add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

show more ...

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ss

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

show more ...

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h