don't dereference authctxt before testing != NULL, it
causes compilers to make assumptions; from Karsten Weiss
Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
Account for timeouts in the integrity tests as failures.
If the first test in a series for a given MAC happens to modify the low
bytes of a packet length, then ssh will time out and this will be
interpreted as a test failure. Patch from cjwatson at debian.org via
bz#2658.
Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
Make forwarding test less racy by using unix domain
sockets instead of TCP ports where possible. Patch from cjwatson at
debian.org via bz#2659.
Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
Fix typo in ~C error message for bad port forward
cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's
bugtracker.
Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
The POSIX APIs that that sockaddrs all ignore the s*_len
field in the incoming socket, so userspace doesn't need to set it unless it
has its own reasons for tracking the size along with the sockaddr.
ok phessler@ deraadt@ florian@
Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
sshd_config is documented to set
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
bz#2637 ok dtucker
Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
Avoid confusing error message when attempting to use
ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583
Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
Re-add '%k' token for AuthorizedKeysCommand which was
lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn
Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com
Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
Use LOGNAME to get current user and fall back to whoami if
not set. Mainly to benefit -portable since some platforms don't have whoami.
Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
Add regression test for AllowUsers and DenyUsers. Patch from
Zev Weiss <zev at bewilderbeest.net>
Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
revert to rev1.2; the new bits in this test depend on changes
to ssh that aren't yet committed
Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
Move the "stop sshd" code into its own helper function.
Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@
Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
regression test for certificates along with private key
with no public half. bz#2617, mostly from Adam Eijdenberg
Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
log connections dropped in excess of MaxStartups at
verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@
Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
Turkish locales are unique in their handling of the letters 'i' and
'I' (yes, they are different letters) and OpenSSH isn't remotely
prepared to deal with that. For now, the best we can do is to force
OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
encoding if possible.
ok dtucker@
make IdentityFile successfully load and use certificates that
have no corresponding bare public key. E.g. just a private id_rsa and
certificate id_rsa-cert.pub (and no id_rsa.pub).
bz#2617 ok dtucker@
Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
Fix public key authentication when multiple
authentication is in use. Instead of deleting and re-preparing the entire
keys list, just reset the 'used' flags; the keys list is already in a good
order (with already- tried keys at the back)
Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@
Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
Unlink PidFile on SIGHUP and always recreate it when the
new sshd starts. Regression tests (and possibly other things) depend on the
pidfile being recreated after SIGHUP, and unlinking it means it won't contain
a stale pid if sshd fails to restart. ok djm@ markus@
Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
add a whitelist of paths from which ssh-agent will load
(via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
djm@openbsd.org
dtucker@openbsd.org
guenther@openbsd.org
jmc@openbsd.org
Darren Tucker
Damien Miller