Commit Graph

106 Commits

Author SHA1 Message Date
dtucker@openbsd.org 8570177195 upstream: Don't send IUTF8 to servers that don't like them.
Some SSH servers eg "ConfD" drop the connection if the client sends the
new IUTF8 (RFC8160) terminal mode even if it's not set.  Add a bug bit
for such servers and avoid sending IUTF8 to them.  ok djm@

OpenBSD-Commit-ID: 26425855402d870c3c0a90491e72e2a8a342ceda
2018-02-16 23:25:48 +11:00
djm@openbsd.org 14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
dtucker@openbsd.org 2985d4062e upstream commit
Make WinSCP patterns for SSH_OLD_DHGEX more specific to
exclude WinSCP 5.10.x and up.  bz#2748, from martin at winscp.net, ok djm@

Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
2017-07-28 13:08:37 +10:00
djm@openbsd.org 97f4d3083b upstream commit
remove compat20/compat13/compat15 variables

ok markus@

Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
2017-05-01 09:42:37 +10:00
djm@openbsd.org 99f95ba826 upstream commit
remove options.protocol and client Protocol
configuration knob

ok markus@

Upstream-ID: 5a967f5d06e2d004b0235457b6de3a9a314e9366
2017-05-01 09:38:46 +10:00
djm@openbsd.org 56912dea6e upstream commit
unifdef WITH_SSH1 ok markus@

Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-05-01 09:37:40 +10:00
djm@openbsd.org 68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
dtucker@openbsd.org 7ec4946fb6 upstream commit
Back out 'plug memleak'.

Upstream-ID: 4faacdde136c24a961e24538de373660f869dbc0
2016-06-06 11:25:37 +10:00
dtucker@openbsd.org a0cb7778fb upstream commit
Plug mem leak in filter_proposal.  ok djm@

Upstream-ID: bf968da7cfcea2a41902832e7d548356a4e2af34
2016-06-06 11:25:37 +10:00
djm@openbsd.org 8543d4ef6f upstream commit
Better compat matching for WinSCP, add compat matching
 for FuTTY (fork of PuTTY); ok markus@ deraadt@

Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
2015-08-20 13:07:42 +10:00
djm@openbsd.org b6ea0e5730 upstream commit
add Cisco to the list of clients that choke on the
 hostkeys update extension. Pointed out by Howard Kash

Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
2015-07-29 19:35:41 +10:00
dtucker@openbsd.org b1dc2b3368 upstream commit
Add "PuTTY_Local:" to the clients to which we do not
 offer DH-GEX. This was the string that was used for development versions
 prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
 there are some extant products based on those versions.  bx2424 from Jay
 Rouman, ok markus@ djm@

Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
2015-07-15 15:38:02 +10:00
dtucker@openbsd.org b282fec1aa upstream commit
Cap DH-GEX group size at 4kbits for Cisco implementations.
 Some of them will choke when asked for preferred sizes >4k instead of
 returning the 4k group that they do have.  bz#2209, ok djm@

Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
2015-05-27 13:47:19 +10:00
djm@openbsd.org e661a86353 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:38:04 +10:00
dtucker@openbsd.org ea139507be upstream commit
Blacklist DH-GEX for specific PuTTY versions known to
 send non-RFC4419 DH-GEX messages rather than all versions of PuTTY.
 According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX
 messages.  ok djm@
2015-05-08 13:32:57 +10:00
dtucker@openbsd.org b58234f00e upstream commit
WinSCP doesn't implement RFC4419 DH-GEX so flag it so we
 don't offer that KEX method.  ok markus@
2015-05-08 13:32:56 +10:00
djm@openbsd.org 318be28cda upstream commit
deprecate ancient, pre-RFC4419 and undocumented
 SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems
 reasonable" dtucker@
2015-04-13 14:37:20 +10:00
dtucker@openbsd.org d8f391caef upstream commit
Don't send hostkey advertisments
 (hostkeys-00@openssh.com) to current versions of Tera Term as they can't
 handle them.  Newer versions should be OK.  Patch from Bryan Drewery and
 IWAMOTO Kouichi, ok djm@
2015-04-13 14:37:19 +10:00
djm@openbsd.org 4492a4f222 upstream commit
treat Protocol=1,2|2,1 as Protocol=2 when compiled
 without SSH1 support; ok dtucker@ millert@
2015-04-13 14:37:17 +10:00
markus@openbsd.org 48b3b2ba75 upstream commit
store compat flags in struct ssh; ok djm@
2015-01-20 09:19:40 +11:00
djm@openbsd.org 5c0dafd38b upstream commit
another -Wpointer-sign from clang
2014-10-13 11:39:23 +11:00
Damien Miller b628cc4c3e - djm@cvs.openbsd.org 2014/04/20 02:49:32
[compat.c]
     add a canonical 6.6 + curve25519 bignum fix fake version that I can
     recommend people use ahead of the openssh-6.7 release
2014-04-20 13:33:58 +10:00
Damien Miller 0e6b67423b - djm@cvs.openbsd.org 2014/04/19 05:54:59
[compat.c]
     missing wildcard; pointed out by naddy@
2014-04-20 13:27:01 +10:00
Damien Miller 9395b28223 - djm@cvs.openbsd.org 2014/04/18 23:52:25
[compat.c compat.h sshconnect2.c sshd.c version.h]
     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
     using the curve25519-sha256@libssh.org KEX exchange method to fail
     when connecting with something that implements the spec properly.

     Disable this KEX method when speaking to one of the affected
     versions.

     reported by Aris Adamantiadis; ok markus@
2014-04-20 13:25:30 +10:00
Damien Miller 324541e526 - djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     refuse RSA keys from old proprietary clients/servers that use the
     obsolete RSA+MD5 signature scheme. it will still be possible to connect
     with these clients/servers but only DSA keys will be accepted, and we'll
     deprecate them entirely in a future release. ok markus@
2013-12-31 12:25:40 +11:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Darren Tucker 00c1518a4d - djm@cvs.openbsd.org 2012/08/17 01:30:00
[compat.c sshconnect.c]
     Send client banner immediately, rather than waiting for the server to
     move first for SSH protocol 2 connections (the default). Patch based on
     one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
2012-09-06 21:21:56 +10:00
Darren Tucker 68afb8c5f2 - markus@cvs.openbsd.org 2011/09/23 07:45:05
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c     version.h]
     unbreak remote portforwarding with dynamic allocated listen ports:
     1) send the actual listen port in the open message (instead of 0).
        this allows multiple forwardings with a dynamic listen port
     2) update the matching permit-open entry, so we can identify where
        to connect to
     report: den at skbkontur.ru and P. Szczygielski
     feedback and ok djm@
2011-10-02 18:59:03 +11:00
Damien Miller 456e6f0ebb - markus@cvs.openbsd.org 2008/09/11 14:22:37
[compat.c compat.h nchan.c ssh.c]
     only send eow and no-more-sessions requests to openssh 5 and newer;
     fixes interop problems with broken ssh v2 implementations; ok djm@
2008-11-03 19:20:10 +11:00
Damien Miller 1ec462658e - djm@cvs.openbsd.org 2006/12/12 03:58:42
[channels.c compat.c compat.h]
     bz #1019: some ssh.com versions apparently can't cope with the
     remote port forwarding bind_address being a hostname, so send
     them an address for cases where they are not explicitly
     specified (wildcard or localhost bind).  reported by daveroth AT
     acm.org; ok dtucker@ deraadt@
2007-01-05 16:26:45 +11:00
Damien Miller d783435315 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
     almost entirely get rid of the culture of ".h files that include .h files"
     ok djm, sort of ok stevesk
     makes the pain stop in one easy step
     NB. portable commit contains everything *except* removing includes.h, as
     that will take a fair bit more work as we move headers that are required
     for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-08-05 12:39:39 +10:00
Damien Miller e7a1e5cf63 - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
[authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
     [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
     [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
     [sshconnect1.c sshd.c xmalloc.c]
     move #include <stdlib.h> out of includes.h
2006-08-05 11:34:19 +10:00
Damien Miller e3476ed03b - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
     move #include <string.h> out of includes.h
2006-07-24 14:13:33 +10:00
Damien Miller 57c30117c1 - djm@cvs.openbsd.org 2006/03/25 13:17:03
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c]
     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
     Theo nuked - our scripts to sync -portable need them in the files
2006-03-26 14:24:48 +11:00
Damien Miller b0fb6872ed - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
     RCSID() can die
2006-03-26 00:03:21 +11:00
Damien Miller f91ee4c3de - djm@cvs.openbsd.org 2005/03/01 10:09:52
[auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
     [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
     [sshd_config.5]
     bz#413: allow optional specification of bind address for port forwardings.
     Patch originally by Dan Astorian, but worked on by several people
     Adds GatewayPorts=clientspecified option on server to allow remote
     forwards to bind to client-specified ports.
2005-03-01 21:24:33 +11:00
Darren Tucker 655a5e0987 - markus@cvs.openbsd.org 2003/11/02 11:01:03
[auth2-gss.c compat.c compat.h sshconnect2.c]
     remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
2003-11-03 20:09:03 +11:00
Damien Miller 7630ee2fa6 - markus@cvs.openbsd.org 2003/08/29 10:03:15
[compat.c compat.h]
     SSH_BUG_K5USER is unused; ok henning@
2003-09-02 22:52:00 +10:00
Darren Tucker 0efd155c3c - markus@cvs.openbsd.org 2003/08/22 10:56:09
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
     gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
     readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
     ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
     support GSS API user authentication; patches from Simon Wilkinson,
     stripped down and tested by Jakob and myself.
2003-08-26 11:49:55 +10:00
Damien Miller d558092522 - (djm) RCSID sync w/ OpenBSD 2003-05-14 13:40:06 +10:00
Damien Miller 996acd2476 *** empty log message *** 2003-04-09 20:59:48 +10:00
Damien Miller d32090426b - markus@cvs.openbsd.org 2003/04/01 10:31:26
[compat.c compat.h kex.c]
     bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@;
     tested by ho@ and myself
2003-04-01 21:44:37 +10:00
Damien Miller e9264973ad - (djm) OpenBSD CVS Sync
- mickey@cvs.openbsd.org 2002/09/27 10:42:09
     [compat.c compat.h sshd.c]
     add a generic match for a prober, such as sie big brother;
     idea from stevesk@; markus@ ok
2002-09-30 11:59:21 +10:00
Damien Miller a0e4559d72 - (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/19 14:53:14
     [compat.c]
2002-09-22 01:25:35 +10:00
Ben Lindstrom c822638794 - markus@cvs.openbsd.org 2002/04/10 08:21:47
[auth1.c compat.c compat.h]
     strip '@' from username only for KerbV and known broken clients, bug #204

Don't mind me.. I just commited a changelog with no patch. <sigh>
2002-04-10 16:22:09 +00:00
Ben Lindstrom cf15944c23 - markus@cvs.openbsd.org 2002/03/25 21:13:51
[channels.c channels.h compat.c compat.h nchan.c]
     don't send stderr data after EOF, accept this from older known (broken)
     sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179
2002-03-26 03:26:24 +00:00
Damien Miller 4e431d4b8e - markus@cvs.openbsd.org 2002/03/06 00:24:39
[compat.c]
     compat.c
2002-03-07 12:59:02 +11:00
Damien Miller 6d6c5d202f - markus@cvs.openbsd.org 2002/03/06 00:23:27
[compat.c dh.c]
     undo
2002-03-07 12:58:42 +11:00
Damien Miller 6ba693f70e - OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/03/06 00:20:54
     [compat.c dh.c]
     compat.c
2002-03-07 12:58:24 +11:00
Damien Miller 914bef437e - markus@cvs.openbsd.org 2002/01/21 22:30:12
[cipher.c compat.c myproposal.h]
     remove "rijndael-*", just use "aes-" since this how rijndael is called
     in the drafts; ok stevesk@
2002-01-22 23:34:35 +11:00