05c8997b33
- markus@cvs.openbsd.org 2010/12/14 11:59:06
...
[sshconnect.c]
don't mention key type in key-changed-warning, since we also print
this warning if a new key type appears. ok djm@
2011-01-06 22:42:04 +11:00
907998df72
- jmc@cvs.openbsd.org 2010/12/09 14:13:33
...
[scp.1 scp.c]
scp.1: grammer fix
scp.c: add -3 to usage()
2011-01-06 22:41:21 +11:00
f12114366b
- markus@cvs.openbsd.org 2010/12/08 22:46:03
...
[scp.1 scp.c]
add a new -3 option to scp: Copies between two remote hosts are
transferred through the local host. Without this option the data
is copied directly between the two remote hosts. ok djm@ (bugzilla #1837 )
2011-01-06 22:40:30 +11:00
30a69e7bba
- (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage
...
formatter if it is present, followed by nroff and groff respectively.
Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports
in favour of mandoc). feedback and ok tim
2011-01-04 08:16:27 +11:00
d197fd64a1
- (djm) [Makefile.in] revert local hack I didn't intend to commit
2011-01-03 14:48:14 +11:00
41bccf75af
- (djm) [configure.ac] Check whether libdes is needed when building
...
with Heimdal krb5 support. On OpenBSD this library no longer exists,
so linking it unconditionally causes a build failure; ok dtucker
2011-01-02 21:53:07 +11:00
4a06f9271f
- (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker
2011-01-02 21:43:59 +11:00
928362dc03
- djm@cvs.openbsd.org 2010/12/08 04:02:47
...
[ssh_config.5 sshd_config.5]
explain that IPQoS arguments are separated by whitespace; iirc requested
by jmc@ a while back
2010-12-26 14:26:45 +11:00
4288c53d04
- djm@cvs.openbsd.org 2010/12/04 00:21:19
...
[regress/sftp-cmds.sh]
adjust for hard-link support
2010-12-05 09:45:50 +11:00
7e1a5a4e1b
- (dtucker) [regress/Makefile] Id sync.
2010-12-05 09:29:31 +11:00
094f1e9934
- djm@cvs.openbsd.org 2010/12/04 13:31:37
...
[hostfile.c]
fix fd leak; spotted and ok dtucker
2010-12-05 09:03:31 +11:00
af1f909254
- djm@cvs.openbsd.org 2010/12/04 00:18:01
...
[sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c]
add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@
2010-12-05 09:02:47 +11:00
adab6f1299
- djm@cvs.openbsd.org 2010/12/03 23:55:27
...
[auth-rsa.c]
move check for revoked keys to run earlier (in auth_rsa_key_allowed)
bz#1829; patch from ldv AT altlinux.org; ok markus@
2010-12-05 09:01:47 +11:00
7336b904ff
- (dtucker) OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/12/03 23:49:26
[schnorr.c]
check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao
(this code is still disabled, but apprently people are treating it as
a reference implementation)
2010-12-05 09:00:30 +11:00
37bb7568ab
- (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from
...
debugging. Spotted by djm.
2010-12-05 08:46:05 +11:00
ebdef76b5d
- (dtucker) [configure.ac moduli.c openbsd-compat/openssl-compat.{c,h}] Add
...
shims for the new, non-deprecated OpenSSL key generation functions for
platforms that don't have the new interfaces.
2010-12-04 23:20:50 +11:00
d89745b9e7
- (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range)
...
instead of (arc4random() % range)
2010-12-03 10:50:26 +11:00
d925dcd8a5
- djm@cvs.openbsd.org 2010/11/29 23:45:51
...
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
[sshconnect.h sshconnect2.c]
automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@
2010-12-01 12:21:51 +11:00
03c0e533de
- markus@cvs.openbsd.org 2010/11/29 18:57:04
...
[authfile.c]
correctly load comment for encrypted rsa1 keys;
report/fix Joachim Schipper; ok djm@
2010-12-01 12:03:39 +11:00
87dc0a4188
- djm@cvs.openbsd.org 2010/11/26 05:52:49
...
[scp.c]
Pass through ssh command-line flags and options when doing remote-remote
transfers, e.g. to enable agent forwarding which is particularly useful
in this case; bz#1837 ok dtucker@
2010-12-01 12:03:19 +11:00
f80c3deaaf
- djm@cvs.openbsd.org 2010/11/25 04:10:09
...
[session.c]
replace close() loop for fds 3->64 with closefrom();
ok markus deraadt dtucker
2010-12-01 12:02:59 +11:00
b7f827ae45
- djm@cvs.openbsd.org 2010/11/24 01:24:14
...
[channels.c]
remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker
2010-12-01 12:02:35 +11:00
d0fdd6818c
- djm@cvs.openbsd.org 2010/11/23 23:57:24
...
[clientloop.c]
avoid NULL deref on receiving a channel request on an unknown or invalid
channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@
2010-12-01 12:02:14 +11:00
6a740e7b92
- djm@cvs.openbsd.org 2010/11/23 02:35:50
...
[auth.c]
use strict_modes already passed as function argument over referencing
global options.strict_modes
2010-12-01 12:01:51 +11:00
a232792783
- djm@cvs.openbsd.org 2010/11/21 10:57:07
...
[authfile.c]
Refactor internals of private key loading and saving to work on memory
buffers rather than directly on files. This will make a few things
easier to do in the future; ok markus@
2010-12-01 12:01:21 +11:00
2cd629349d
- djm@cvs.openbsd.org 2010/11/21 01:01:13
...
[clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c]
honour $TMPDIR for client xauth and ssh-agent temporary directories;
feedback and ok markus@
2010-12-01 11:50:35 +11:00
188ea814b1
- OpenBSD CVS Sync
...
- deraadt@cvs.openbsd.org 2010/11/20 05:12:38
[auth2-pubkey.c]
clean up cases of ;;
2010-12-01 11:50:14 +11:00
73de86ac5a
- (djm) [defines.h] Add IP DSCP defines
2010-11-24 10:50:04 +11:00
4b6cbf7aab
- (dtucker) [packet.c] Remove redundant local declaration of "int tos".
2010-11-24 10:46:37 +11:00
88e341e1ca
- (djm) [loginrec.c] Relax permission requirement on btmp logs to allow
...
group read/write. ok dtucker@
2010-11-24 10:36:15 +11:00
d995712383
- (dtucker) [platform.c session.c] Move the getluid call out of session.c and
...
into the platform-specific code Only affects SCO, tested by and ok tim@.
2010-11-24 10:09:13 +11:00
9e0ff7afc8
- (dtucker) Bug #1840 : fix warning when configuring --with-ssl-engine, patch
...
from vapier at gentoo org.
2010-11-22 17:59:00 +11:00
0a1847347d
- jmc@cvs.openbsd.org 2010/11/18 15:01:00
...
[scp.1 sftp.1 ssh.1 sshd_config.5]
add IPQoS to the various -o lists, and zap some trailing whitespace;
2010-11-20 15:21:03 +11:00
8e1ea4e5a3
- jmc@cvs.openbsd.org 2010/11/15 07:40:14
...
[ssh_config.5]
libary -> library;
2010-11-20 15:20:10 +11:00
0dac6fb6b2
- djm@cvs.openbsd.org 2010/11/13 23:27:51
...
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
[servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
4499f4cc20
- djm@cvs.openbsd.org 2010/11/10 01:33:07
...
[kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c]
use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED.
these have been around for years by this time. ok markus
2010-11-20 15:15:49 +11:00
7a221a1591
- djm@cvs.openbsd.org 2010/11/05 02:46:47
...
[packet.c]
whitespace KNF
2010-11-20 15:14:29 +11:00
dd190ddfd7
- (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on
...
platforms that don't support ECC. Fixes some spurious warnings reported
by tim@
2010-11-11 14:17:02 +11:00
c7a8af03a0
- (tim) [configure.ac openbsd-compat/bsd-misc.h openbsd-compat/bsd-misc.c] Add
...
support for platforms missing isblank(). ok djm@
2010-11-08 14:26:23 -08:00
e426f5e932
- (tim) [regress/kextype.sh] Not all platforms have time in /usr/bin.
...
Feedback from dtucker@
2010-11-08 09:15:14 -08:00
c10aeaa8f2
- (tim) [regress/kextype.sh] Shell portability fix.
2010-11-07 13:03:11 -08:00
522262f8b3
- (tim) [regress/Makefile] Fixes to allow building/testing outside source
...
tree.
2010-11-07 13:00:27 -08:00
d1ece6e4a2
- (dtucker) [platform.c] includes.h instead of defines.h so that we get
...
the correct typedefs.
2010-11-07 18:05:54 +11:00
9283d8cbc5
- (dtucker) [platform.c] Need servconf.h and extern options.
2010-11-05 18:56:08 +11:00
f619d1cad9
- (dtucker) [regress/kextype.sh] Make sha256 test depend on ECC. This is not
...
strictly correct since while ECC requires sha256 the reverse is not true
however it does prevent spurious test failures.
2010-11-05 18:41:50 +11:00
345178d951
- (dtucker) [regress/kextype.sh] Add missing "test".
2010-11-05 18:35:52 +11:00
eab5f0df90
- (dtucker) [Makefile configure.ac regress/Makefile regress/keytype.sh]
...
Import recent changes to regress/Makefile, pass a flag to enable ECC tests
from configure through to regress/Makefile and use it in the tests.
2010-11-05 18:23:38 +11:00
b69e033e67
- (dtucker) [regress/keytype.sh] Import new test.
2010-11-05 18:19:15 +11:00
b12fe272a0
- (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case
...
check into platform.c
2010-11-05 14:47:01 +11:00
cc12418e18
- (dtucker) [platform.c session.c] Move PAM credential establishment for the
...
non-LOGIN_CAP case into platform.c.
2010-11-05 13:32:52 +11:00
0b2ee6452c
- (dtucker) [platform.c session.c] Move irix setusercontext fragment into
...
platform.c.
2010-11-05 13:29:25 +11:00
676b912e78
- (dtucker) platform.c session.c] Move aix_usrinfo frament into platform.c.
2010-11-05 13:11:04 +11:00
7a8afe3186
- (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into
...
platform.c
2010-11-05 13:07:24 +11:00
728d8371a1
- (dtucker) [platform.c session.c] Move the PAM credential establishment for
...
the LOGIN_CAP case into platform.c.
2010-11-05 13:00:05 +11:00
fd4d8aa2cb
- (dtucker) [platform.c] Only call setpgrp on BSDI if running as root to
...
retain previous behavior.
2010-11-05 12:50:41 +11:00
44a97be0cc
- (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c.
2010-11-05 12:45:18 +11:00
4db380701d
- (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into
...
platform.c
2010-11-05 12:41:13 +11:00
920612e45a
- (dtucker) [platform.c platform.h session.c] Add a platform hook to run
...
after the user's groups are established and move the selinux calls into it.
2010-11-05 12:36:15 +11:00
97528353c2
- (dtucker) [configure.ac platform.{c,h} session.c
...
openbsd-compat/port-solaris.{c,h}] Bug #1824 : Add Solaris Project support.
Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
ok djm@
2010-11-05 12:03:05 +11:00
34ee4204c6
- (djm) [loginrec.c loginrec.h] Use correct uid_t/pid_t types instead of
...
int. Should fix bz#1817 cleanly; ok dtucker@
2010-11-05 10:52:37 +11:00
0733121194
- djm@cvs.openbsd.org 2010/11/04 02:45:34
...
[sftp-server.c]
umask should be parsed as octal. reported by candland AT xmission.com;
ok markus@
2010-11-05 10:20:31 +11:00
55fa56505b
- jmc@cvs.openbsd.org 2010/10/28 18:33:28
...
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
b472a90d4c
- djm@cvs.openbsd.org 2010/10/28 11:22:09
...
[authfile.c key.c key.h ssh-keygen.c]
fix a possible NULL deref on loading a corrupt ECDH key
store ECDH group information in private keys files as "named groups"
rather than as a set of explicit group parameters (by setting
the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and
retrieves the group's OpenSSL NID that we need for various things.
2010-11-05 10:19:49 +11:00
3a0e9f6479
- djm@cvs.openbsd.org 2010/09/22 12:26:05
...
[regress/Makefile regress/kextype.sh]
regress test for each of the key exchange algorithms that we support
2010-11-05 10:16:34 +11:00
54b1f3121d
- (dtucker) [defines.h] Use SIZE_T_MAX for SIZE_MAX for platforms that have a
...
native one.
2010-10-25 16:54:28 +11:00
bdd3e67c19
- (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with
...
1.12 to unbreak Solaris build.
ok djm@
2010-10-24 18:35:55 -07:00
7bc236de21
- (dtucker) [defines.h] Add SIZE_MAX for the benefit of platforms that don't
...
have it.
2010-10-24 11:58:43 +11:00
d633fef471
- (dtucker) [regress/cert-userkey.sh] Disable ECC-based tests on platforms
...
which don't have ECC support in libcrypto.
2010-10-24 11:33:07 +11:00
bfd9b1be41
- (dtucker) [regress/cert-hostkey.sh] Disable ECC-based tests on platforms
...
which don't have ECC support in libcrypto.
2010-10-24 11:19:26 +11:00
d78739ab90
- sthen@cvs.openbsd.org 2010/10/23 22:06:12
...
[sftp.c]
escape '[' in filename tab-completion; fix a type while there.
ok djm@
2010-10-24 10:56:32 +11:00
a53939332d
- (dtucker) [includes.h] Add missing ifdef GLOB_HAS_GL_STATV to fix build.
2010-10-24 10:47:30 +11:00
6fd2d7de4b
- djm@cvs.openbsd.org 2010/08/31 12:24:09
...
[regress/cert-hostkey.sh regress/cert-userkey.sh]
tests for ECDSA certificates
2010-10-21 15:27:14 +11:00
68512c0341
- OpenBSD CVS Sync
...
- dtucker@cvs.openbsd.org 2010/10/12 02:22:24
[mux.c]
Typo in confirmation message. bz#1827, patch from imorgan at nas nasa gov
2010-10-21 15:21:11 +11:00
9c0c31d2db
- (djm) [sshconnect.c] Need signal.h for prototype for kill(2)
2010-10-12 13:30:44 +11:00
47e57bfab4
- (djm) [canohost.c] Zero a4 instead of addr to better match type.
...
bz#1825, reported by foo AT mailinator.com
2010-10-12 13:28:12 +11:00
1f78980099
- (djm) [configure.ac] Use = instead of == in shell tests. Patch from
...
dr AT vasco.com
2010-10-11 22:35:22 +11:00
88b844f19b
- (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmp
2010-10-07 22:19:23 +11:00
80e9953938
- (djm) [cipher-acss.c] Add missing header.
2010-10-07 22:12:08 +11:00
37f4f1892f
- (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code.
2010-10-07 22:10:38 +11:00
45fcdaa1cf
- djm@cvs.openbsd.org 2010/10/06 21:10:21
...
[sshconnect.c]
swapped args to kill(2)
2010-10-07 22:07:58 +11:00
a41ccca643
- djm@cvs.openbsd.org 2010/10/06 06:39:28
...
[clientloop.c ssh.c sshconnect.c sshconnect.h]
kill proxy command on fatal() (we already kill it on clean exit);
ok markus@
2010-10-07 22:07:32 +11:00
38d9a965bf
- djm@cvs.openbsd.org 2010/10/05 05:13:18
...
[sftp.c sshconnect.c]
use default shell /bin/sh if $SHELL is ""; ok markus@
2010-10-07 22:07:11 +11:00
9a3d0dc062
- djm@cvs.openbsd.org 2010/10/01 23:05:32
...
[cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h]
adapt to API changes in openssl-1.0.0a
NB. contains compat code to select correct API for older OpenSSL
2010-10-07 22:06:42 +11:00
c54b02c4eb
- djm@cvs.openbsd.org 2010/09/30 11:04:51
...
[servconf.c]
prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no
2010-10-07 21:40:17 +11:00
68e2e56ea9
- djm@cvs.openbsd.org 2010/09/26 22:26:33
...
[sftp.c]
when performing an "ls" in columnated (short) mode, only call
ioctl(TIOCGWINSZ) once to get the window width instead of per-
filename
2010-10-07 21:39:55 +11:00
a6e121aaa0
- djm@cvs.openbsd.org 2010/09/25 09:30:16
...
[sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h]
make use of new glob(3) GLOB_KEEPSTAT extension to save extra server
rountrips to fetch per-file stat(2) information.
NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to
match.
2010-10-07 21:39:17 +11:00
aa18063baf
- matthew@cvs.openbsd.org 2010/09/24 13:33:00
...
[misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h]
[openbsd-compat/timingsafe_bcmp.c]
Add timingsafe_bcmp(3) to libc, mention that it's already in the
kernel in kern(9), and remove it from OpenSSH.
ok deraadt@, djm@
NB. re-added under openbsd-compat/ for portable OpenSSH
2010-10-07 21:25:27 +11:00
2beb32f290
- jmc@cvs.openbsd.org 2010/09/23 13:36:46
...
[scp.1 sftp.1]
add KexAlgorithms to the -o list;
2010-09-24 22:16:03 +10:00
56883e194f
- jmc@cvs.openbsd.org 2010/09/23 13:34:43
...
[sftp.c]
add [-l limit] to usage();
2010-09-24 22:15:39 +10:00
65e42f87fe
- djm@cvs.openbsd.org 2010/09/22 22:58:51
...
[atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c]
[sftp-client.h sftp.1 sftp.c]
add an option per-read/write callback to atomicio
factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism
add a bandwidth limit option to sftp(1) using the above
"very nice" markus@
2010-09-24 22:15:11 +10:00
7fe2b1fec3
- jmc@cvs.openbsd.org 2010/09/22 08:30:08
...
[ssh.1 ssh_config.5]
ssh.1: add kexalgorithms to the -o list
ssh_config.5: format the kexalgorithms in a more consistent
(prettier!) way
ok djm
2010-09-24 22:11:53 +10:00
d5f62bf280
- djm@cvs.openbsd.org 2010/09/22 05:01:30
...
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
[servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.
ok markus@
2010-09-24 22:11:14 +10:00
603134e077
- djm@cvs.openbsd.org 2010/09/20 07:19:27
...
[mux.c]
"atomically" create the listening mux socket by binding it on a temorary
name and then linking it into position after listen() has succeeded.
this allows the mux clients to determine that the server socket is
either ready or stale without races. stale server sockets are now
automatically removed
ok deraadt
2010-09-24 22:07:55 +10:00
18e1cab1a1
- djm@cvs.openbsd.org 2010/09/20 04:54:07
...
[jpake.c]
missing #include
2010-09-24 22:07:17 +10:00
f7540cd5c4
- djm@cvs.openbsd.org 2010/09/20 04:50:53
...
[jpake.c schnorr.c]
check that received values are smaller than the group size in the
disabled and unfinished J-PAKE code.
avoids catastrophic security failure found by Sebastien Martini
2010-09-24 22:03:24 +10:00
857b02e37f
- djm@cvs.openbsd.org 2010/09/20 04:41:47
...
[ssh.c]
install a SIGCHLD handler to reap expiried child process; ok markus@
2010-09-24 22:02:56 +10:00
881adf74eb
- jmc@cvs.openbsd.org 2010/09/19 21:30:05
...
[sftp.1]
more wacky macro fixing;
2010-09-24 22:01:54 +10:00
1ca9469318
- djm@cvs.openbsd.org 2010/09/11 21:44:20
...
[ssh.1]
mention RFC 5656 for ECC stuff
2010-09-24 22:01:22 +10:00
6186bbc7fb
- naddy@cvs.openbsd.org 2010/09/10 15:19:29
...
[ssh-keygen.1]
* mention ECDSA in more places
* less repetition in FILES section
* SSHv1 keys are still encrypted with 3DES
help and ok jmc@
2010-09-24 22:00:54 +10:00
8ccb7392e7
- (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs
...
for missing headers and compiler warnings.
2010-09-10 12:28:24 +10:00
Damien Miller
Darren Tucker
Tim Rice