[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
[packet.c ssh_config.5 sshd_config.5]
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
[regress/keys-command.sh]
Fix some problems with the keys-command test:
- use string comparison rather than numeric comparison
- check for existing KEY_COMMAND file and don't clobber if it exists
- clean up KEY_COMMAND file if we do create it.
- check that KEY_COMMAND is executable (which it won't be if eg /var/run
is mounted noexec).
ok djm.
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
[monitor.c monitor.h]
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.
Fix multiple authentication when one of the methods is
keyboard-interactive.
ok markus@
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
[ssh-add.1 ssh-add.c]
make deleting explicit keys "ssh-add -d" symmetric with adding keys -
try to delete the corresponding certificate too and respect the -k option
to allow deleting of the key only; feedback and ok markus@
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids
and gids from uidswap.c to the compat library, which allows it to work with
the new setresuid calls in auth2-pubkey. with tim@, ok djm@
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
[sshd_config.5]
Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
[auth2-pubkey.c sshd.c sshd_config.5]
Remove default of AuthorizedCommandUser. Administrators are now expected
to explicitly specify a user. feedback and ok markus@
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
[sshd.c sshd_config sshd_config.5]
new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@
[regress/multiplex.sh]
use -Ocheck and waiting for completions by PID to make multiplexing test
less racy and (hopefully) more reliable on slow hardware.
[regress/multiplex.sh]
Log -O cmd output to the log file and make logging consistent with the
other tests. Test clean shutdown of an existing channel when testing
"stop".
[clientloop.c]
when muxmaster is run with -N, make it shut down gracefully when a client
sends it "-O stop" rather than hanging around (bz#1985). ok djm@
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
(note: previous commit with this description was a mistake on my part while
pulling changes from OpenBSD)
[clientloop.c log.c ssh.1 log.h]
Add ~v and ~V escape sequences to raise and lower the logging level
respectively. Man page help from jmc, ok deraadt jmc
[compat.c sshconnect.c]
Send client banner immediately, rather than waiting for the server to
move first for SSH protocol 2 connections (the default). Patch based on
one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
[clientloop.c clientloop.h mux.c]
Force a clean shutdown of ControlMaster client sessions when the ~. escape
sequence is used. This means that ~. should now work in mux clients even
if the server is no longer responding. Found by tedu, ok djm.
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
[ssh.c]
move setting of tty_flag to after config parsing so RequestTTY options
are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
ok dtucker@
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@
[regress/try-ciphers.sh regress/cipher-speed.sh]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus
Damien Miller
Darren Tucker
Tim Rice