wrap all moduli-related code in #ifdef WITH_OPENSSL.
based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@
Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
Increase the allowed length of the known host file name
in the log message to be consistent with other cases. Part of bz#1993, ok
deraadt.
Upstream-ID: a9e97567be49f25daf286721450968251ff78397
Reorder client proposal to prefer
diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
Add a stronger (4k bit) fallback group that sshd can use
when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok
markus@ (earlier version), djm@
Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
support PKCS#11 devices with external PIN entry devices
bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
Cap DH-GEX group size at 4kbits for Cisco implementations.
Some of them will choke when asked for preferred sizes >4k instead of
returning the 4k group that they do have. bz#2209, ok djm@
Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
Reorder EscapeChar option parsing to avoid a single-byte
out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
Support "ssh-keygen -lF hostname" to find search known_hosts
and print key hashes. Already advertised by ssh-keygen(1), but not delivered
by code; ok dtucker@
Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
add AuthorizedPrincipalsCommand that allows getting
authorized_principals from a subprocess rather than a file, which is quite
useful in deployments with large userbases
feedback and ok markus@
Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
support arguments to AuthorizedKeysCommand
bz#2081 loosely based on patch by Sami Hartikainen
feedback and ok markus@
Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
refactor: split base64 encoding of pubkey into its own
sshkey_to_base64() function and out of sshkey_write(); ok markus@
Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
getentropy() and sendsyslog() have been around long
enough. openssh-portable may want the #ifdef's but not base. discussed with
djm few weeks back
Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
Use a salted hash of the lock passphrase instead of plain
text and do constant-time comparisons of it. Should prevent leaking any
information about it via timing, pointed out by Ryan Castellucci. Add a 0.1s
incrementing delay for each failed unlock attempt up to 10s. ok markus@
(earlier version), djm@
Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f
- tedu@cvs.openbsd.org 2015/01/12 03:20:04
[bcrypt_pbkdf.c]
rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
nor are they the same size.
Remove pattern length argument from match_pattern_list(), we
only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.
ok markus@
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal()
to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
a couple of parse targets were missing activep checks,
causing them to be misapplied in match context; bz#2272 diagnosis and
original patch from Sami Hartikainen ok dtucker@
prevent authorized_keys options picked up on public key
tests without a corresponding private key authentication being applied to
other authentication methods. Reported by halex@, ok markus@
Don't make parsing of authorized_keys' environment=
option conditional on PermitUserEnv - always parse it, but only use the
result if the option is enabled. This prevents the syntax of authorized_keys
changing depending on which sshd_config options were enabled.
bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
Remove pattern length argument from match_pattern_list(), we
only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.
ok markus@
Add a simple regression test for sshd's configuration
parser. Right now, all it does is run the output of sshd -T back through
itself and ensure the output is valid and invariant.
Damien Miller
djm@openbsd.org
dtucker@openbsd.org
Darren Tucker
jsg@openbsd.org
deraadt@openbsd.org