written bytes before the initial timer check so that the first buffer written
is accounted. Set the threshold after which the timer is checked such that
the limit starts being computed as soon as possible, ie after the second
buffer is written. This prevents an initial burst of traffic and provides a
more accurate bandwidth limit. bz#2927, ok djm.
OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6
KEX. It shouldn't be sent in subsequent ones, but if it is present we should
ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
authorized_keys) and -R (remove host from authorized_keys) options may accept
either a bare hostname or a [hostname]:port combo. bz#2935
OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
In 120a1ec74, loginmsg was changed from the legacy Buffer type
to struct sshbuf*, but it missed changing calls to
sys_auth_allowed_user and sys_auth_record_login which passed
loginmsg by address. Now that it's a pointer, just pass it directly.
This only affects AIX, unless there are out of tree users.
channel_init_channels() as we do it anyway in channel_handler_init() that we
call at the end of the function. Fix from Markus Schmidt via bz#2938
OpenBSD-Commit-ID: 74893638af49e3734f1e33a54af1b7ea533373ed
Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus
OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
now always used for SIGUSR1 even when SIGINFO is not defined. This will make
things simpler in -portable.
OpenBSD-Regress-ID: 4ff0265b335820b0646d37beb93f036ded0dc43f
Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
supports it.
Move all libcrypto initialisation to a single function, and call that
from seed_rng() that is called early in each tool's main().
Prompted by patch from Rosen Penev
UNITTEST_FAST?= no # Skip slow tests (e.g. less intensive fuzzing).
UNITTEST_SLOW?= no # Include slower tests (e.g. more intensive fuzzing).
UNITTEST_VERBOSE?= no # Verbose test output (inc. per-test names).
useful if you want to run the tests as a smoke test to exercise the
functionality without waiting for all the fuzzers to run.
OpenBSD-Regress-ID: e04d82ebec86068198cd903acf1c67563c57315e
loading the default hostkeys. Hostkeys explicitly specified in the
configuration or on the command-line are still reported as errors, and
failure to load at least one host key remains a fatal error.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103
ok markus@
OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
/dev/null. Fixes mosh in proxycommand mode that was broken by the previous
ProxyCommand change that was reported by matthieu@. ok djm@ danj@
OpenBSD-Commit-ID: c6fc9641bc250221a0a81c6beb2e72d603f8add6
use-after-free faults if the ancestors are freed before the descendents.
Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn
OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2
socket around for the life of the connection; bz#2912; reported by Simon
Tatham; ok dtucker@
OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
If configure could not find a working OpenSSL installation it would
fall back to checking in /usr/local/ssl. This made sense back when
systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't
use that as a default any more. The fallback behaviour also meant
that if you pointed --with-ssl-dir at a specific directory and it
didn't work, it would silently use either the system libs or the ones
in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to
pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
guarded by OPENSSL_HAS_ECC
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
dtucker@openbsd.org
djm@openbsd.org
Damien Miller
Kevin Adler
jmc@openbsd.org
Darren Tucker
schwarze@openbsd.org
Dag-Erling Smørgrav
Manoj Ampalam
Eneas U de Queiroz