TCP connect. The connection phase of the SSH session is time-sensitive (due
to server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after
authentication completes.
ok dtucker@
OpenBSD-Commit-ID: f31ab10d9233363a6d2c9996007083ba43a093f1
report the type because it is ambiguous as to whether it referred to the
known or new host key. bz3216; ok dtucker@
OpenBSD-Commit-ID: 2d5ce4a83dbcf44e340a572e361decad8aab7bad
read-only directory, ensure that the directory is created with write and
execute permissions in the interim so that we can actually complete the
transfer, then set the directory permission as the final step. (The execute
bit is only likely to be an issue with a non-POSIX server). bz#3222, ok djm@
OpenBSD-Commit-ID: a82606212f2796e31f0e1af94a63355a7ad5d903
find_by_key_ctx struct. Initializing a single member should be enough
(the spec says the remainder should be initialized as per the static
rules) but some GCCs warn on this which prevents us testing with -Werror
on those. ok deraadt@ djm@
OpenBSD-Commit-ID: 687126e60a27d30f02614760ef3c3ae4e8d6af28
make it easier to determine which connection they are associated with in
cases like scp -3, ProxyJump, etc. bz#3224 ok dtucker
OpenBSD-Commit-ID: 67e6189b04b46c867662f8a6759cf3ecb5f59170
It was only set by the recently removed AC_HEADER_TIME macro, replace
with simple inclusions of both sys/time.h and time.h. Should prevent
mis-detection of struct timespec.
any other host names/addresses already associated with the key. E.g.
> The authenticity of host 'test (10.0.0.1)' can't be established.
> ECDSA key fingerprint is SHA256:milU4MODXm8iJQI18wlsbPG7Yup+34fuNNmV08qDnax.
> This host key is known by the following other names/addresses:
> ~/.ssh/known_hosts:1: host.example.org,10.0.0.1
> ~/.ssh/known_hosts:2: [hashed name]
> ~/.ssh/known_hosts:3: [hashed name]
> ~/.ssh/known_hosts:4: host
> ~/.ssh/known_hosts:5: [host]:2222
> Are you sure you want to continue connecting (yes/no/[fingerprint])?
feedback and ok markus@
OpenBSD-Commit-ID: f6f58a77b49f1368b5883b3a1f776447cfcc7ef4
ConnectTimeout is specified, capping the effective value (for most platforms)
at 24 days. bz#3229, ok djm@
OpenBSD-Commit-ID: 62d4c4b7b87d111045f8e9f28b5b532d17ac5bc0
This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations. This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some other
PAM application.
Based on github PR#212 from Mike Scott but implemented slightly
differently. ok tim@ djm@
Preprocessor directives inside macro calls, such as the new log macros,
are undefined behaviour and do not work with, eg old GCCs. Put the
entire log call inside the ifdef for OPENSSL_HAS_NISTP521.
The log calls are themselves now macros, and preprocessor directives inside
macro arguments are undefined behaviour which some compilers (eg old GCCs)
choke on. It also makes the code tidier. ok deraadt@
OpenBSD-Commit-ID: cc12a9029833d222043aecd252d654965c351a69
We needed a mkdtemp() that accepted template paths that did not
end in XXXXXX a long time ago for KRB4, but that code is long
deprecated. We no longer need to replace mkdtemp() for strictly
following POSIX. ok dtucker@
dtucker@openbsd.org
djm@openbsd.org
Darren Tucker
Damien Miller
claudio@openbsd.org
Duncan Eastoe