Damien Miller
09d3e12512
- djm@cvs.openbsd.org 2012/10/30 21:29:55
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
[sshd.c sshd_config sshd_config.5]
new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@
2012-10-31 08:58:58 +11:00
Damien Miller
07daed505f
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2012/10/05 12:34:39
[sftp.c]
fix signed vs unsigned warning; feedback & ok: djm@
2012-10-31 08:57:55 +11:00
Tim Rice
c0e5cbe222
- (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
the generated file as intended.
2012-10-18 21:38:58 -07:00
Darren Tucker
cc8e9ffdd1
- [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom"
2012-10-05 15:41:06 +10:00
Darren Tucker
50ce447ef9
- [umac.c] Enforce allowed umac output sizes. From djm@.
2012-10-05 12:11:33 +10:00
Darren Tucker
ee4ad778d7
- dtucker@cvs.openbsd.org 2012/09/10 01:51:19
[regress/multiplex.sh]
use -Ocheck and waiting for completions by PID to make multiplexing test
less racy and (hopefully) more reliable on slow hardware.
2012-10-05 12:04:10 +10:00
Darren Tucker
9b2c0360cf
- dtucker@cvs.openbsd.org 2012/09/10 00:49:21
[regress/multiplex.sh]
Log -O cmd output to the log file and make logging consistent with the
other tests. Test clean shutdown of an existing channel when testing
"stop".
2012-10-05 11:45:39 +10:00
Darren Tucker
6fc5aa8b2e
- dtucker@cvs.openbsd.org 2012/09/09 11:51:25
[multiplex.sh]
Add test for ssh -Ostop
2012-10-05 11:43:57 +10:00
Darren Tucker
189e5bad5c
- dtucker@cvs.openbsd.org 2012/09/06 04:11:07
[regress/try-ciphers.sh]
Restore missing space. (Id sync only).
2012-10-05 11:41:52 +10:00
Darren Tucker
992faad1f1
- [Makefile umac.c] Add special-case target to build umac128.o.
2012-10-05 11:38:24 +10:00
Darren Tucker
427e409e99
- markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
add umac128 variant; ok djm@ at n2k12
(note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Darren Tucker
0dc283b13a
- djm@cvs.openbsd.org 2012/10/02 07:07:45
[ssh-keygen.c]
fix -z option, broken in revision 1.215
2012-10-05 10:52:51 +10:00
Darren Tucker
3a7c04105a
- naddy@cvs.openbsd.org 2012/10/01 13:59:51
[monitor_wrap.c]
pasto; ok djm@
2012-10-05 10:51:59 +10:00
Darren Tucker
628a3fdce2
- jmc@cvs.openbsd.org 2012/09/26 16:12:13
[ssh.1]
last stage of rfc changes, using consistent Rs/Re blocks, and moving the
references into a STANDARDS section;
2012-10-05 10:50:15 +10:00
Darren Tucker
17146d369c
- dtucker@cvs.openbsd.org 2012/09/21 10:55:04
[sftp.c]
Fix handling of filenames containing escaped globbing characters and
escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.
2012-10-05 10:46:16 +10:00
Darren Tucker
191fcc6e4e
- dtucker@cvs.openbsd.org 2012/09/21 10:53:07
[sftp.c]
Fix improper handling of absolute paths when PWD is part of the completed
path. Patch from Jean-Marc Robert via tech@, ok djm.
2012-10-05 10:45:01 +10:00
Darren Tucker
063018d9f6
- dtucker@cvs.openbsd.org 2012/09/18 10:36:12
[sftp.c]
Add bounds check on sftp tab-completion. Part of a patch from
Jean-Marc Robert via tech@, ok djm
2012-10-05 10:43:58 +10:00
Darren Tucker
302889a1b0
- markus@cvs.openbsd.org 2012/09/17 13:04:11
[packet.c]
clear old keys on rekeying; ok djm
2012-10-05 10:42:53 +10:00
Darren Tucker
0af2405ebf
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2012/09/17 09:54:44
[sftp.c]
an XXX for later
2012-10-05 10:41:25 +10:00
Darren Tucker
26b9e3b0c5
- markus@cvs.openbsd.org 2012/09/14 16:51:34
[sshconnect.c]
remove unused variable
2012-09-17 13:25:44 +10:00
Darren Tucker
bb6cc07cf4
- dtucker@cvs.openbsd.org 2012/09/13 23:37:36
[servconf.c]
Fix comment line length
2012-09-17 13:25:06 +10:00
Darren Tucker
86dc9b4110
Fix author's name for RFC6594 SSHFP change
2012-09-07 18:08:23 +10:00
Darren Tucker
48bf4b0ca3
- dtucker@cvs.openbsd.org 2012/09/07 06:34:21
[clientloop.c]
when muxmaster is run with -N, make it shut down gracefully when a client
sends it "-O stop" rather than hanging around (bz#1985). ok djm@
2012-09-07 16:38:53 +10:00
Darren Tucker
ca0d0fd806
- dtucker@cvs.openbsd.org 2012/09/07 01:10:21
[clientloop.c]
Merge escape help text for ~v and ~V; ok djm@
2012-09-07 11:22:24 +10:00
Darren Tucker
f111d40604
- dtucker@cvs.openbsd.org 2012/09/07 00:30:19
[clientloop.c]
Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@
2012-09-07 11:21:42 +10:00
Darren Tucker
83d0af6907
- jmc@cvs.openbsd.org 2012/09/06 13:57:42
[ssh.1]
missing letter in previous;
2012-09-07 11:21:03 +10:00
Darren Tucker
92a39cfa09
- dtucker@cvs.openbsd.org 2012/09/06 09:50:13
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
(note: previous commit with this description was a mistake on my part while
pulling changes from OpenBSD)
2012-09-07 11:20:20 +10:00
Darren Tucker
241995382e
bz#2039: add acknowledgement of the original authors of the ECDSA SSHFP DNS
work. From Ondřej Surý.
2012-09-07 10:44:34 +10:00
Darren Tucker
29bf4040b4
- dtucker@cvs.openbsd.org 2012/09/06 09:50:13
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
2012-09-06 21:26:34 +10:00
Darren Tucker
50a48d025f
- dtucker@cvs.openbsd.org 2012/09/06 04:37:39
[clientloop.c log.c ssh.1 log.h]
Add ~v and ~V escape sequences to raise and lower the logging level
respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
Darren Tucker
00c1518a4d
- djm@cvs.openbsd.org 2012/08/17 01:30:00
[compat.c sshconnect.c]
Send client banner immediately, rather than waiting for the server to
move first for SSH protocol 2 connections (the default). Patch based on
one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
2012-09-06 21:21:56 +10:00
Darren Tucker
f09a8a6c6d
- djm@cvs.openbsd.org 2012/08/17 01:25:58
[ssh-keygen.c]
print details of which host lines were deleted when using
"ssh-keygen -R host"; ok markus@
2012-09-06 21:20:39 +10:00
Darren Tucker
ae608bdd83
- djm@cvs.openbsd.org 2012/08/17 01:22:56
[kex.c]
add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change
2012-09-06 21:19:51 +10:00
Darren Tucker
66cb0e0733
- dtucker@cvs.openbsd.org 2012/08/17 00:45:45
[clientloop.c clientloop.h mux.c]
Force a clean shutdown of ControlMaster client sessions when the ~. escape
sequence is used. This means that ~. should now work in mux clients even
if the server is no longer responding. Found by tedu, ok djm.
2012-09-06 21:19:05 +10:00
Darren Tucker
3ee50c5d9f
- jmc@cvs.openbsd.org 2012/08/15 18:25:50
[ssh-keygen.1]
a little more info on certificate validity;
requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
Darren Tucker
23e4b80a60
- (dtucker) [moduli] Import new moduli file.
2012-08-30 10:42:47 +10:00
Damien Miller
4eb0a532ef
- (djm) Release openssh-6.1
2012-08-29 10:26:20 +10:00
Darren Tucker
318541854f
- (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
for compatibility with future mingw-w64 headers. Patch from vinschen at
redhat com.
2012-08-28 19:57:19 +10:00
Damien Miller
39a9d2c933
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update version numbers
2012-08-22 21:57:13 +10:00
Damien Miller
38fe66230f
- markus@cvs.openbsd.org 2012/07/22 18:19:21
[version.h]
openssh 6.1
2012-07-31 12:23:16 +10:00
Damien Miller
46cb75a258
- dtucker@cvs.openbsd.org 2012/07/13 01:35:21
[servconf.c]
handle long comments in config files better. bz#2025, ok markus
2012-07-31 12:22:37 +10:00
Damien Miller
1cce103b3e
fix truncated entry
2012-07-31 12:22:18 +10:00
Damien Miller
5a5c2b9063
- djm@cvs.openbsd.org 2012/07/10 02:19:15
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
2012-07-31 12:21:34 +10:00
Damien Miller
709a1e90d9
- jmc@cvs.openbsd.org 2012/07/06 06:38:03
[ssh-keygen.c]
missing full stop in usage();
2012-07-31 12:20:43 +10:00
Darren Tucker
d809a4bc28
Import regened moduli file.
2012-07-20 10:42:06 +10:00
Damien Miller
fff9f095e2
- djm@cvs.openbsd.org 2012/07/06 01:47:38
[ssh.c]
move setting of tty_flag to after config parsing so RequestTTY options
are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
ok dtucker@
2012-07-06 13:45:01 +10:00
Damien Miller
ab523b0246
- djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
2012-07-06 13:44:43 +10:00
Damien Miller
dfceafe8b1
- dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller
77eab7b024
- (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
esperi.org.uk; ok dtucker@
2012-07-06 11:49:28 +10:00
Damien Miller
a0433a7096
- (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
not available. Allows use of sshd compiled on host with a filter-capable
kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-07-06 10:27:10 +10:00
Darren Tucker
34f702ae64
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
platforms that don't have it. "looks good" tim@
2012-07-04 08:50:09 +10:00
Darren Tucker
d545a4b974
- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
benefit is minor, so it's not worth disabling the sandbox if it doesn't
work.
2012-07-03 22:48:31 +10:00
Darren Tucker
60395f91c6
- (dtucker) [configure.ac] Detect platforms that can't use select(2) with
setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
2012-07-03 14:31:18 +10:00
Darren Tucker
6ea5dc6bb8
- (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.
2012-07-03 01:11:28 +10:00
Darren Tucker
ec1e15d51a
- (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
Move cygwin detection to test-exec and use to skip reexec test on cygwin.
2012-07-03 01:06:49 +10:00
Darren Tucker
369ceedce2
- dtucker@cvs.openbsd.org 2012/07/02 14:37:06
[regress/connect-privsep.sh]
remove exit from end of test since it prevents reporting failure
2012-07-03 00:53:18 +10:00
Darren Tucker
4908d44e67
- dtucker@cvs.openbsd.org 2012/07/02 12:13:26
[ssh-pkcs11-helper.c sftp-client.c]
fix a couple of "assigned but not used" warnings. ok markus@
2012-07-02 22:15:38 +10:00
Darren Tucker
7b30501bf5
- dtucker@cvs.openbsd.org 2012/07/02 08:50:03
[ssh.c]
set interactive ToS for forwarded X11 sessions. ok djm@
2012-07-02 18:55:09 +10:00
Darren Tucker
3b4b2d3021
- markus@cvs.openbsd.org 2012/06/30 14:35:09
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@
2012-07-02 18:54:31 +10:00
Darren Tucker
ecbf14aa53
- naddy@cvs.openbsd.org 2012/06/29 13:57:25
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one;
ok dtucker@
2012-07-02 18:53:37 +10:00
Darren Tucker
14a9d2515b
- (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
the required functions in libcrypto.
2012-06-30 20:05:02 +10:00
Darren Tucker
3886f95d42
- (dtucker) [myproposal.h] Remove trailing backslash to fix compile error
2012-06-30 19:47:01 +10:00
Darren Tucker
a08c20763a
- dtucker@cvs.openbsd.org 2012/06/28 05:07:45
[regress/try-ciphers.sh regress/cipher-speed.sh]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus
2012-06-30 15:08:53 +10:00
Darren Tucker
2920bc145c
- dtucker@cvs.openbsd.org 2012/06/26 12:06:59
[regress/connect-privsep.sh]
test sandbox with every malloc option
2012-06-30 15:06:28 +10:00
Darren Tucker
ff32d7c9d2
- djm@cvs.openbsd.org 2012/06/01 00:52:52
[regress/sftp-cmds.sh]
don't delete .* on cleanup due to unintended env expansion; pointed out in
bz#2014 by openssh AT roumenpetrov.info
2012-06-30 15:04:13 +10:00
Darren Tucker
4430a86c14
- djm@cvs.openbsd.org 2012/06/01 00:47:35
[multiplex.sh forwarding.sh]
append to rather than truncate test log; bz#2013 from openssh AT
roumenpetrov.
2012-06-30 15:03:28 +10:00
Darren Tucker
301390316c
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
[regress/addrmatch.sh]
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
2012-06-30 15:01:22 +10:00
Damien Miller
ee3c196ec7
- naddy@cvs.openbsd.org 2012/06/29 13:57:25
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one; ok dtucker@
(actual patch accidentally committed with previous)
2012-06-30 08:35:59 +10:00
Damien Miller
db4f8e8618
- dtucker@cvs.openbsd.org 2012/06/28 05:07:45
[mac.c myproposal.h ssh_config.5 sshd_config.5]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus.
2012-06-30 08:34:59 +10:00
Damien Miller
560de922b1
- dtucker@cvs.openbsd.org 2012/06/26 11:02:30
[sandbox-systrace.c]
Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
sandbox" since malloc now uses it. From johnw.mail at gmail com.
2012-06-30 08:33:53 +10:00
Damien Miller
ea8582931f
- dtucker@cvs.openbsd.org 2012/06/22 14:36:33
[sftp.c]
Remove unused variable leftover from tab-completion changes.
From Steve.McClellan at radisys com, ok markus@
2012-06-30 08:33:32 +10:00
Damien Miller
5f58a87768
- dtucker@cvs.openbsd.org 2012/06/22 12:30:26
[monitor.c sshconnect2.c]
remove dead code following 'for (;;)' loops.
From Steve.McClellan at radisys com, ok markus@
2012-06-30 08:33:17 +10:00
Damien Miller
97f43bbfc9
- dtucker@cvs.openbsd.org 2012/06/21 00:16:07
[addrmatch.c]
fix strlcpy truncation check. from carsten at debian org, ok markus
2012-06-30 08:32:29 +10:00
Darren Tucker
8908da7dce
- (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
pointer deref in the client when built with LDNS and using DNSSEC with a
CNAME. Patch from gregdlg+mr at hochet info.
2012-06-28 15:21:32 +10:00
Darren Tucker
62dcd63f5e
- (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
can logon as a service. Patch from vinschen at redhat com.
2012-06-22 22:02:42 +10:00
Damien Miller
6c6da33d31
- djm@cvs.openbsd.org 2012/06/20 04:42:58
[clientloop.c serverloop.c]
initialise accept() backoff timer to avoid EINVAL from select(2) in
rekeying
2012-06-20 22:31:26 +10:00
Damien Miller
f8268503d1
- jmc@cvs.openbsd.org 2012/06/19 21:35:54
[sshd_config.5]
tweak previous; ok markus
2012-06-20 21:54:15 +10:00
Damien Miller
c24da77015
- markus@cvs.openbsd.org 2012/06/19 18:25:28
[servconf.c servconf.h sshd_config.5]
sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)
2012-06-20 21:53:58 +10:00
Damien Miller
36378c6413
- dtucker@cvs.openbsd.org 2012/06/18 12:17:18
[ssh.1]
Clarify description of -W. Noted by Steve.McClellan at radisys com, ok jmc
2012-06-20 21:53:25 +10:00
Damien Miller
b9902cf6f6
- dtucker@cvs.openbsd.org 2012/06/18 12:07:07
[ssh.1 sshd.8]
Remove mention of 'three' key files since there are now four. From
Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
Damien Miller
7192433633
- dtucker@cvs.openbsd.org 2012/06/18 11:49:58
[ssh_config.5]
RSA instead of DSA twice. From Steve.McClellan at radisys com
2012-06-20 21:52:38 +10:00
Damien Miller
276dcfd7f7
- dtucker@cvs.openbsd.org 2012/06/18 11:43:53
[jpake.c]
correct sizeof usage. patch from saw at online.de, ok deraadt
2012-06-20 21:52:18 +10:00
Damien Miller
2e7decfcc0
- djm@cvs.openbsd.org 2012/06/01 01:01:22
[mux.c]
fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg
AT googlemail.com
2012-06-20 21:52:00 +10:00
Damien Miller
7f12157c0a
- djm@cvs.openbsd.org 2012/06/01 00:49:35
[PROTOCOL.mux]
correct types of port numbers (integers, not strings); bz#2004 from
bert.wesarg AT googlemail.com
2012-06-20 21:51:29 +10:00
Damien Miller
3bde12aeef
- djm@cvs.openbsd.org 2012/05/23 03:28:28
[dns.c dns.h key.c key.h ssh-keygen.c]
add support for RFC6594 SSHFP DNS records for ECDSA key types.
patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-06-20 21:51:11 +10:00
Damien Miller
ac58ce86e6
- djm@cvs.openbsd.org 2012/01/07 21:11:36
[mux.c]
fix double-free in new session handler
NB. Id sync only
2012-06-20 21:50:47 +10:00
Damien Miller
140df63e1f
- djm@cvs.openbsd.org 2011/12/04 23:16:12
[mux.c]
revert:
> revision 1.32
> date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
> fix bz#1948: ssh -f doesn't fork for multiplexed connection.
> ok dtucker@
it interacts badly with ControlPersist
2012-06-20 21:46:57 +10:00
Damien Miller
efc6fc995d
- djm@cvs.openbsd.org 2011/12/02 00:41:56
[mux.c]
fix bz#1948: ssh -f doesn't fork for multiplexed connection.
ok dtucker@
2012-06-20 21:44:56 +10:00
Darren Tucker
ba9ea3200d
- dtucker@cvs.openbsd.org 2012/05/19 06:30:30
[sshd_config.5]
Document PermitOpen none. bz#2001, patch from Loganaden Velvindron
2012-05-19 19:37:33 +10:00
Darren Tucker
fbcf827559
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
[servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
2012-05-19 19:37:01 +10:00
Darren Tucker
593538911a
- (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find
pkg-config so it does the right thing when cross-compiling. Patch from
cjwatson at debian org.
2012-05-19 15:24:37 +10:00
Darren Tucker
d0494fdb29
- (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch
from cjwatson at debian org.
2012-05-19 14:25:39 +10:00
Darren Tucker
e1a3ddf992
- (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h>
to fix building on some platforms. From bowman at math utah edu and
des at des no.
2012-05-04 11:05:45 +10:00
Darren Tucker
d0d3fff483
- (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6
platform rather than exiting early, so that we still clean up and return
status to test-exec.sh
2012-04-27 10:55:39 +10:00
Damien Miller
025bfd11d9
- (djm) [auth-krb5.c] Save errno across calls that might modify it;
ok dtucker@
2012-04-26 09:52:15 +10:00
Damien Miller
7584cb1ac4
- (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters
via Niels
2012-04-26 09:51:26 +10:00
Damien Miller
ba77e1f673
- djm@cvs.openbsd.org 2012/04/23 08:18:17
[channels.c]
fix function proto/source mismatch
2012-04-23 18:21:05 +10:00
Damien Miller
70b2d5550b
- jmc@cvs.openbsd.org 2012/04/20 16:26:22
[ssh.1]
use "brackets" instead of "braces", for consistency;
2012-04-22 11:26:10 +10:00
Damien Miller
4922315d1d
- djm@cvs.openbsd.org 2012/04/20 03:24:23
[sftp.c]
setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)
2012-04-22 11:25:47 +10:00
Damien Miller
8fef9ebbab
- djm@cvs.openbsd.org 2012/04/12 02:43:55
[sshd_config sshd_config.5]
mention AuthorizedPrincipalsFile=none default
2012-04-22 11:25:10 +10:00
Damien Miller
23528816dc
- djm@cvs.openbsd.org 2012/04/12 02:42:32
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@
2012-04-22 11:24:43 +10:00
Damien Miller
839f743464
- djm@cvs.openbsd.org 2012/04/11 13:34:17
[ssh-keyscan.1 ssh-keyscan.c]
now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
look for them by default; bz#1971
2012-04-22 11:24:21 +10:00
Damien Miller
a116d13c4d
- djm@cvs.openbsd.org 2012/04/11 13:26:40
[sshd.c]
don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@
2012-04-22 11:23:46 +10:00
Damien Miller
9fed161e67
- djm@cvs.openbsd.org 2012/04/11 13:17:54
[auth.c]
Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.
2012-04-22 11:21:43 +10:00
Damien Miller
a6508753db
- djm@cvs.openbsd.org 2012/04/11 13:16:19
[channels.c channels.h clientloop.c serverloop.c]
don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@
2012-04-22 11:21:10 +10:00
Damien Miller
c6081482b2
- dtucker@cvs.openbsd.org 2012/03/29 23:54:36
[channels.c channels.h servconf.c]
Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@
2012-04-22 11:18:53 +10:00
Damien Miller
48348fc3b4
- djm@cvs.openbsd.org 2012/03/28 07:23:22
[PROTOCOL.certkeys]
explain certificate extensions/crit split rationale. Mention requirement
that each appear at most once per cert.
2012-04-22 11:08:30 +10:00
Damien Miller
29cd188887
- guenther@cvs.openbsd.org 2012/03/15 03:10:27
[session.c]
root should always be excluded from the test for /etc/nologin instead
of having it always enforced even when marked as ignorenologin. This
regressed when the logic was incompletely flipped around in rev 1.251
ok halex@ millert@
2012-04-22 11:08:10 +10:00
Damien Miller
a563cced06
- djm@cvs.openbsd.org 2012/02/29 11:21:26
[ssh-keygen.c]
allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-04-22 11:07:28 +10:00
Damien Miller
d5dacb43fa
- (djm) Release openssh-6.0
2012-04-20 15:01:01 +10:00
Damien Miller
bf2304167b
- (djm) [README] Update URL to release notes.
2012-04-20 14:11:04 +10:00
Damien Miller
8beb320390
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update for release 6.0
2012-04-20 10:58:34 +10:00
Damien Miller
398c0ffe0e
- (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil
contains openpty() but not login()
2012-04-19 21:46:35 +10:00
Damien Miller
e0956e3834
- (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
and ok dtucker@
2012-04-04 11:27:54 +10:00
Damien Miller
ce1ec9d4e2
- (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect
assumptions when building on Cygwin; patch from Corinna Vinschen
2012-03-30 14:07:05 +11:00
Damien Miller
4d55734c16
- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
openssh binaries on a newer fix release than they were compiled on.
with and ok dtucker@
2012-03-30 11:34:27 +11:00
Darren Tucker
67ccc86506
- (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING
file from spec file. From crighter at nuclioss com.
2012-03-30 10:19:56 +11:00
Damien Miller
54c38d24c6
- (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6
addressed connections. ok dtucker@
2012-03-09 10:28:07 +11:00
Damien Miller
7bf7b889b3
- (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux
systems where sshd is run in the wrong context. Patch from Sven
Vermeulen; ok dtucker@
2012-03-09 10:25:16 +11:00
Darren Tucker
93a2d41505
- (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
audit breakage in Solaris 11. Patch from Magnus Johansson.
2012-02-24 10:40:41 +11:00
Tim Rice
a3f297de91
- (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote
to work. Spotted by Angel Gonzalez
2012-02-14 23:01:42 -08:00
Tim Rice
f79b5d38a1
- (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so
it actually works.
2012-02-14 20:13:05 -08:00
Tim Rice
e3609c935c
- (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
ok dtucker@
2012-02-14 10:03:30 -08:00
Damien Miller
7b7901c330
- (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of
preserved Cygwin environment variables; from Corinna Vinschen
2012-02-14 06:38:36 +11:00
Damien Miller
db854559be
- markus@cvs.openbsd.org 2012/02/09 20:00:18
[version.h]
move from 6.0-beta to 6.0
2012-02-11 08:19:44 +11:00
Damien Miller
72de982def
- markus@cvs.openbsd.org 2012/01/25 19:40:09
[packet.c packet.h]
packet_read_poll() is not used anymore.
2012-02-11 08:19:21 +11:00
Damien Miller
5d0077008f
- markus@cvs.openbsd.org 2012/01/25 19:36:31
[authfile.c]
memleak in key_load_file(); from Jan Klemkow
2012-02-11 08:19:02 +11:00
Damien Miller
1de2cfe9a9
- markus@cvs.openbsd.org 2012/01/25 19:26:43
[packet.c]
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@
2012-02-11 08:18:43 +11:00
Damien Miller
8d60be5487
- dtucker@cvs.openbsd.org 2012/01/18 21:46:43
[clientloop.c]
Ensure that $DISPLAY contains only valid characters before using it to
extract xauth data so that it can't be used to play local shell
metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
2012-02-11 08:18:17 +11:00
Damien Miller
fb12c6d8bb
- miod@cvs.openbsd.org 2012/01/16 20:34:09
[ssh-pkcs11-client.c]
Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
While there, be sure to buffer_clear() between send_msg() and recv_msg().
ok markus@
2012-02-11 08:17:52 +11:00
Damien Miller
83ba8e6056
- miod@cvs.openbsd.org 2012/01/08 13:17:11
[ssh-ecdsa.c]
Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron,
ok markus@
2012-02-11 08:17:27 +11:00
Damien Miller
2ec0342ed4
- djm@cvs.openbsd.org 2012/01/07 21:11:36
[mux.c]
fix double-free in new session handler
2012-02-11 08:16:28 +11:00
Damien Miller
a2876db5e6
- djm@cvs.openbsd.org 2012/01/05 00:16:56
[monitor.c]
memleak on error path
2012-02-11 08:16:06 +11:00
Damien Miller
b56e4930ae
- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
that don't support ECC. Patch from Phil Oleson
2012-02-06 07:41:27 +11:00
Darren Tucker
e9b3ad73ba
- (dtucker) [configure.ac mac.c openbsd-compat/openssl-compat.h] Add
null implementation of HMAC_CTX_init for the benefit of old versions
of OpenSSL that don't have it.
2012-01-17 14:03:34 +11:00
Damien Miller
8ed4de8f1d
- djm@cvs.openbsd.org 2011/12/07 05:44:38
[auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@
2011-12-19 10:52:50 +11:00
Damien Miller
913ddff40d
- djm@cvs.openbsd.org 2011/12/04 23:16:12
[mux.c]
revert:
> revision 1.32
> date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
> fix bz#1948: ssh -f doesn't fork for multiplexed connection.
> ok dtucker@
it interacts badly with ControlPersist
2011-12-19 10:52:21 +11:00
Damien Miller
d0e582c6da
- djm@cvs.openbsd.org 2011/12/02 00:43:57
[mac.c]
fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before
HMAC_init (this change in policy seems insane to me)
ok dtucker@
2011-12-19 10:51:39 +11:00
Damien Miller
5360dff2a0
- djm@cvs.openbsd.org 2011/12/02 00:41:56
[mux.c]
fix bz#1948: ssh -f doesn't fork for multiplexed connection.
ok dtucker@
2011-12-19 10:51:11 +11:00
Damien Miller
47d8115e53
- oga@cvs.openbsd.org 2011/11/16 12:24:28
[sftp.c]
Don't leak list in complete_cmd_parse if there are no commands found.
Discovered when I was ``borrowing'' this code for something else.
ok djm@
2011-11-25 13:53:48 +11:00
Darren Tucker
4a725ef6a5
- (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@
2011-11-21 16:38:48 +11:00
Darren Tucker
aa3cbd1b5b
- (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr)
with some rework from myself and djm. ok djm.
2011-11-04 11:25:24 +11:00
Darren Tucker
be4032ba1e
- dtucker@cvs.openbsd.org 011/11/04 00:09:39
[moduli]
regenerated moduli file; ok deraadt
2011-11-04 11:16:06 +11:00
Darren Tucker
9c5d553d58
- djm@cvs.openbsd.org 2011/10/24 02:13:13
[session.c]
bz#1859: send tty break to pty master instead of (probably already
closed) slave side; "looks good" markus@
2011-11-04 10:55:24 +11:00
Darren Tucker
2d6665d944
- djm@cvs.openbsd.org 2011/10/24 02:10:46
[ssh.c]
bz#1943: unbreak stdio forwarding when ControlPersist is in use - ssh
was incorrectly requesting the forward in both the control master and
slave. skip requesting it in the master to fix. ok markus@
2011-11-04 10:54:22 +11:00
Darren Tucker
8a057953d2
- djm@cvs.openbsd.org 2011/10/19 10:39:48
[umac.c]
typo in comment; patch from Michael W. Bombardieri
2011-11-04 10:53:31 +11:00
Darren Tucker
9ee09cfce6
- djm@cvs.openbsd.org 2011/10/19 00:06:10
[moduli.c]
s/tmpfile/tmp/ to make this -Wshadow clean
2011-11-04 10:52:43 +11:00
Darren Tucker
e68cf84ac8
- djm@cvs.openbsd.org 2011/10/18 23:37:42
[ssh-add.c]
add -k to usage(); reminded by jmc@
2011-11-04 10:51:51 +11:00
Darren Tucker
45c66d7ad4
- djm@cvs.openbsd.org 2011/10/18 05:15:28
[ssh.c]
ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
2011-11-04 10:50:40 +11:00
Darren Tucker
9f157abbb6
- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file
fails. Patch from Corinna Vinschen.
2011-10-25 09:37:57 +11:00
Damien Miller
8f4279e4ab
- djm@cvs.openbsd.org 2011/10/18 05:00:48
[ssh-add.1 ssh-add.c]
new "ssh-add -k" option to load plain keys (skipping certificates);
"looks ok" markus@
2011-10-18 16:06:33 +11:00
Damien Miller
c51a5ab2c6
- djm@cvs.openbsd.org 2011/10/18 04:58:26
[auth-options.c key.c]
remove explicit search for \0 in packet strings, this job is now done
implicitly by buffer_get_cstring; ok markus
2011-10-18 16:06:14 +11:00
Damien Miller
91f3eaec88
- stsp@cvs.openbsd.org 2011/10/16 15:51:39
[moduli.c]
add missing includes to unbreak tree; fix from rpointel
2011-10-18 16:05:55 +11:00
Damien Miller
927d82bc6a
- jmc@cvs.openbsd.org 2011/10/16 15:02:41
[ssh-keygen.c]
put -K in the right place (usage());
2011-10-18 16:05:38 +11:00
Damien Miller
390d0561fc
- dtucker@cvs.openbsd.org 2011/10/16 11:02:46
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add optional checkpoints for moduli screening. feedback & ok deraadt
2011-10-18 16:05:19 +11:00
Damien Miller
d3e6990c4c
- djm@cvs.openbsd.org 2011/10/04 14:17:32
[sftp-glob.c]
silence error spam for "ls */foo" in directory with files; bz#1683
2011-10-18 16:04:57 +11:00
Darren Tucker
2e13560ff5
- djm@cvs.openbsd.org 2011/09/30 21:22:49
[sshd.c]
fix inverted test that caused logspam; spotted by henning@
2011-10-02 19:10:13 +11:00
Darren Tucker
95125e5f43
ChangeLog entry for sshd.c rev 1.409
2011-10-02 19:09:07 +11:00
Darren Tucker
af1a60ec4f
- djm@cvs.openbsd.org 2011/09/25 05:44:47
...
[auth2-pubkey.c]
improve the AuthorizedPrincipalsFile debug log message to include
file and line number
2011-10-02 18:59:59 +11:00
Darren Tucker
68afb8c5f2
- markus@cvs.openbsd.org 2011/09/23 07:45:05
...
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h]
unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@
2011-10-02 18:59:03 +11:00
Darren Tucker
1338b9e067
- dtucker@cvs.openbsd.org 2011/09/23 00:22:04
...
[channels.c auth-options.c servconf.c channels.h sshd.8]
Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
2011-10-02 18:57:35 +11:00
Darren Tucker
036876cd7d
- (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm
2011-10-01 18:46:12 +10:00
Darren Tucker
b54f50e5d0
- (dtucker) [configure.ac openbsd-compat/Makefile.in
...
openbsd-compat/strnlen.c] Add strnlen to the compat library.
2011-09-29 23:17:18 +10:00
Damien Miller
5ffe1c4b43
- (djm) [configure.ac defines.h] No need to detect sizeof(char); patch
...
from des AT des.no
2011-09-29 11:11:51 +10:00
Damien Miller
d1a74580f8
- (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion
...
of static __findenv() function from upstream setenv.c
2011-09-23 11:26:34 +10:00
Damien Miller
3e6fe87ef9
- otto@cvs.openbsd.org 2008/12/09 19:38:38
...
[openbsd-compat/inet_ntop.c]
fix inet_ntop(3) prototype; ok millert@ libc to be bumped very soon
2011-09-23 11:16:09 +10:00
Damien Miller
64efe9671d
- (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid
...
marker. The upstream API has changed (function and structure names)
enough to put it out of sync with other providers of this interface.
2011-09-23 11:13:00 +10:00
Damien Miller
4888671343
- (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version.
...
The file was totally rewritten between what we had in tree and -current.
2011-09-23 10:56:29 +10:00
Damien Miller
3a359b3228
- millert@cvs.openbsd.org 2008/08/21 16:54:44
...
[mktemp.c]
Remove useless code, the kernel will set errno appropriately if an
element in the path does not exist. OK deraadt@ pvalchev@
2011-09-23 10:47:29 +10:00
Damien Miller
dc0e09b41c
- deraadt@cvs.openbsd.org 2008/07/22 21:47:45
...
[mktemp.c]
use arc4random_uniform(); ok djm millert
2011-09-23 10:46:48 +10:00
Damien Miller
cd92790fcb
- (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the
...
upstream version is YPified and we don't want this
2011-09-23 10:44:03 +10:00
Damien Miller
834e820317
- tobias@cvs.openbsd.org 2007/10/21 11:09:30
...
[mktemp.c]
Comment fix about time consumption of _gettemp.
FreeBSD did this in revision 1.20.
OK deraadt@, krw@
2011-09-23 10:42:02 +10:00
Damien Miller
acdf3fbdba
- (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no
...
longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
want this longhand version)
2011-09-23 10:40:50 +10:00
Damien Miller
add1e20802
- millert@cvs.openbsd.org 2006/05/05 15:27:38
...
[strlcpy.c]
Convert do {} while loop -> while {} for clarity. No binary change
on most architectures. From Oliver Smith. OK deraadt@ and henning@
2011-09-23 10:38:01 +10:00
Damien Miller
d7be70d052
- djm@cvs.openbsd.org 2011/09/22 06:29:03
...
[sftp.c]
don't let remote_glob() implicitly sort its results in do_globbed_ls() -
in all likelihood, they will be resorted anyway
2011-09-22 21:43:06 +10:00
Damien Miller
57c38ac7d5
- markus@cvs.openbsd.org 2011/09/12 08:46:15
...
[sftp-client.c]
fix leak in do_lsreaddir(); ok djm
2011-09-22 21:42:45 +10:00
Damien Miller
3decdba425
- markus@cvs.openbsd.org 2011/09/11 16:07:26
...
[sftp-client.c]
fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron
2011-09-22 21:41:05 +10:00
Damien Miller
1bcbd0a9de
- okan@cvs.openbsd.org 2011/09/11 06:59:05
...
[ssh.1]
document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
Damien Miller
ff773644e6
- markus@cvs.openbsd.org 2011/09/10 22:26:34
...
[channels.c channels.h clientloop.c ssh.1]
support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@
2011-09-22 21:39:48 +10:00
Damien Miller
f6dff7cd2f
- djm@cvs.openbsd.org 2011/09/09 22:46:44
...
[channels.c channels.h clientloop.h mux.c ssh.c]
support for cancelling local and remote port forwards via the multiplex
socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00
Damien Miller
9ee2c606c1
- djm@cvs.openbsd.org 2011/09/09 22:38:21
...
[sshd.c]
kill the preauth privsep child on fatal errors in the monitor;
ok markus@
2011-09-22 21:38:30 +10:00
Damien Miller
0603d98b4e
- djm@cvs.openbsd.org 2011/09/09 22:37:01
...
[scp.c]
suppress adding '--' to remote commandlines when the first argument
does not start with '-'. saves breakage on some difficult-to-upgrade
embedded/router platforms; feedback & ok dtucker ok markus
2011-09-22 21:38:00 +10:00
Damien Miller
4cb855b070
- djm@cvs.openbsd.org 2011/09/09 00:44:07
...
[PROTOCOL.mux]
MUX_C_CLOSE_FWD includes forward type in message (though it isn't
implemented anyway)
2011-09-22 21:37:38 +10:00
Damien Miller
f6e758cdba
- djm@cvs.openbsd.org 2011/09/09 00:43:00
...
[ssh_config.5 sshd_config.5]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:37:13 +10:00
Damien Miller
6232a16a9a
- deraadt@cvs.openbsd.org 2011/09/07 02:18:31
...
[ssh-keygen.1]
typo (they vs the) found by Lawrence Teo
2011-09-22 21:36:00 +10:00
Damien Miller
e029673f1f
- jmc@cvs.openbsd.org 2011/09/05 07:01:44
...
[scp.1]
knock out a useless Ns;
2011-09-22 21:34:56 +10:00
Damien Miller
2918e030fc
- djm@cvs.openbsd.org 2011/09/05 05:59:08
...
[misc.c]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:34:35 +10:00
Damien Miller
e577772a89
- djm@cvs.openbsd.org 2011/09/05 05:56:13
...
[scp.1 sftp.1]
mention ControlPersist and KbdInteractiveAuthentication in the -o
verbiage in these pages too (prompted by jmc@)
2011-09-22 21:34:15 +10:00
Damien Miller
efad727517
- djm@cvs.openbsd.org 2011/08/26 01:45:15
...
[ssh.1]
Add some missing ssh_config(5) options that can be used in ssh(1)'s
-o argument. Patch from duclare AT guu.fi
2011-09-22 21:33:53 +10:00
Damien Miller
e128a50e35
- djm@cvs.openbsd.org 2011/09/22 06:27:29
...
[glob.c]
fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
applied only to the gl_pathv vector and not the corresponding gl_statv
array. reported in OpenSSH bz#1935; feedback and okay matthew@
2011-09-22 21:22:21 +10:00
Damien Miller
c4bf7dde92
- stsp@cvs.openbsd.org 2011/09/20 10:18:46
...
[glob.c]
In glob(3), limit recursion during matching attempts. Similar to
fnmatch fix. Also collapse consecutive '*' (from NetBSD).
ok miod deraadt
2011-09-22 21:21:48 +10:00
Damien Miller
e01a627047
- pyr@cvs.openbsd.org 2011/05/12 07:15:10
...
[openbsd-compat/glob.c]
When the max number of items for a directory has reached GLOB_LIMIT_READDIR
an error is returned but closedir() is not called.
spotted and fix provided by Frank Denis obsd-tech@pureftpd.org
ok otto@, millert@
2011-09-22 21:20:21 +10:00
Darren Tucker
e8a82c5faf
- (dtucker) [entropy.h] Bug #1932: remove old definition of init_rng. From
...
Colin Watson.
2011-09-09 11:29:40 +10:00
Damien Miller
022ee24197
- (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon
2011-09-07 09:15:02 +10:00
Damien Miller
fb9d8173f0
- (djm) [README version.h] Correct version
2011-09-07 09:11:53 +10:00
Damien Miller
8e4a71e952
- (djm) Release OpenSSH-5.9
2011-09-05 15:39:20 +10:00
Damien Miller
86dcd3e45a
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers.
2011-09-05 10:29:04 +10:00
Darren Tucker
0dd24e02ec
- (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations
...
of pkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
Damien Miller
6efd94f32e
- (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
...
regress errors for the sandbox to warnings. ok tim dtucker
2011-09-04 19:04:16 +10:00
Damien Miller
58ac11a2bd
- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
...
to switch SELinux context away from unconfined_t, based on patch from
Jan Chadima; bz#1919 ok dtucker@
2011-08-29 16:09:52 +10:00
Darren Tucker
4438354870
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
2011-08-28 04:50:16 +10:00
Tim Rice
a6e60616be
- (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze
2011-08-17 21:48:22 -07:00
Damien Miller
2df1bec086
- (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2
...
MAC tests for platforms that hack EVP_SHA2 support
2011-08-17 12:25:46 +10:00
Damien Miller
062fa30532
- djm@cvs.openbsd.org 2011/08/02 01:23:41
...
[regress/cipher-speed.sh regress/try-ciphers.sh]
add SHA256/SHA512 based HMAC modes
2011-08-17 12:10:02 +10:00
Damien Miller
faf4d80420
- markus@cvs.openbsd.org 2011/06/30 22:44:43
...
[connect-privsep.sh]
test with sandbox enabled; ok djm@
2011-08-17 12:09:19 +10:00
Damien Miller
9231c8bde4
- dtucker@cvs.openbsd.org 2011/06/03 05:35:10
...
[regress/cfgmatch.sh]
use OBJ to find test configs, patch from Tim Rice
2011-08-17 12:08:15 +10:00
Damien Miller
44a6c9340a
- (djm) [contrib/ssh-copy-id] Missing backslash; spotted by
...
bisson AT archlinux.org
2011-08-17 12:01:44 +10:00
Damien Miller
1a91c0f163
- (djm) [configure.ac] error out if the host lacks the necessary bits for
...
an explicitly requested sandbox type
2011-08-17 11:59:25 +10:00
Damien Miller
9c08312968
- (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
...
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
2011-08-17 11:31:07 +10:00
Tim Rice
a1226828ad
- (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for
...
OpenSSL 0.9.7. ok djm
2011-08-16 17:29:01 -07:00
Damien Miller
d1eb1dd5ed
- (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the
...
identity file contained whitespace. bz#1828 patch from gwenael.lambrouin
AT gmail.com; ok dtucker@
2011-08-12 11:22:47 +10:00
Damien Miller
2db9977c06
- (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init]
...
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES
init scripts from imorgan AT nas.nasa.gov
2011-08-12 11:02:35 +10:00
Darren Tucker
4d47ec9c89
- (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context
...
change error by reporting old and new context names. Patch from
jchadima at redhat.
2011-08-12 10:12:53 +10:00
Darren Tucker
ddccfb4b98
- dtucker@cvs.openbsd.org 2011/08/07 12:55:30
...
[sftp.1]
typo, fix from Laurent Gautrot
2011-08-07 23:12:26 +10:00
Darren Tucker
91e6b57729
- jmc@cvs.openbsd.org 2010/10/14 20:41:28
...
[moduli.5]
probabalistic -> probabilistic; from naddy
2011-08-07 23:10:56 +10:00
Darren Tucker
f279474f1b
- sobrado@cvs.openbsd.org 2009/10/28 08:56:54
...
[moduli.5]
"Diffie-Hellman" is the usual spelling for the cryptographic protocol
first published by Whitfield Diffie and Martin Hellman in 1976.
ok jmc@
2011-08-07 23:10:11 +10:00
Darren Tucker
578451ddda
- (dtucker) OpenBSD CVS Sync
...
- jmc@cvs.openbsd.org 2008/06/26 06:59:39
[moduli.5]
tweak previous;
2011-08-07 23:09:20 +10:00
Damien Miller
765f8c4eff
- djm@cvs.openbsd.org 2011/08/02 23:15:03
...
[ssh.c]
typo in comment
2011-08-06 06:18:16 +10:00
Damien Miller
c471860d25
- djm@cvs.openbsd.org 2011/08/02 23:13:01
...
[version.h]
crank now, release later
2011-08-06 06:17:48 +10:00
Damien Miller
20bd4535c0
- djm@cvs.openbsd.org 2011/08/02 01:22:11
...
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
Damien Miller
adb467fb69
- markus@cvs.openbsd.org 2011/08/01 19:18:15
...
[gss-serv.c]
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
report Adam Zabrock; ok djm@, deraadt@
2011-08-06 06:16:46 +10:00
Damien Miller
35e48198a8
- djm@cvs.openbsd.org 2011/07/29 14:42:45
...
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
2011-08-06 06:16:23 +10:00
Damien Miller
6ea5e44871
- tedu@cvs.openbsd.org 2011/07/06 18:09:21
...
[authfd.c]
bzero the agent address. the kernel was for a while very cranky about
these things. even though that's fixed, always good to initialize
memory. ok deraadt djm
2011-08-06 06:16:00 +10:00
Damien Miller
7741ce8bd2
- djm@cvs.openbsd.org 2011/06/23 23:35:42
...
[monitor.c]
ignore EINTR errors from poll()
2011-08-06 06:15:15 +10:00
Damien Miller
cd5e52ee78
- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
...
Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing
markus@
2011-06-27 07:18:18 +10:00
Damien Miller
dcbd41e7af
- djm@cvs.openbsd.org 2011/06/23 09:34:13
...
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 19:45:51 +10:00
Damien Miller
80b62e3738
- (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support
...
setrlimit(2)
2011-06-23 19:03:18 +10:00
Damien Miller
6d7b4377dd
- djm@cvs.openbsd.org 2011/06/22 22:08:42
...
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
Damien Miller
69ff1df952
- djm@cvs.openbsd.org 2011/06/22 21:57:01
...
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
2011-06-23 08:30:03 +10:00
Damien Miller
82c558761d
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/06/22 21:47:28
[servconf.c]
reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-23 08:20:30 +10:00
Damien Miller
4ac99c366c
- djm@cvs.openbsd.org 2011/06/17 21:57:25
...
[clientloop.c]
setproctitle for a mux master that has been gracefully stopped;
bz#1911 from Bert.Wesarg AT googlemail.com
2011-06-20 14:43:31 +10:00
Damien Miller
33322127ec
- djm@cvs.openbsd.org 2011/06/17 21:47:35
...
[servconf.c]
factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@
2011-06-20 14:43:11 +10:00
Damien Miller
f145a5be1c
- djm@cvs.openbsd.org 2011/06/17 21:46:16
...
[sftp-server.c]
the protocol version should be unsigned; bz#1913 reported by mb AT
smartftp.com
2011-06-20 14:42:51 +10:00
Damien Miller
8f0bf237d4
- djm@cvs.openbsd.org 2011/06/17 21:44:31
...
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 14:42:23 +10:00
Damien Miller
e7ac2bd42a
- markus@cvs.openbsd.org 2011/06/14 22:49:18
...
[authfile.c]
make sure key_parse_public/private_rsa1() no longer consumes its input
buffer. fixes ssh-add for passphrase-protected ssh1-keys;
noted by naddy@; ok djm@
2011-06-20 14:23:25 +10:00
Damien Miller
6029e076b2
- djm@cvs.openbsd.org 2011/06/04 00:10:26
...
[ssh_config.5]
explain IdentityFile's semantics a little better, prompted by bz#1898
ok dtucker jmc
2011-06-20 14:22:49 +10:00
Tim Rice
bc481570d1
- (tim) [regress/cfgmatch.sh] Build/test out of tree fix.
2011-06-02 22:26:19 -07:00
Darren Tucker
bf4d05a37c
- dtucker@cvs.openbsd.org 2011/06/03 00:29:52
...
[regress/dynamic-forward.sh]
Retry establishing the port forwarding after a small delay, should make
the tests less flaky when the previous test is slow to shut down and free
up the port.
2011-06-03 14:19:02 +10:00
Darren Tucker
75e035c34e
- dtucker@cvs.openbsd.org 2011/05/31 02:03:34
...
[regress/dynamic-forward.sh]
work around startup and teardown races; caught by deraadt
2011-06-03 14:18:17 +10:00
Darren Tucker
260c8fbc4d
- dtucker@cvs.openbsd.org 2011/05/31 02:01:58
...
[regress/dynamic-forward.sh]
back out revs 1.6 and 1.5 since it's not reliable
2011-06-03 14:17:27 +10:00
Darren Tucker
3e78a516a0
- dtucker@cvs.openbsd.org 2011/06/03 01:37:40
...
[ssh-agent.c]
Check current parent process ID against saved one to determine if the parent
has exited, rather than attempting to send a zero signal, since the latter
won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn
Gillmor, ok djm@
2011-06-03 14:14:16 +10:00
Damien Miller
c09182f613
- (djm) [configure.ac] enable setproctitle emulation for OS X
2011-06-03 12:11:38 +10:00
Damien Miller
ea2c1a4dc6
- djm@cvs.openbsd.org 2011/06/03 00:54:38
...
[ssh.c]
bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
AT googlemail.com; ok dtucker@
NB. includes additional portability code to enable setproctitle emulation
on platforms that don't support it.
2011-06-03 12:10:22 +10:00
Darren Tucker
c3c7227ccc
add missing changelog entry
2011-06-03 11:20:06 +10:00
Tim Rice
90f42b0705
- (tim) [configure.ac defines.h] Run test program to detect system mail
...
directory. Add --with-maildir option to override. Fixed OpenServer 6
getting it wrong. Fixed many systems having MAIL=/var/mail//username
ok dtucker
2011-06-02 18:17:49 -07:00
Darren Tucker
c412c1567b
- (dtucker) [README version.h contrib/caldera/openssh.spec
...
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
bumps from the 5.8p2 branch into HEAD. ok djm.
2011-06-03 10:35:23 +10:00
Damien Miller
8cb3587336
- djm@cvs.openbsd.org 2011/05/23 03:31:31
...
[regress/cfgmatch.sh]
include testing of multiple/overridden AuthorizedKeysFiles
refactor to simplify daemon start/stop and get rid of racy constructs
2011-05-29 21:59:10 +10:00
Damien Miller
295ee63ab2
- djm@cvs.openbsd.org 2011/05/24 07:15:47
...
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
Remove undocumented legacy options UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller
04bb56ef10
- djm@cvs.openbsd.org 2011/05/23 07:24:57
...
[authfile.c]
read in key comments for v.2 keys (though note that these are not
passed over the agent protocol); bz#439, based on patch from binder
AT arago.de; ok markus@
2011-05-29 21:42:08 +10:00
Damien Miller
b9132fc427
- jmc@cvs.openbsd.org 2011/05/23 07:10:21
...
[sshd.8 sshd_config.5]
tweak previous; ok djm
2011-05-29 21:41:40 +10:00