     [regress/integrity.sh]
     when failing because of unexpected output, show the offending output
   - djm@cvs.openbsd.org 2014/06/24 01:04:43
     [regress/krl.sh]
     regress test for broken consecutive revoked serial number ranges
   - djm@cvs.openbsd.org 2014/06/24 01:14:17
     [Makefile.in regress/Makefile regress/unittests/Makefile]
     [regress/unittests/sshkey/Makefile]
     [regress/unittests/sshkey/common.c]
     [regress/unittests/sshkey/common.h]
     [regress/unittests/sshkey/mktestdata.sh]
     [regress/unittests/sshkey/test_file.c]
     [regress/unittests/sshkey/test_fuzz.c]
     [regress/unittests/sshkey/test_sshkey.c]
     [regress/unittests/sshkey/tests.c]
     [regress/unittests/sshkey/testdata/dsa_1]
     [regress/unittests/sshkey/testdata/dsa_1-cert.fp]
     [regress/unittests/sshkey/testdata/dsa_1-cert.pub]
     [regress/unittests/sshkey/testdata/dsa_1.fp]
     [regress/unittests/sshkey/testdata/dsa_1.fp.bb]
     [regress/unittests/sshkey/testdata/dsa_1.param.g]
     [regress/unittests/sshkey/testdata/dsa_1.param.priv]
     [regress/unittests/sshkey/testdata/dsa_1.param.pub]
     [regress/unittests/sshkey/testdata/dsa_1.pub]
     [regress/unittests/sshkey/testdata/dsa_1_pw]
     [regress/unittests/sshkey/testdata/dsa_2]
     [regress/unittests/sshkey/testdata/dsa_2.fp]
     [regress/unittests/sshkey/testdata/dsa_2.fp.bb]
     [regress/unittests/sshkey/testdata/dsa_2.pub]
     [regress/unittests/sshkey/testdata/dsa_n]
     [regress/unittests/sshkey/testdata/dsa_n_pw]
     [regress/unittests/sshkey/testdata/ecdsa_1]
     [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
     [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
     [regress/unittests/sshkey/testdata/ecdsa_1.fp]
     [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
     [regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
     [regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
     [regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
     [regress/unittests/sshkey/testdata/ecdsa_1.pub]
     [regress/unittests/sshkey/testdata/ecdsa_1_pw]
     [regress/unittests/sshkey/testdata/ecdsa_2]
     [regress/unittests/sshkey/testdata/ecdsa_2.fp]
     [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
     [regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
     [regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
     [regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
     [regress/unittests/sshkey/testdata/ecdsa_2.pub]
     [regress/unittests/sshkey/testdata/ecdsa_n]
     [regress/unittests/sshkey/testdata/ecdsa_n_pw]
     [regress/unittests/sshkey/testdata/ed25519_1]
     [regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
     [regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
     [regress/unittests/sshkey/testdata/ed25519_1.fp]
     [regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
     [regress/unittests/sshkey/testdata/ed25519_1.pub]
     [regress/unittests/sshkey/testdata/ed25519_1_pw]
     [regress/unittests/sshkey/testdata/ed25519_2]
     [regress/unittests/sshkey/testdata/ed25519_2.fp]
     [regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
     [regress/unittests/sshkey/testdata/ed25519_2.pub]
     [regress/unittests/sshkey/testdata/pw]
     [regress/unittests/sshkey/testdata/rsa1_1]
     [regress/unittests/sshkey/testdata/rsa1_1.fp]
     [regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
     [regress/unittests/sshkey/testdata/rsa1_1.param.n]
     [regress/unittests/sshkey/testdata/rsa1_1.pub]
     [regress/unittests/sshkey/testdata/rsa1_1_pw]
     [regress/unittests/sshkey/testdata/rsa1_2]
     [regress/unittests/sshkey/testdata/rsa1_2.fp]
     [regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
     [regress/unittests/sshkey/testdata/rsa1_2.param.n]
     [regress/unittests/sshkey/testdata/rsa1_2.pub]
     [regress/unittests/sshkey/testdata/rsa_1]
     [regress/unittests/sshkey/testdata/rsa_1-cert.fp]
     [regress/unittests/sshkey/testdata/rsa_1-cert.pub]
     [regress/unittests/sshkey/testdata/rsa_1.fp]
     [regress/unittests/sshkey/testdata/rsa_1.fp.bb]
     [regress/unittests/sshkey/testdata/rsa_1.param.n]
     [regress/unittests/sshkey/testdata/rsa_1.param.p]
     [regress/unittests/sshkey/testdata/rsa_1.param.q]
     [regress/unittests/sshkey/testdata/rsa_1.pub]
     [regress/unittests/sshkey/testdata/rsa_1_pw]
     [regress/unittests/sshkey/testdata/rsa_2]
     [regress/unittests/sshkey/testdata/rsa_2.fp]
     [regress/unittests/sshkey/testdata/rsa_2.fp.bb]
     [regress/unittests/sshkey/testdata/rsa_2.param.n]
     [regress/unittests/sshkey/testdata/rsa_2.param.p]
     [regress/unittests/sshkey/testdata/rsa_2.param.q]
     [regress/unittests/sshkey/testdata/rsa_2.pub]
     [regress/unittests/sshkey/testdata/rsa_n]
     [regress/unittests/sshkey/testdata/rsa_n_pw]
     unit and fuzz tests for new key API
 - (djm) [sshkey.c] Conditionalise inclusion of util.h
 - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test

20140618
 - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare

20140617
 - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
   openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
   Move the OpenSSL header/library version test into its own function and add
   tests for it. Fix it to allow fix version upgrades (but not downgrades).
   Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
   ok djm@ chl@

20140616
 - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR.  From rak at debian via
   OpenSMTPD and chl@

20140612
 - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
   been removed from sshd.c.

20140611
 - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
   openbsd-compat/bsd-asprintf.c.
 - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
   Wrap stdlib.h include an ifdef for platforms that don't have it.
 - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
   u_intXX_t types.

20140610
 - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
   regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
   curve tests if OpenSSL has them.
 - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
   the proposal if the version of OpenSSL we're using doesn't support ECC.
 - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
   ECC variable too.
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/06/05 22:17:50
     [sshconnect2.c]
     fix inverted test that caused PKCS#11 keys that were explicitly listed
     not to be preferred. Reported by Dirk-Willem van Gulik
   - dtucker@cvs.openbsd.org 2014/06/10 21:46:11
     [sshbuf.h]
     Group ECC functions together to make things a little easier in -portable.
     "doesn't bother me" deraadt@
 - (dtucker) [sshbuf.h] Only declare ECC functions if building without
   OpenSSL or if OpenSSL has ECC.
 - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
   assigment that might get optimized out.  ok djm@
 - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
   compat stuff, specifically whether or not OpenSSL has ECC.

20140527
 - (djm) [cipher.c] Fix merge botch.
 - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
   from Corinna Vinschen, fixing a number of bugs and preparing for
   Cygwin 1.7.30.
 - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
   [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
   separation user at runtime, since it may need to be a domain account.
   Patch from Corinna Vinschen.

20140522
 - (djm) [Makefile.in] typo in path

20140521
 - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
   vhangup on Linux. It doens't work for non-root users, and for them
   it just messes up the tty settings.
 - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
   when it is available. It takes into account time spent suspended,
   thereby ensuring timeouts (e.g. for expiring agent keys) fire
   correctly. bz#2228 reported by John Haxby

20140519
 - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
   OpenBSD
 - OpenBSD CVS Sync
   - logan@cvs.openbsd.org 2014/04/20 09:24:26
     [dns.c dns.h ssh-keygen.c]
     Add support for SSHFP DNS records for ED25519 key types.
     OK from djm@
   - logan@cvs.openbsd.org 2014/04/21 14:36:16
     [sftp-client.c sftp-client.h sftp.c]
     Implement sftp upload resume support.
     OK from djm@, with input from guenther@, mlarkin@ and
     okan@
   - logan@cvs.openbsd.org 2014/04/22 10:07:12
     [sftp.c]
     Sort the sftp command list.
     OK from djm@
   - logan@cvs.openbsd.org 2014/04/22 12:42:04
     [sftp.1]
     Document sftp upload resume.
     OK from djm@, with feedback from okan@.
   - jmc@cvs.openbsd.org 2014/04/22 14:16:30
     [sftp.1]
     zap eol whitespace;
   - djm@cvs.openbsd.org 2014/04/23 12:42:34
     [readconf.c]
     don't record duplicate IdentityFiles
   - djm@cvs.openbsd.org 2014/04/28 03:09:18
     [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
     [ssh-keygen.c]
     buffer_get_string_ptr's return should be const to remind
     callers that futzing with it will futz with the actual buffer
     contents
   - djm@cvs.openbsd.org 2014/04/29 13:10:30
     [clientloop.c serverloop.c]
     bz#1818 - don't send channel success/failre replies on channels that
     have sent a close already; analysis and patch from Simon Tatham;
     ok markus@
   - markus@cvs.openbsd.org 2014/04/29 18:01:49
     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
   - dtucker@cvs.openbsd.org 2014/04/29 19:58:50
     [sftp.c]
     Move nulling of variable next to where it's freed.  ok markus@
   - dtucker@cvs.openbsd.org 2014/04/29 20:36:51
     [sftp.c]
     Don't attempt to append a nul quote char to the filename.  Should prevent
     fatal'ing with "el_insertstr failed" when there's a single quote char
     somewhere in the string.  bz#2238, ok markus@
   - djm@cvs.openbsd.org 2014/04/30 05:29:56
     [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
     [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
     [ssherr.h]
     New buffer API; the first installment of the conversion/replacement
     of OpenSSH's internals to make them usable as a standalone library.
     
     This includes a set of wrappers to make it compatible with the
     existing buffer API so replacement can occur incrementally.
     
     With and ok markus@
     
     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review.
   - naddy@cvs.openbsd.org 2014/04/30 19:07:48
     [mac.c myproposal.h umac.c]
     UMAC can use our local fallback implementation of AES when OpenSSL isn't
     available.  Glue code straight from Ted Krovetz's original umac.c.
     ok markus@
   - djm@cvs.openbsd.org 2014/05/02 03:27:54
     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
     [misc.h poly1305.h ssh-pkcs11.c defines.h]
     revert __bounded change; it causes way more problems for portable than
     it solves; pointed out by dtucker@
   - markus@cvs.openbsd.org 2014/05/03 17:20:34
     [monitor.c packet.c packet.h]
     unbreak compression, by re-init-ing the compression code in the
     post-auth child. the new buffer code is more strict, and requires
     buffer_init() while the old code was happy after a bzero();
     originally from djm@
   - logan@cvs.openbsd.org 2014/05/05 07:02:30
     [sftp.c]
     Zap extra whitespace.
     
     OK from djm@ and dtucker@
 - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
   portability glue to support building without libcrypto
 - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
   [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/03/13 20:44:49
     [login-timeout.sh]
     this test is a sorry mess of race conditions; add another sleep
     to avoid a failure on slow machines (at least until I find a
     better way)
   - djm@cvs.openbsd.org 2014/04/21 22:15:37
     [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
     repair regress tests broken by server-side default cipher/kex/mac changes
     by ensuring that the option under test is included in the server's
     algorithm list
   - dtucker@cvs.openbsd.org 2014/05/03 18:46:14
     [proxy-connect.sh]
     Add tests for with and without compression, with and without privsep.
   - logan@cvs.openbsd.org 2014/05/04 10:40:59
     [connect-privsep.sh]
     Remove the Z flag from the list of malloc options as it
     was removed from malloc.c 10 days ago.
     
     OK from miod@
 - (djm) [regress/unittests/Makefile]
   [regress/unittests/Makefile.inc]
   [regress/unittests/sshbuf/Makefile]
   [regress/unittests/sshbuf/test_sshbuf.c]
   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
   [regress/unittests/sshbuf/test_sshbuf_misc.c]
   [regress/unittests/sshbuf/tests.c]
   [regress/unittests/test_helper/Makefile]
   [regress/unittests/test_helper/fuzz.c]
   [regress/unittests/test_helper/test_helper.c]
   [regress/unittests/test_helper/test_helper.h]
   Import new unit tests from OpenBSD; not yet hooked up to build.
 - (djm) [regress/Makefile Makefile.in]
   [regress/unittests/sshbuf/test_sshbuf.c
   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
   [regress/unittests/sshbuf/test_sshbuf_misc.c]
   [regress/unittests/sshbuf/tests.c]
   [regress/unittests/test_helper/fuzz.c]
   [regress/unittests/test_helper/test_helper.c]
   Hook new unit tests into the build and "make tests"
 - (djm) [sshbuf.c] need __predict_false

20140430
 - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
   have it.  Only attempt to use __attribute__(__bounded__) for gcc.

20140420
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/03/03 22:22:30
     [session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
     Id sync only - portable already has this.
   - djm@cvs.openbsd.org 2014/03/12 04:44:58
     [ssh-keyscan.c]
     scan for Ed25519 keys by default too
   - djm@cvs.openbsd.org 2014/03/12 04:50:32
     [auth-bsdauth.c ssh-keygen.c]
     don't count on things that accept arguments by reference to clear
     things for us on error; most things do, but it's unsafe form.
   - djm@cvs.openbsd.org 2014/03/12 04:51:12
     [authfile.c]
     correct test that kdf name is not "none" or "bcrypt"
   - naddy@cvs.openbsd.org 2014/03/12 13:06:59
     [ssh-keyscan.1]
     scan for Ed25519 keys by default too
   - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form. 
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
   - tedu@cvs.openbsd.org 2014/03/17 19:44:10
     [ssh.1]
     old descriptions of des and blowfish are old. maybe ok deraadt
   - tedu@cvs.openbsd.org 2014/03/19 14:42:44
     [scp.1]
     there is no need for rcp anymore
     ok deraadt millert
   - markus@cvs.openbsd.org 2014/03/25 09:40:03
     [myproposal.h]
     trimm default proposals.
     
     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
     (arcfour), and the broken modes (CBC) from the default configuration
     (the patch only changes the default, all the modes are still available
     for the config files).
     
     ok djm@, reminded by tedu@ & naddy@ and discussed with many
   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
     [myproposal.h]
     The current sharing of myproposal[] between both client and server code
     makes the previous diff highly unpallatable.  We want to go in that
     direction for the server, but not for the client.  Sigh.
     Brought up by naddy.
   - markus@cvs.openbsd.org 2014/03/27 23:01:27
     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     disable weak proposals in sshd, but keep them in ssh; ok djm@
   - djm@cvs.openbsd.org 2014/03/26 04:55:35
     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
     [misc.h poly1305.h ssh-pkcs11.c]
     use __bounded(...) attribute recently added to sys/cdefs.h instead of
     longform __attribute__(__bounded(...));
     
     for brevity and a warning free compilation with llvm/clang
   - tedu@cvs.openbsd.org 2014/03/26 19:58:37
     [sshd.8 sshd.c]
     remove libwrap support. ok deraadt djm mfriedl
   - naddy@cvs.openbsd.org 2014/03/28 05:17:11
     [ssh_config.5 sshd_config.5]
     sync available and default algorithms, improve algorithm list formatting
     help from jmc@ and schwarze@, ok deraadt@
   - jmc@cvs.openbsd.org 2014/03/31 13:39:34
     [ssh-keygen.1]
     the text for the -K option was inserted in the wrong place in -r1.108;
     fix From: Matthew Clarke
   - djm@cvs.openbsd.org 2014/04/01 02:05:27
     [ssh-keysign.c]
     include fingerprint of key not found
     use arc4random_buf() instead of loop+arc4random()
   - djm@cvs.openbsd.org 2014/04/01 03:34:10
     [sshconnect.c]
     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
     certificate keys to plain keys and attempt SSHFP resolution.
     
     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
     dialog by offering only certificate keys.
     
     Reported by mcv21 AT cam.ac.uk
   - djm@cvs.openbsd.org 2014/04/01 05:32:57
     [packet.c]
     demote a debug3 to PACKET_DEBUG; ok markus@
   - djm@cvs.openbsd.org 2014/04/12 04:55:53
     [sshd.c]
     avoid crash at exit: check that pmonitor!=NULL before dereferencing;
     bz#2225, patch from kavi AT juniper.net
   - djm@cvs.openbsd.org 2014/04/16 23:22:45
     [bufaux.c]
     skip leading zero bytes in buffer_put_bignum2_from_string();
     reported by jan AT mojzis.com; ok markus@
   - djm@cvs.openbsd.org 2014/04/16 23:28:12
     [ssh-agent.1]
     remove the identity files from this manpage - ssh-agent doesn't deal
     with them at all and the same information is duplicated in ssh-add.1
     (which does deal with them); prodded by deraadt@
   - djm@cvs.openbsd.org 2014/04/18 23:52:25
     [compat.c compat.h sshconnect2.c sshd.c version.h]
     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
     using the curve25519-sha256@libssh.org KEX exchange method to fail
     when connecting with something that implements the spec properly.
     
     Disable this KEX method when speaking to one of the affected
     versions.
     
     reported by Aris Adamantiadis; ok markus@
   - djm@cvs.openbsd.org 2014/04/19 05:54:59
     [compat.c]
     missing wildcard; pointed out by naddy@
   - tedu@cvs.openbsd.org 2014/04/19 14:53:48
     [ssh-keysign.c sshd.c]
     Delete futile calls to RAND_seed. ok djm
     NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
   - tedu@cvs.openbsd.org 2014/04/19 18:15:16
     [sshd.8]
     remove some really old rsh references
   - tedu@cvs.openbsd.org 2014/04/19 18:42:19
     [ssh.1]
     delete .xr to hosts.equiv. there's still an unfortunate amount of
     documentation referring to rhosts equivalency in here.
   - djm@cvs.openbsd.org 2014/04/20 02:30:25
     [misc.c misc.h umac.c]
     use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
     strict-alignment architectures; reported by and ok stsp@
   - djm@cvs.openbsd.org 2014/04/20 02:49:32
     [compat.c]
     add a canonical 6.6 + curve25519 bignum fix fake version that I can
     recommend people use ahead of the openssh-6.7 release

20140401
 - (djm) On platforms that support it, use prctl() to prevent sftp-server
   from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
 - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
   version. From des@des.no

20140317
 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
   remind myself to add sandbox violation logging via the log socket.

20140314
 - (tim) [opensshd.init.in] Add support for ed25519

20140313
 - (djm) Release OpenSSH 6.6

20140304
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/03/03 22:22:30
     [session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@

20140301
 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
   no moduli file exists at the expected location.

20140228
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/02/27 00:41:49
     [bufbn.c]
     fix unsigned overflow that could lead to reading a short ssh protocol
     1 bignum value; found by Ben Hawkes; ok deraadt@
   - djm@cvs.openbsd.org 2014/02/27 08:25:09
     [bufbn.c]
     off by one in range check
   - djm@cvs.openbsd.org 2014/02/27 22:47:07
     [sshd_config.5]
     bz#2184 clarify behaviour of a keyword that appears in multiple
     matching Match blocks; ok dtucker@
   - djm@cvs.openbsd.org 2014/02/27 22:57:40
     [version.h]
     openssh-6.6
   - dtucker@cvs.openbsd.org 2014/01/19 23:43:02
     [regress/sftp-chroot.sh]
     Don't use -q on sftp as it suppresses logging, instead redirect the
     output to the regress logfile.
   - dtucker@cvs.openbsd.org 2014/01/20 00:00:30
     [sregress/ftp-chroot.sh]
     append to rather than truncating the log file
   - dtucker@cvs.openbsd.org 2014/01/25 04:35:32
     [regress/Makefile regress/dhgex.sh]
     Add a test for DH GEX sizes
   - djm@cvs.openbsd.org 2014/01/26 10:22:10
     [regress/cert-hostkey.sh]
     automatically generate revoked keys from listed keys rather than
     manually specifying each type; from portable
     (Id sync only)
   - djm@cvs.openbsd.org 2014/01/26 10:49:17
     [scp-ssh-wrapper.sh scp.sh]
     make sure $SCP is tested on the remote end rather than whichever one
     happens to be in $PATH; from portable
     (Id sync only)
   - djm@cvs.openbsd.org 2014/02/27 20:04:16
     [login-timeout.sh]
     remove any existing LoginGraceTime from sshd_config before adding
     a specific one for the test back in
   - djm@cvs.openbsd.org 2014/02/27 21:21:25
     [agent-ptrace.sh agent.sh]
     keep return values that are printed in error messages;
     from portable
     (Id sync only)
 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Crank version numbers
 - (djm) [regress/host-expand.sh] Add RCS Id

20140227
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2014/02/26 20:18:37
     [ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
