5cbec4c259
- djm@cvs.openbsd.org 2013/03/06 23:36:53
...
[readconf.c]
g/c unused variable (-Wunused)
2013-04-23 15:17:12 +10:00
998cc56b65
- djm@cvs.openbsd.org 2013/03/06 23:35:23
...
[session.c]
fatal() when ChrootDirectory specified by running without root privileges;
ok markus@
2013-04-23 15:16:43 +10:00
62e9c4f9b6
- (djm) OpenBSD CVS Sync
...
- markus@cvs.openbsd.org 2013/03/05 20:16:09
[sshconnect2.c]
reset pubkey order on partial success; ok djm@
2013-04-23 15:15:49 +10:00
6332da2ae8
- (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support
...
platforms, such as Android, that lack struct passwd.pw_gecos. Report
and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@
2013-04-23 14:25:52 +10:00
ce1c9574fc
- (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from
...
unused argument warnings (in particular, -fno-builtin-memset) from clang.
2013-04-18 21:36:19 +10:00
bc68f2451b
- (djm) [config.guess config.sub] Update to last versions before they switch
...
to GPL3. ok dtucker@
2013-04-18 11:26:25 +10:00
15fd19c4c9
- djm@cvs.openbsd.org 2013/02/22 22:09:01
...
[ssh.c]
Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier
version)
2013-04-05 11:22:26 +11:00
5d1d9541a7
- markus@cvs.openbsd.org 2013/02/22 19:13:56
...
[sshconnect.c]
support ProxyCommand=- (stdin/out already point to the proxy); ok djm@
2013-04-05 11:20:00 +11:00
aefa368243
- dtucker@cvs.openbsd.org 2013/02/22 04:45:09
...
[ssh.c readconf.c readconf.h]
Don't complain if IdentityFiles specified in system-wide configs are
missing. ok djm, deraadt
2013-04-05 11:18:35 +11:00
f3c3814243
- dtucker@cvs.openbsd.org 2013/02/19 02:12:47
...
[krl.c]
Remove bogus include. ok djm
(id sync only)
2013-04-05 11:16:52 +11:00
1910478c2d
- dtucker@cvs.openbsd.org 2013/02/17 23:16:57
...
[readconf.c ssh.c readconf.h sshconnect2.c]
Keep track of which IndentityFile options were manually supplied and which
were default options, and don't warn if the latter are missing.
ok markus@
2013-04-05 11:13:08 +11:00
c9627cdbc6
- (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h
...
to avoid conflicting definitions of __int64, adding the required bits.
Patch from Corinna Vinschen.
2013-04-01 12:40:48 +11:00
75db01d2ce
- (tim) [Makefile.in] remove some duplication introduced in 20130220 commit.
2013-03-22 10:14:32 -07:00
221b4b2436
- (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before
...
defining it again. Prevents warnings if someone, eg, sets it in CFLAGS.
2013-03-22 12:51:09 +11:00
c8a0f27c6d
- (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype.
2013-03-22 12:49:14 +11:00
eed8dc2610
- (djm) Release 6.2p1
2013-03-22 10:25:22 +11:00
83efe7c861
- (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
...
Hands' greatly revised version.
2013-03-22 10:17:36 +11:00
63b4bcd04e
- (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
...
[openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
so mark it as broken. Patch from des AT des.no
2013-03-20 12:55:14 +11:00
aa86c3970f
- (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none
...
of the bits the configure test looks for.
2013-03-16 20:55:46 -07:00
5852840190
- (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
...
occur after UID switch; patch from John Marshall via des AT des.no;
ok dtucker@
2013-03-15 11:22:37 +11:00
f4db77d766
- (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
...
Add a usleep replacement for platforms that lack it; ok dtucker
2013-03-15 10:34:25 +11:00
a2438bbd28
- (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform
...
is unable to successfully compile them. Based on patch from des AT
des.no
2013-03-15 10:23:07 +11:00
aa97d13fa2
- (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin")
...
in addition to root as an owner of system directories on AIX and HP-UX.
ok djm@
2013-03-12 11:31:05 +11:00
fe10a28e08
- (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh]
...
Improve portability of cipher-speed test, based mostly on a patch from
Iain Morgan.
2013-03-12 11:19:40 +11:00
e4f4347822
- (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a
...
chance to complete on broken systems; ok dtucker@
2013-03-08 12:14:22 +11:00
2b6ea47106
- (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days
...
ago.
2013-03-07 07:37:13 -08:00
4d1a0fe029
remove extra word
2013-03-07 20:14:34 +11:00
9243ef086f
- (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it is
...
was removed in configure.ac rev 1.481 as it was redundant.
2013-03-07 20:06:13 +11:00
b3cd503742
- (dtucker) [INSTALL] Bump documented autoconf version to what we're
...
currently using.
2013-03-07 12:33:35 +11:00
ff008ded7f
- (dtucker) [configure.ac] test that we can set number of file descriptors
...
to zero with setrlimit before enabling the rlimit sandbox. This affects
(at least) HPUX 11.11.
2013-03-06 17:48:48 +11:00
834a0d6d54
- (dtucker) [regress/forward-control.sh] Wait longer for the forwarding
...
connection to start so that the test works on slower machines.
2013-03-06 14:06:48 +11:00
ff8bda8f05
- (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov.
2013-03-05 14:23:58 -08:00
29c7151d20
- (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure
...
build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin
Brott.
2013-03-05 21:50:09 +11:00
fef9f7c3d1
add Amit.
2013-03-05 20:02:24 +11:00
5f0e54c892
- (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by
...
Kevin Brott.
2013-03-05 19:57:39 +11:00
43e5e60bad
- (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for
...
HP/UX. Spotted by Kevin Brott
2013-03-05 09:49:00 +11:00
21f591b6d9
- (tim) [regress/krl.sh] keep old solaris awk from hanging.
2013-02-26 22:48:31 -08:00
ada7e17ae5
- (tim) [regress/integrity.sh] keep old solaris awk from hanging.
2013-02-26 21:49:09 -08:00
f9e2060ca9
- (tim) [regress/integrity.sh] shell portability fix.
2013-02-26 20:27:29 -08:00
a514bc05b1
- (tim) [regress/forward-control.sh] use sh in case login shell is csh.
2013-02-26 19:35:26 -08:00
c0cc7ce166
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Crank version numbers
2013-02-27 10:48:18 +11:00
6c21bb8c4a
- (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage
...
for UsePAM=yes configuration
2013-02-26 19:41:30 +11:00
1e657d592d
- djm@cvs.openbsd.org 2013/02/20 08:27:50
...
[integrity.sh]
Add an option to modpipe that warns if the modification offset it not
reached in it's stream and turn it on for t-integrity. This should catch
cases where the session is not fuzzed for being too short (cf. my last
"oops" commit)
2013-02-26 18:58:06 +11:00
03978c61f3
- (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed
...
to use Solaris native GSS libs. Patch from Pierre Ossman.
2013-02-25 11:24:44 +11:00
a423fefb89
welcome to 2013
2013-02-25 10:32:27 +11:00
b87f6b70f8
- (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer
...
bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu.
ok tim
2013-02-23 09:12:23 +11:00
91f40d8592
- (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
...
seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
ok dtucker
2013-02-22 11:37:00 +11:00
a2b5a4c746
- (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named
...
libgss too. Patch from Pierre Ossman, ok djm.
2013-02-22 10:43:15 +11:00
964de184a8
- (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to
...
ssh(1) since they're not needed. Patch from Pierre Ossman.
2013-02-22 10:39:59 +11:00
0ec7423692
- (tim) [regress/forward-control.sh] shell portability fix.
2013-02-20 21:37:55 -08:00
5acc6be981
- djm@cvs.openbsd.org 2013/02/20 08:29:27
...
[regress/modpipe.c]
s/Id/OpenBSD/ in RCS tag
2013-02-20 21:16:07 +11:00
283e575a7d
- djm@cvs.openbsd.org 2013/02/20 08:27:50
...
[regress/integrity.sh regress/modpipe.c]
Add an option to modpipe that warns if the modification offset it not
reached in it's stream and turn it on for t-integrity. This should catch
cases where the session is not fuzzed for being too short (cf. my last
"oops" commit)
2013-02-20 21:13:27 +11:00
c31db8cd6e
- (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded
...
err.h include from krl.c. Additional portability fixes for modpipe. OK djm
2013-02-19 19:01:51 -08:00
c08b3ef6f4
- (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix.
2013-02-19 11:53:29 -08:00
dae85cc3ad
- (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that
...
lack support for SHA2.
2013-02-19 14:27:44 +11:00
b3764e1202
- djm@cvs.openbsd.org 2013/02/19 02:14:09
...
[integrity.sh]
oops, forgot to increase the output of the ssh command to ensure that
we actually reach $offset
2013-02-19 13:15:01 +11:00
0dc3bc908e
- djm@cvs.openbsd.org 2013/02/18 22:26:47
...
[integrity.sh]
crank the offset yet again; it was still fuzzing KEX one of Darren's
portable test hosts at 2800
2013-02-19 09:28:32 +11:00
33d52566bc
- djm@cvs.openbsd.org 2013/02/17 23:16:55
...
[integrity.sh]
make the ssh command generates some output to ensure that there are at
least offset+tries bytes in the stream.
2013-02-18 10:18:05 +11:00
5d7b9565bc
- djm@cvs.openbsd.org 2013/02/16 06:08:45
...
[integrity.sh]
make sure the fuzz offset is actually past the end of KEX for all KEX
types. diffie-hellman-group-exchange-sha256 requires an offset around
2700. Noticed via test failures in portable OpenSSH on platforms that
lack ECC and this the more byte-frugal ECDH KEX algorithms.
2013-02-16 17:32:31 +11:00
2991d288db
- (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes
...
an argument. Pointed out by djm.
2013-02-15 14:55:38 +11:00
f32db83f41
- (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul,
...
group strto* function prototypes together.
2013-02-15 12:20:41 +11:00
5ceddc31cd
- dtucker@cvs.openbsd.org 2013/02/15 00:21:01
...
[sshconnect2.c]
Warn more loudly if an IdentityFile provided by the user cannot be read.
bz #1981 , ok djm@
2013-02-15 12:18:32 +11:00
8e6fb780e5
- (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c
...
openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
platforms that don't have it.
2013-02-15 12:13:01 +11:00
3c4a24c3e3
- (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
...
Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
2013-02-15 11:41:35 +11:00
4018dc04da
- djm@cvs.openbsd.org 2013/02/14 21:35:59
...
[auth2-pubkey.c]
Correct error message that had a typo and was logging the wrong thing;
patch from Petr Lautrbach
2013-02-15 10:28:55 +11:00
91edc1ce2b
- (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from
...
Iain Morgan
2013-02-15 10:23:44 +11:00
57f9218528
- (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead
...
of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by
Iain Morgan
2013-02-14 10:32:33 +11:00
6d77d6ea2b
- (djm) [regress/krl.sh] typo; found by Iain Morgan
2013-02-14 10:31:03 +11:00
2653f5c0a6
- (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC.
2013-02-14 10:14:51 +11:00
2f20de5e3f
- (djm) [regress/try-ciphers.sh] clean up CVS merge botch
2013-02-12 11:31:38 +11:00
58e2c5b394
- djm@cvs.openbsd.org 2013/02/11 23:58:51
...
[try-ciphers.sh]
remove acss here too
2013-02-12 11:16:57 +11:00
22e8a1e169
- dtucker@cvs.openbsd.org 2013/02/11 21:21:58
...
[sshd.c]
Add openssl version to debug output similar to the client. ok markus@
2013-02-12 11:04:48 +11:00
894926ebd8
- djm@cvs.openbsd.org 2013/02/10 23:35:24
...
[packet.c]
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@
2013-02-12 11:03:58 +11:00
78d22713c7
- djm@cvs.openbsd.org 2013/02/10 23:32:10
...
[ssh-keygen.c]
append to moduli file when screening candidates rather than overwriting.
allows resumption of interrupted screen; patch from Christophe Garault
in bz#1957; ok dtucker@
2013-02-12 11:03:36 +11:00
fd05154dc4
- markus@cvs.openbsd.org 2013/02/10 21:19:34
...
[version.h]
openssh 6.2
2013-02-12 11:03:10 +11:00
d6d9fa0281
- djm@cvs.openbsd.org 2013/02/08 00:41:12
...
[sftp.c]
fix NULL deref when built without libedit and control characters
entered as command; debugging and patch from Iain Morgan an
Loganaden Velvindron in bz#1956
2013-02-12 11:02:46 +11:00
18de9133c2
- dtucker@cvs.openbsd.org 2013/02/06 00:22:21
...
[auth.c]
Fix comment, from jfree.e1 at gmail
2013-02-12 11:02:27 +11:00
1f583df8c3
- dtucker@cvs.openbsd.org 2013/02/06 00:20:42
...
[servconf.c sshd_config sshd_config.5]
Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
2013-02-12 11:02:08 +11:00
0cd2f8e5f8
- djm@cvs.openbsd.org 2013/01/27 10:06:12
...
[krl.c]
actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
2013-02-12 11:01:39 +11:00
f0a8ded824
- djm@cvs.openbsd.org 2013/01/26 06:11:05
...
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
[openbsd-compat/openssl-compat.h]
remove ACSS, now that it is gone from libcrypto too
2013-02-12 11:00:34 +11:00
60565bcb5c
- djm@cvs.openbsd.org 2013/01/25 10:22:19
...
[krl.c]
redo last commit without the vi-vomit that snuck in:
skip serial lookup when cert's serial number is zero
(now with 100% better comment)
2013-02-12 10:56:42 +11:00
377d9a44f9
- krw@cvs.openbsd.org 2013/01/25 05:00:27
...
[krl.c]
Revert last. Breaks due to likely typo. Let djm@ fix later.
ok djm@ via dlg@
2013-02-12 10:55:16 +11:00
6045f5d574
- djm@cvs.openbsd.org 2013/01/24 22:08:56
...
[krl.c]
skip serial lookup when cert's serial number is zero
2013-02-12 10:54:54 +11:00
ea078462ea
- (djm) OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2013/01/24 21:45:37
[krl.c]
fix handling of (unused) KRL signatures; skip string in correct buffer
2013-02-12 10:54:37 +11:00
b6f73b3af6
- (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
...
libcrypto that lacks EVP_CIPHER_CTX_ctrl
2013-02-11 10:39:12 +11:00
951b53b1be
- (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
...
__attribute__ on return values and work around if necessary. ok djm@
2013-02-08 11:50:09 +11:00
e7f50e1c18
- (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
...
patch from Iain Morgan in bz#2059
2013-02-08 10:49:37 +11:00
5c3bbd76aa
- (djm) [configure.ac] Don't probe seccomp capability of running kernel
...
at configure time; the seccomp sandbox will fall back to rlimit at
runtime anyway. Patch from plautrba AT redhat.com in bz#2011
2013-02-07 10:11:05 +11:00
dc75d1fc04
- (djm) [regress/krl.sh] replacement for jot; most platforms lack it
2013-01-20 22:58:51 +11:00
d60b210830
- (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
...
version.
2013-01-20 22:49:58 +11:00
a7522d9fc0
- markus@cvs.openbsd.org 2013/01/19 12:34:55
...
[krl.c]
RB_INSERT does not remove existing elments; ok djm@
2013-01-20 22:35:31 +11:00
a0a7ee8bf4
- jmc@cvs.openbsd.org 2013/01/19 07:13:25
...
[ssh-keygen.1]
fix some formatting; ok djm
2013-01-20 22:35:06 +11:00
881a7a2c5d
- jmc@cvs.openbsd.org 2013/01/18 21:48:43
...
[ssh-keygen.1]
command-line (adj.) -> command line (n.);
2013-01-20 22:34:46 +11:00
072fdcd198
- jmc@cvs.openbsd.org 2013/01/18 08:39:04
...
[ssh-keygen.1]
add -Q to the options list; ok djm
2013-01-20 22:34:04 +11:00
72abeb709e
- jmc@cvs.openbsd.org 2013/01/18 08:00:49
...
[sshd_config.5]
tweak previous;
2013-01-20 22:33:44 +11:00
3d6d68b1e1
- jmc@cvs.openbsd.org 2013/01/18 07:59:46
...
[ssh-keygen.c]
-u before -V in usage();
2013-01-20 22:33:23 +11:00
ac5542b6b8
- jmc@cvs.openbsd.org 2013/01/18 07:57:47
...
[ssh-keygen.1]
tweak previous;
2013-01-20 22:33:02 +11:00
da5cc5d09a
- (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
...
Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
prototypes for openssl-1.0.0-fips.
2013-01-20 22:31:29 +11:00
13f5f768bc
- djm@cvs.openbsd.org 2013/01/18 03:00:32
...
[krl.c]
fix KRL generation bug for list sections
2013-01-18 15:32:03 +11:00
ebafebda85
- djm@cvs.openbsd.org 2013/01/18 00:45:29
...
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
Tests for Key Revocation Lists (KRLs)
2013-01-18 11:51:56 +11:00
f3747bf401
- djm@cvs.openbsd.org 2013/01/17 23:00:01
...
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
2013-01-18 11:44:04 +11:00
b26699bbad
- (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
...
check for GCM support before testing GCM ciphers.
2013-01-17 14:31:57 +11:00
efa1c95092
- (djm) [regress/integrity.sh] repair botched merge
2013-01-12 23:10:47 +11:00
846dc7f21c
- djm@cvs.openbsd.org 2013/01/12 11:23:53
...
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
test AES-GCM modes; feedback markus@
2013-01-12 22:46:26 +11:00
c20eb8b8ea
- djm@cvs.openbsd.org 2013/01/12 11:22:04
...
[cipher.c]
improve error message for integrity failure in AES-GCM modes; ok markus@
2013-01-12 22:41:26 +11:00
1422c0887c
- djm@cvs.openbsd.org 2013/01/09 05:40:17
...
[ssh-keygen.c]
correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 16:44:54 +11:00
d522c68872
- (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
...
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
cipher compat code to openssl-compat.h
2013-01-09 16:42:47 +11:00
1d75abfe23
- markus@cvs.openbsd.org 2013/01/08 18:49:04
...
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
[myproposal.h packet.c ssh_config.5 sshd_config.5]
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@
2013-01-09 16:12:19 +11:00
aa7ad3039c
- jmc@cvs.openbsd.org 2013/01/04 19:26:38
...
[sftp-server.8 sftp-server.c]
sftp-server.8: add argument name to -d
sftp-server.c: add -d to usage()
ok djm
2013-01-09 15:58:21 +11:00
ec77c954c8
- djm@cvs.openbsd.org 2013/01/03 23:22:58
...
[ssh-keygen.c]
allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
ok markus@
2013-01-09 15:58:00 +11:00
502ab0eff1
- djm@cvs.openbsd.org 2013/01/03 12:54:49
...
[sftp-server.8 sftp-server.c]
allow specification of an alternate start directory for sftp-server(8)
"I like this" markus@
2013-01-09 15:57:36 +11:00
3739c8f041
- djm@cvs.openbsd.org 2013/01/03 12:49:01
...
[PROTOCOL]
fix description of MAC calculation for EtM modes; ok markus@
2013-01-09 15:57:16 +11:00
441384453c
- djm@cvs.openbsd.org 2013/01/03 05:49:36
...
[servconf.h]
add a couple of ServerOptions members that should be copied to the privsep
child (for consistency, in this case they happen only to be accessed in
the monitor); ok dtucker@
2013-01-09 15:56:45 +11:00
697485d50a
- djm@cvs.openbsd.org 2013/01/02 00:33:49
...
[PROTOCOL.agent]
correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
bz#2051 from david AT lechnology.com
2013-01-09 15:56:13 +11:00
73298f420e
- djm@cvs.openbsd.org 2013/01/02 00:32:07
...
[clientloop.c mux.c]
channel_setup_local_fwd_listener() returns 0 on failure, not -ve
bz#2055 reported by mathieu.lacage AT gmail.com
2013-01-09 15:55:50 +11:00
4e14a58f3f
- dtucker@cvs.openbsd.org 2012/12/14 05:26:43
...
[auth.c]
use correct string in error message; from rustybsd at gmx.fr
2013-01-09 15:54:48 +11:00
0fc77297e6
- (dtucker) [Makefile.in] Add some scaffolding so that the new regress
...
tests will work with VPATH directories.
2012-12-17 15:59:42 +11:00
13cbff1e00
- (djm) [cipher.c] Fix missing prototype for compat code
2012-12-13 08:25:07 +11:00
25a02b0c95
- (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
...
compat code for older OpenSSL
2012-12-13 08:18:56 +11:00
8c05da3326
- markus@cvs.openbsd.org 2012/12/12 16:45:52
...
[packet.c]
reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only parially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert
2012-12-13 07:18:59 +11:00
faabeb6b36
- (djm) [regress/Makefile] fix t-exec rule
2012-12-12 12:51:54 +11:00
37461d7391
- (djm) [regress/integrity.sh] Fix awk quoting, packet length skip
2012-12-12 12:37:32 +11:00
37834afe7b
- (djm) [mac.c] fix merge botch
2012-12-12 11:00:37 +11:00
ec7ce9ace4
- markus@cvs.openbsd.org 2012/12/11 23:12:13
...
[try-ciphers.sh]
add hmac-ripemd160-etm@openssh.com
2012-12-12 10:55:32 +11:00
1fb593a3f1
- markus@cvs.openbsd.org 2012/12/11 22:42:11
...
[regress/Makefile regress/modpipe.c regress/integrity.sh]
test the integrity of the packets; with djm@
2012-12-12 10:54:37 +11:00
1a45b63d7b
- markus@cvs.openbsd.org 2012/12/11 22:32:56
...
[regress/try-ciphers.sh]
add etm modes
2012-12-12 10:52:07 +11:00
74f13bdf26
- sthen@cvs.openbsd.org 2012/12/11 22:51:45
...
[mac.c]
fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
2012-12-12 10:46:53 +11:00
af43a7ac2d
- markus@cvs.openbsd.org 2012/12/11 22:31:18
...
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
[packet.c ssh_config.5 sshd_config.5]
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
2012-12-12 10:46:31 +11:00
6a1937eac5
- markus@cvs.openbsd.org 2012/12/11 22:16:21
...
[monitor.c]
drain the log messages after receiving the keystate from the unpriv
child. otherwise it might block while sending. ok djm@
2012-12-12 10:44:38 +11:00
3e1027cd1f
- dtucker@cvs.openbsd.org 2012/12/07 01:51:35
...
[serverloop.c]
Cast signal to int for logging. A no-op on openbsd (they're always ints)
but will prevent warnings in portable. ok djm@
2012-12-07 13:07:46 +11:00
8a96522482
- markus@cvs.openbsd.org 2012/12/05 15:42:52
...
[ssh-add.c]
prevent double-free of comment; ok djm@
2012-12-07 13:07:02 +11:00
f9333d5246
- jmc@cvs.openbsd.org 2012/12/03 08:33:03
...
[ssh-add.1 sshd_config.5]
tweak previous;
2012-12-07 13:06:13 +11:00
3dfb877046
- dtucker@cvs.openbsd.org 2012/12/06 06:06:54
...
[regress/keys-command.sh]
Fix some problems with the keys-command test:
- use string comparison rather than numeric comparison
- check for existing KEY_COMMAND file and don't clobber if it exists
- clean up KEY_COMMAND file if we do create it.
- check that KEY_COMMAND is executable (which it won't be if eg /var/run
is mounted noexec).
ok djm.
2012-12-07 13:03:10 +11:00
96ce9a1e45
20121205
...
- (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
2012-12-04 07:50:03 -08:00
8b48982a56
- (djm) [configure.ac] Revert previous. configure.ac already does this
...
for us.
2012-12-03 12:35:55 +11:00
03af12e930
- (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
...
debugging. ok dtucker@
2012-12-03 11:55:53 +11:00
55aca027ed
- djm@cvs.openbsd.org 2012/12/03 00:14:06
...
[auth2-chall.c ssh-keygen.c]
Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
999bd2d259
- djm@cvs.openbsd.org 2012/12/02 20:47:48
...
[Makefile regress/forward-control.sh]
regress for AllowTcpForwarding local/remote; ok markus@
2012-12-03 10:13:39 +11:00
771c43cee6
- djm@cvs.openbsd.org 2012/11/22 22:49:30
...
[regress/Makefile regress/keys-command.sh]
regress for AuthorizedKeysCommand; hints from markus@
2012-12-03 10:12:13 +11:00
6618e92509
- djm@cvs.openbsd.org 2012/10/19 05:10:42
...
[regress/cert-userkey.sh]
include a serial number when generating certs
2012-12-03 10:09:04 +11:00
fa51d8b6b2
- dtucker@cvs.openbsd.org 2012/10/05 02:20:48
...
[regress/cipher-speed.sh regress/try-ciphers.sh]
Add umac-128@openssh.com to the list of MACs to be tested
2012-12-03 10:08:25 +11:00
d27a026ab7
- dtucker@cvs.openbsd.org 2012/10/05 02:05:30
...
[regress/multiplex.sh]
Use 'kill -0' to test for the presence of a pid since it's more portable
2012-12-03 10:06:37 +11:00
15b05cfa17
- djm@cvs.openbsd.org 2012/12/02 20:34:10
...
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
[monitor.c monitor.h]
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.
Fix multiple authentication when one of the methods is
keyboard-interactive.
ok markus@
2012-12-03 09:53:20 +11:00
aa5b3f8314
- djm@cvs.openbsd.org 2012/12/02 20:46:11
...
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
2012-12-03 09:50:54 +11:00
33a813613a
- djm@cvs.openbsd.org 2012/12/02 20:42:15
...
[ssh-add.1 ssh-add.c]
make deleting explicit keys "ssh-add -d" symmetric with adding keys -
try to delete the corresponding certificate too and respect the -k option
to allow deleting of the key only; feedback and ok markus@
2012-12-03 09:50:24 +11:00
cb6b68b209
- djm@cvs.openbsd.org 2012/12/02 20:26:11
...
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
2012-12-03 09:49:52 +11:00
cf6ef137b5
- (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
...
TAILQ_FOREACH_SAFE needed for upcoming changes.
2012-12-03 09:37:56 +11:00
6f3b362fa8
- djm@cvs.openbsd.org 2012/11/14 02:32:15
...
[ssh-keygen.c]
allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
1e85469fcb
- djm@cvs.openbsd.org 2012/11/14 02:24:27
...
[auth2-pubkey.c]
fix username passed to helper program
prepare stdio fds before closefrom()
spotted by landry@
2012-11-14 19:04:02 +11:00
0120c41d6b
- jmc@cvs.openbsd.org 2012/09/26 17:34:38
...
[moduli.5]
last stage of rfc changes, using consistent Rs/Re blocks, and moving the
references into a STANDARDS section;
2012-11-07 08:36:00 +11:00
Damien Miller
Darren Tucker
Tim Rice