transfer ownership of stdout to the session channel by
dup2'ing /dev/null to fd 1. This allows propagation of remote stdout close to
the local side; reported by David Newall, ok markus@
Upstream-ID: 8d9ac18a11d89e6b0415f0cbf67b928ac67f0e79
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@
Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.
ListenAddress 0.0.0.0 rdomain 4
Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
Expose devices allocated for tun/tap forwarding.
At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
ok markus
Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
Add URI support to ssh, sftp and scp. For example
ssh://user@host or sftp://user@host/path. The connection parameters
described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
the ssh fingerprint format in the draft uses md5 with no way to specify the
hash function type. OK djm@
Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
In the description of pattern-lists, clarify negated
matches by explicitly stating that a negated match will never yield a
positive result, and that at least one positive term in the pattern-list must
match. bz#1918
Upstream-ID: 652d2f9d993f158fc5f83cef4a95cd9d95ae6a14
trim permitrootlogin description somewhat, to avoid
ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and
myself
ok sthen schwarze deraadt
Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2
BIO_get_mem_data() is supposed to take a char* as pointer
argument, so don't pass it a const char*
Upstream-ID: 1ccd91eb7f4dd4f0fa812d4f956987cd00b5f6ec
replace statically-sized arrays in ServerOptions with
dynamic ones managed by xrecallocarray, removing some arbitrary (though
large) limits and saving a bit of memory; "much nicer" markus@
Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
fix (another) problem in PermitOpen introduced during the
channels.c refactor: the third and subsequent arguments to PermitOpen were
being silently ignored; ok markus@
Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
We don't support openssl-1.1.x yet (see multiple threads on the
openssh-unix-dev@ mailing list for the reason), but previously
./configure would accept it and the compilation would subsequently
fail. This makes ./configure display an explicit error message and
abort.
ok dtucker@
On some platforms (AIX, maybe others) allocating zero bytes of memory
via the various *alloc functions returns NULL, which is permitted
by the standards. Autoconf has some macros for detecting this (with
the exception of calloc for some reason) so use these and if necessary
activate shims for them. ok djm@
fix inverted test on channel open failure path that
"upgraded" a transient failure into a fatal error; reported by sthen and also
seen by benno@; ok sthen@
Upstream-ID: b58b3fbb79ba224599c6cd6b60c934fc46c68472
write the correct buffer when tunnel forwarding; doesn't
matter on OpenBSD (they are the same) but does matter on portable where we
use an output filter to translate os-specific tun/tap headers
Upstream-ID: f1ca94eff48404827b12e1d12f6139ee99a72284
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.
The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.
help and ok djm@
Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
Use strsignal in debug message instead of casting for the
benefit of portable where sig_atomic_t might not be int. "much nicer"
deraadt@
Upstream-ID: 2dac6c1e40511c700bd90664cd263ed2299dcf79
Use explicit_bzero() instead of bzero() before free() to
prevent the compiler from optimizing away the bzero() call. OK djm@
Upstream-ID: cdc6197e64c9684c7250e23d60863ee1b53cef1d
djm@openbsd.org
millert@openbsd.org
jmc@openbsd.org
Damien Miller
benno@openbsd.org
dtucker@openbsd.org
Darren Tucker
markus@openbsd.org