Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
Improve pkcs11_add_provider() logging: demote some
excessively verbose error()s to debug()s, include PKCS#11 provider name and
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
Fix logic in add_local_forward() that inverted a test
when code was refactored out into bind_permitted(). This broke ssh port
forwarding for non-priv ports as a non root user.
ok dtucker@ 'looks good' deraadt@
Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
getdefaultproj() returns a pointer so test it for NULL inequality
instead of >0. Fixes compiler warning and is more correct. Patch from
David Binderman.
Factor out "can bind to low ports" check into its own function. This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
deraadt@.
Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
When tearing down ControlMaster connecctions, don't
pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@.
Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced
Make links to openssh.com HTTPS now that it's supported, point release
notes link to the HTML release notes page, and update a couple of other
links and bits of text.
Remove channel_input_port_forward_request(); the only caller
was the recently-removed SSH1 server code so it's now dead code. ok markus@
Upstream-ID: 05453983230a1f439562535fec2818f63f297af9
Install a signal handler for tty-generated signals and
wait for the ssh child to suspend before suspending sftp. This lets ssh
restore the terminal mode as needed when it is suspended at the password
prompt. OK dtucker@
Upstream-ID: a31c1f42aa3e2985dcc91e46e6a17bd22e372d69
Author: miller@openbsd.org:
Avoid generate SIGTTOU when restoring the terminal mode. If we get
SIGTTOU it means the process is not in the foreground process group
which, in most cases, means that the shell has taken control of the tty.
Requiring the user the fg the process in this case doesn't make sense
and can result in both SIGTSTP and SIGTTOU being sent which can lead to
the process being suspended again immediately after being brought into
the foreground.
fix the KEX fuzzer - the previous method of obtaining the
packet contents was broken. This now uses the new per-packet input hook, so
it sees exact post-decrypt packets and doesn't have to pass packet integrity
checks. ok markus@
Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd
In ssh tests set REGRESS_FAIL_EARLY with ?= so that the
environment can change it. OK djm@
Upstream-Regress-ID: 77bcb50e47b68c7209c7f0a5a020d73761e5143b
Add a per-packet input hook that is called with the
decrypted packet contents. This will be used for fuzzing; ok markus@
Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
revision 1.23
date: 2010/05/14 13:30:34; author: millert; state: Exp; lines: +41 -39;
Defer installing signal handlers until echo is disabled so that we
get suspended normally when not the foreground process. Fix potential
infinite loop when restoring terminal settings if process is in the
background when restore occurs. OK miod@
tidy up the formatting in this file. more specifically,
replace .Dq, which looks appalling, with .Cm, where appropriate;
Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
Add a makefile rule to create the ssh library when
regress needs it. This allows to run the ssh regression tests without doing
a "make build" before. Discussed with dtucker@ and djm@; OK djm@
Upstream-Regress-ID: ce489bd53afcd471225a125b4b94565d4717c025
Allow to run ssh regression tests as root. If the user
is already root, the test should not expect that SUDO is set. If ssh needs
another user, use sudo or doas to switch from root if necessary. OK dtucker@
Upstream-Regress-ID: b464e55185ac4303529e3e6927db41683aaeace2
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
server acts as a proxy, translates channel IDs and relays to the server. - no
filedescriptor passing necessary. - combined with unix-domain forwarding it's
even possible to run mux client and server on different machines. feedback
& ok djm@
Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
put back some pre-auth zlib bits that I shouldn't have
removed - they are still used by the client. Spotted by naddy@
Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd
for >10 years.
Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
Avoid a theoretical signed integer overflow should
BN_num_bytes() ever violate its manpage and return a negative value. Improve
order of tests to avoid confusing increasingly pedantic compilers.
Reported by Guido Vranken from stack (css.csail.mit.edu/stack)
unstable optimisation analyser output. ok deraadt@
Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505
organise the token stuff into a separate section; ok
markus for an earlier version of the diff ok/tweaks djm
Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
djm@openbsd.org
Darren Tucker
Damien Miller
jsg@openbsd.org
dtucker@openbsd.org
millert@openbsd.org
jmc@openbsd.org
natano@openbsd.org
bluhm@openbsd.org
markus@openbsd.org