[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@
[sftp-client.c]
rename flag arguments to be more clear and consistent.
reorder some internal function arguments to make adding additional flags
easier.
no functional change
[sftp-server.8 sftp-server.c]
Add ability to whitelist and/or blacklist sftp protocol requests by name.
Refactor dispatch loop and consolidate read-only mode checks.
Make global variables static, since sftp-server is linked into sshd(8).
ok dtucker@
[dh.c dh.h]
Increase the size of the Diffie-Hellman groups requested for a each
symmetric key size. New values from NIST Special Publication 800-57 with
the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
djm@.
[channels.c]
bz#1297 - tell the client (via packet_send_debug) when their preferred
listen address has been overridden by the server's GatewayPorts;
ok dtucker@
[progressmeter.c]
store the initial file offset so the progress meter doesn't freak out
when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@
[ssh_config]
Remove gssapi config parts from ssh_config, as was already done for
sshd_config. Req by/ok ajacoutot@
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
[channels.c]
avoid unaligned access in code that reused a buffer to send a
struct in_addr in a reply; simpler just use use buffer_put_int();
from portable; spotted by and ok dtucker@
[sshd_config]
Remove commented-out kerberos/gssapi config options from sample config,
kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
various people; ok deraadt@
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
[ssh-keygen.c sshconnect1.c sshd.c]
All the instances of arc4random_stir() are bogus, since arc4random()
does this itself, inside itself, and has for a very long time.. Actually,
this was probably reducing the entropy available.
ok djm
ID SYNC ONLY for portable; we don't trust other arc4random implementations
to do this right.
[ssh-keygen.c]
improve batch processing a bit by making use of the quite flag a bit
more often and exit with a non zero code if asked to find a hostname
in a known_hosts file and it wasn't there;
originally from reyk@, ok djm
[sshd.c]
Stir PRNG after post-accept fork. The child gets a different PRNG state
anyway via rexec and explicit privsep reseeds, but it's good to be sure.
ok markus@
[readconf.c readconf.h ssh_config.5 sshconnect.c]
Add a ssh_config ProxyUseFDPass option that supports the use of
ProxyCommands that establish a connection and then pass a connected
file descriptor back to ssh(1). This allows the ProxyCommand to exit
rather than have to shuffle data back and forth and enables ssh to use
getpeername, etc. to obtain address information just like it does with
regular directly-connected sockets. ok markus@
[sftp-client.c]
two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller
[sftp-client.c sftp-client.h sftp.c]
add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.
intended for use in regress tests, so no documentation.
CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
CLOCK_MONOTONIC define but don't actually support it. Found and tested
by Kevin Brott, ok djm.
Damien Miller
Darren Tucker