openssh-portable

Commit Graph

Author	SHA1	Message	Date
Darren Tucker	ca0d0fd806	- dtucker@cvs.openbsd.org 2012/09/07 01:10:21 [clientloop.c] Merge escape help text for ~v and ~V; ok djm@	2012-09-07 11:22:24 +10:00
Darren Tucker	f111d40604	- dtucker@cvs.openbsd.org 2012/09/07 00:30:19 [clientloop.c] Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@	2012-09-07 11:21:42 +10:00
Darren Tucker	83d0af6907	- jmc@cvs.openbsd.org 2012/09/06 13:57:42 [ssh.1] missing letter in previous;	2012-09-07 11:21:03 +10:00
Darren Tucker	92a39cfa09	- dtucker@cvs.openbsd.org 2012/09/06 09:50:13 [clientloop.c] Make the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. ok markus@ (note: previous commit with this description was a mistake on my part while pulling changes from OpenBSD)	2012-09-07 11:20:20 +10:00
Darren Tucker	241995382e	bz#2039: add acknowledgement of the original authors of the ECDSA SSHFP DNS work. From Ondřej Surý.	2012-09-07 10:44:34 +10:00
Darren Tucker	29bf4040b4	- dtucker@cvs.openbsd.org 2012/09/06 09:50:13 [clientloop.c] Make the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. ok markus@	2012-09-06 21:26:34 +10:00
Darren Tucker	50a48d025f	- dtucker@cvs.openbsd.org 2012/09/06 04:37:39 [clientloop.c log.c ssh.1 log.h] Add ~v and ~V escape sequences to raise and lower the logging level respectively. Man page help from jmc, ok deraadt jmc	2012-09-06 21:25:37 +10:00
Darren Tucker	00c1518a4d	- djm@cvs.openbsd.org 2012/08/17 01:30:00 [compat.c sshconnect.c] Send client banner immediately, rather than waiting for the server to move first for SSH protocol 2 connections (the default). Patch based on one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@	2012-09-06 21:21:56 +10:00
Darren Tucker	f09a8a6c6d	- djm@cvs.openbsd.org 2012/08/17 01:25:58 [ssh-keygen.c] print details of which host lines were deleted when using "ssh-keygen -R host"; ok markus@	2012-09-06 21:20:39 +10:00
Darren Tucker	ae608bdd83	- djm@cvs.openbsd.org 2012/08/17 01:22:56 [kex.c] add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change	2012-09-06 21:19:51 +10:00
Darren Tucker	66cb0e0733	- dtucker@cvs.openbsd.org 2012/08/17 00:45:45 [clientloop.c clientloop.h mux.c] Force a clean shutdown of ControlMaster client sessions when the ~. escape sequence is used. This means that ~. should now work in mux clients even if the server is no longer responding. Found by tedu, ok djm.	2012-09-06 21:19:05 +10:00
Darren Tucker	3ee50c5d9f	- jmc@cvs.openbsd.org 2012/08/15 18:25:50 [ssh-keygen.1] a little more info on certificate validity; requested by Ross L Richardson, and provided by djm	2012-09-06 21:18:11 +10:00
Darren Tucker	23e4b80a60	- (dtucker) [moduli] Import new moduli file.	2012-08-30 10:42:47 +10:00
Damien Miller	4eb0a532ef	- (djm) Release openssh-6.1	2012-08-29 10:26:20 +10:00
Darren Tucker	318541854f	- (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN for compatibility with future mingw-w64 headers. Patch from vinschen at redhat com.	2012-08-28 19:57:19 +10:00
Damien Miller	39a9d2c933	- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers	2012-08-22 21:57:13 +10:00
Damien Miller	38fe66230f	- markus@cvs.openbsd.org 2012/07/22 18:19:21 [version.h] openssh 6.1	2012-07-31 12:23:16 +10:00
Damien Miller	46cb75a258	- dtucker@cvs.openbsd.org 2012/07/13 01:35:21 [servconf.c] handle long comments in config files better. bz#2025, ok markus	2012-07-31 12:22:37 +10:00
Damien Miller	1cce103b3e	fix truncated entry	2012-07-31 12:22:18 +10:00
Damien Miller	5a5c2b9063	- djm@cvs.openbsd.org 2012/07/10 02:19:15 [servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too.	2012-07-31 12:21:34 +10:00
Damien Miller	709a1e90d9	- jmc@cvs.openbsd.org 2012/07/06 06:38:03 [ssh-keygen.c] missing full stop in usage();	2012-07-31 12:20:43 +10:00
Darren Tucker	d809a4bc28	Import regened moduli file.	2012-07-20 10:42:06 +10:00
Damien Miller	fff9f095e2	- djm@cvs.openbsd.org 2012/07/06 01:47:38 [ssh.c] move setting of tty_flag to after config parsing so RequestTTY options are correctly picked up. bz#1995 patch from przemoc AT gmail.com; ok dtucker@	2012-07-06 13:45:01 +10:00
Damien Miller	ab523b0246	- djm@cvs.openbsd.org 2012/07/06 01:37:21 [mux.c] fix memory leak of passed-in environment variables and connection context when new session message is malformed; bz#2003 from Bert.Wesarg AT googlemail.com	2012-07-06 13:44:43 +10:00
Damien Miller	dfceafe8b1	- dtucker@cvs.openbsd.org 2012/07/06 00:41:59 [moduli.c ssh-keygen.1 ssh-keygen.c] Add options to specify starting line number and number of lines to process when screening moduli candidates. This allows processing of different parts of a candidate moduli file in parallel. man page help jmc@, ok djm@	2012-07-06 13:44:19 +10:00
Damien Miller	77eab7b024	- (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT esperi.org.uk; ok dtucker@	2012-07-06 11:49:28 +10:00
Damien Miller	a0433a7096	- (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is not available. Allows use of sshd compiled on host with a filter-capable kernel on hosts that lack the support. bz#2011 ok dtucker@	2012-07-06 10:27:10 +10:00
Darren Tucker	34f702ae64	- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for platforms that don't have it. "looks good" tim@	2012-07-04 08:50:09 +10:00
Darren Tucker	d545a4b974	- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its benefit is minor, so it's not worth disabling the sandbox if it doesn't work.	2012-07-03 22:48:31 +10:00
Darren Tucker	60395f91c6	- (dtucker) [configure.ac] Detect platforms that can't use select(2) with setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.	2012-07-03 14:31:18 +10:00
Darren Tucker	6ea5dc6bb8	- (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.	2012-07-03 01:11:28 +10:00
Darren Tucker	ec1e15d51a	- (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh] Move cygwin detection to test-exec and use to skip reexec test on cygwin.	2012-07-03 01:06:49 +10:00
Darren Tucker	369ceedce2	- dtucker@cvs.openbsd.org 2012/07/02 14:37:06 [regress/connect-privsep.sh] remove exit from end of test since it prevents reporting failure	2012-07-03 00:53:18 +10:00
Darren Tucker	4908d44e67	- dtucker@cvs.openbsd.org 2012/07/02 12:13:26 [ssh-pkcs11-helper.c sftp-client.c] fix a couple of "assigned but not used" warnings. ok markus@	2012-07-02 22:15:38 +10:00
Darren Tucker	7b30501bf5	- dtucker@cvs.openbsd.org 2012/07/02 08:50:03 [ssh.c] set interactive ToS for forwarded X11 sessions. ok djm@	2012-07-02 18:55:09 +10:00
Darren Tucker	3b4b2d3021	- markus@cvs.openbsd.org 2012/06/30 14:35:09 [sandbox-systrace.c sshd.c] fix a during the load of the sandbox policies (child can still make the read-syscall and wait forever for systrace-answers) by replacing the read/write synchronisation with SIGSTOP/SIGCONT; report and help hshoexer@; ok djm@, dtucker@	2012-07-02 18:54:31 +10:00
Darren Tucker	ecbf14aa53	- naddy@cvs.openbsd.org 2012/06/29 13:57:25 [ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@	2012-07-02 18:53:37 +10:00
Darren Tucker	14a9d2515b	- (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have the required functions in libcrypto.	2012-06-30 20:05:02 +10:00
Darren Tucker	3886f95d42	- (dtucker) [myproposal.h] Remove trailing backslash to fix compile error	2012-06-30 19:47:01 +10:00
Darren Tucker	a08c20763a	- dtucker@cvs.openbsd.org 2012/06/28 05:07:45 [regress/try-ciphers.sh regress/cipher-speed.sh] Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus	2012-06-30 15:08:53 +10:00
Darren Tucker	2920bc145c	- dtucker@cvs.openbsd.org 2012/06/26 12:06:59 [regress/connect-privsep.sh] test sandbox with every malloc option	2012-06-30 15:06:28 +10:00
Darren Tucker	ff32d7c9d2	- djm@cvs.openbsd.org 2012/06/01 00:52:52 [regress/sftp-cmds.sh] don't delete .* on cleanup due to unintended env expansion; pointed out in bz#2014 by openssh AT roumenpetrov.info	2012-06-30 15:04:13 +10:00
Darren Tucker	4430a86c14	- djm@cvs.openbsd.org 2012/06/01 00:47:35 [multiplex.sh forwarding.sh] append to rather than truncate test log; bz#2013 from openssh AT roumenpetrov.	2012-06-30 15:03:28 +10:00
Darren Tucker	301390316c	- dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [regress/addrmatch.sh] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.	2012-06-30 15:01:22 +10:00
Damien Miller	ee3c196ec7	- naddy@cvs.openbsd.org 2012/06/29 13:57:25 [ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@ (actual patch accidentally committed with previous)	2012-06-30 08:35:59 +10:00
Damien Miller	db4f8e8618	- dtucker@cvs.openbsd.org 2012/06/28 05:07:45 [mac.c myproposal.h ssh_config.5 sshd_config.5] Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.	2012-06-30 08:34:59 +10:00
Damien Miller	560de922b1	- dtucker@cvs.openbsd.org 2012/06/26 11:02:30 [sandbox-systrace.c] Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation sandbox" since malloc now uses it. From johnw.mail at gmail com.	2012-06-30 08:33:53 +10:00
Damien Miller	ea8582931f	- dtucker@cvs.openbsd.org 2012/06/22 14:36:33 [sftp.c] Remove unused variable leftover from tab-completion changes. From Steve.McClellan at radisys com, ok markus@	2012-06-30 08:33:32 +10:00
Damien Miller	5f58a87768	- dtucker@cvs.openbsd.org 2012/06/22 12:30:26 [monitor.c sshconnect2.c] remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@	2012-06-30 08:33:17 +10:00
Damien Miller	97f43bbfc9	- dtucker@cvs.openbsd.org 2012/06/21 00:16:07 [addrmatch.c] fix strlcpy truncation check. from carsten at debian org, ok markus	2012-06-30 08:32:29 +10:00
Darren Tucker	8908da7dce	- (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022 : prevent null pointer deref in the client when built with LDNS and using DNSSEC with a CNAME. Patch from gregdlg+mr at hochet info.	2012-06-28 15:21:32 +10:00
Darren Tucker	62dcd63f5e	- (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as can logon as a service. Patch from vinschen at redhat com.	2012-06-22 22:02:42 +10:00
Damien Miller	6c6da33d31	- djm@cvs.openbsd.org 2012/06/20 04:42:58 [clientloop.c serverloop.c] initialise accept() backoff timer to avoid EINVAL from select(2) in rekeying	2012-06-20 22:31:26 +10:00
Damien Miller	f8268503d1	- jmc@cvs.openbsd.org 2012/06/19 21:35:54 [sshd_config.5] tweak previous; ok markus	2012-06-20 21:54:15 +10:00
Damien Miller	c24da77015	- markus@cvs.openbsd.org 2012/06/19 18:25:28 [servconf.c servconf.h sshd_config.5] sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' ok djm@ (back in March)	2012-06-20 21:53:58 +10:00
Damien Miller	36378c6413	- dtucker@cvs.openbsd.org 2012/06/18 12:17:18 [ssh.1] Clarify description of -W. Noted by Steve.McClellan at radisys com, ok jmc	2012-06-20 21:53:25 +10:00
Damien Miller	b9902cf6f6	- dtucker@cvs.openbsd.org 2012/06/18 12:07:07 [ssh.1 sshd.8] Remove mention of 'three' key files since there are now four. From Steve.McClellan at radisys com.	2012-06-20 21:52:58 +10:00
Damien Miller	7192433633	- dtucker@cvs.openbsd.org 2012/06/18 11:49:58 [ssh_config.5] RSA instead of DSA twice. From Steve.McClellan at radisys com	2012-06-20 21:52:38 +10:00
Damien Miller	276dcfd7f7	- dtucker@cvs.openbsd.org 2012/06/18 11:43:53 [jpake.c] correct sizeof usage. patch from saw at online.de, ok deraadt	2012-06-20 21:52:18 +10:00
Damien Miller	2e7decfcc0	- djm@cvs.openbsd.org 2012/06/01 01:01:22 [mux.c] fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg AT googlemail.com	2012-06-20 21:52:00 +10:00
Damien Miller	7f12157c0a	- djm@cvs.openbsd.org 2012/06/01 00:49:35 [PROTOCOL.mux] correct types of port numbers (integers, not strings); bz#2004 from bert.wesarg AT googlemail.com	2012-06-20 21:51:29 +10:00
Damien Miller	3bde12aeef	- djm@cvs.openbsd.org 2012/05/23 03:28:28 [dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@	2012-06-20 21:51:11 +10:00
Damien Miller	ac58ce86e6	- djm@cvs.openbsd.org 2012/01/07 21:11:36 [mux.c] fix double-free in new session handler NB. Id sync only	2012-06-20 21:50:47 +10:00
Damien Miller	140df63e1f	- djm@cvs.openbsd.org 2011/12/04 23:16:12 [mux.c] revert: > revision 1.32 > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 > fix bz#1948: ssh -f doesn't fork for multiplexed connection. > ok dtucker@ it interacts badly with ControlPersist	2012-06-20 21:46:57 +10:00
Damien Miller	efc6fc995d	- djm@cvs.openbsd.org 2011/12/02 00:41:56 [mux.c] fix bz#1948: ssh -f doesn't fork for multiplexed connection. ok dtucker@	2012-06-20 21:44:56 +10:00
Darren Tucker	ba9ea3200d	- dtucker@cvs.openbsd.org 2012/05/19 06:30:30 [sshd_config.5] Document PermitOpen none. bz#2001, patch from Loganaden Velvindron	2012-05-19 19:37:33 +10:00
Darren Tucker	fbcf827559	- (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.	2012-05-19 19:37:01 +10:00
Darren Tucker	593538911a	- (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find pkg-config so it does the right thing when cross-compiling. Patch from cjwatson at debian org.	2012-05-19 15:24:37 +10:00
Darren Tucker	d0494fdb29	- (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch from cjwatson at debian org.	2012-05-19 14:25:39 +10:00
Darren Tucker	e1a3ddf992	- (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h> to fix building on some plaforms. Fom bowman at math utah edu and des at des no.	2012-05-04 11:05:45 +10:00
Darren Tucker	d0d3fff483	- (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 platform rather than exiting early, so that we still clean up and return status to test-exec.sh	2012-04-27 10:55:39 +10:00
Damien Miller	025bfd11d9	- (djm) [auth-krb5.c] Save errno across calls that might modify it; ok dtucker@	2012-04-26 09:52:15 +10:00
Damien Miller	7584cb1ac4	- (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters via Niels	2012-04-26 09:51:26 +10:00
Damien Miller	ba77e1f673	- djm@cvs.openbsd.org 2012/04/23 08:18:17 [channels.c] fix function proto/source mismatch	2012-04-23 18:21:05 +10:00
Damien Miller	70b2d5550b	- jmc@cvs.openbsd.org 2012/04/20 16:26:22 [ssh.1] use "brackets" instead of "braces", for consistency;	2012-04-22 11:26:10 +10:00
Damien Miller	4922315d1d	- djm@cvs.openbsd.org 2012/04/20 03:24:23 [sftp.c] setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)	2012-04-22 11:25:47 +10:00
Damien Miller	8fef9ebbab	- djm@cvs.openbsd.org 2012/04/12 02:43:55 [sshd_config sshd_config.5] mention AuthorizedPrincipalsFile=none default	2012-04-22 11:25:10 +10:00
Damien Miller	23528816dc	- djm@cvs.openbsd.org 2012/04/12 02:42:32 [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@	2012-04-22 11:24:43 +10:00
Damien Miller	839f743464	- djm@cvs.openbsd.org 2012/04/11 13:34:17 [ssh-keyscan.1 ssh-keyscan.c] now that sshd defaults to offering ECDSA keys, ssh-keyscan should also look for them by default; bz#1971	2012-04-22 11:24:21 +10:00
Damien Miller	a116d13c4d	- djm@cvs.openbsd.org 2012/04/11 13:26:40 [sshd.c] don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a while; ok deraadt@ markus@	2012-04-22 11:23:46 +10:00
Damien Miller	9fed161e67	- djm@cvs.openbsd.org 2012/04/11 13:17:54 [auth.c] Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.	2012-04-22 11:21:43 +10:00
Damien Miller	a6508753db	- djm@cvs.openbsd.org 2012/04/11 13:16:19 [channels.c channels.h clientloop.c serverloop.c] don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a while; ok deraadt@ markus@	2012-04-22 11:21:10 +10:00
Damien Miller	c6081482b2	- dtucker@cvs.openbsd.org 2012/03/29 23:54:36 [channels.c channels.h servconf.c] Add PermitOpen none option based on patch from Loganaden Velvindron (bz #1949). ok djm@	2012-04-22 11:18:53 +10:00
Damien Miller	48348fc3b4	- djm@cvs.openbsd.org 2012/03/28 07:23:22 [PROTOCOL.certkeys] explain certificate extensions/crit split rationale. Mention requirement that each appear at most once per cert.	2012-04-22 11:08:30 +10:00
Damien Miller	29cd188887	- guenther@cvs.openbsd.org 2012/03/15 03:10:27 [session.c] root should always be excluded from the test for /etc/nologin instead of having it always enforced even when marked as ignorenologin. This regressed when the logic was incompletely flipped around in rev 1.251 ok halex@ millert@	2012-04-22 11:08:10 +10:00
Damien Miller	a563cced06	- djm@cvs.openbsd.org 2012/02/29 11:21:26 [ssh-keygen.c] allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@	2012-04-22 11:07:28 +10:00
Damien Miller	d5dacb43fa	- (djm) Release openssh-6.0	2012-04-20 15:01:01 +10:00
Damien Miller	bf2304167b	- (djm) [README] Update URL to release notes.	2012-04-20 14:11:04 +10:00
Damien Miller	8beb320390	- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update for release 6.0	2012-04-20 10:58:34 +10:00
Damien Miller	398c0ffe0e	- (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil contains openpty() but not login()	2012-04-19 21:46:35 +10:00
Damien Miller	e0956e3834	- (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox mode for Linux's new seccomp filter; patch from Will Drewry; feedback and ok dtucker@	2012-04-04 11:27:54 +10:00
Damien Miller	ce1ec9d4e2	- (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect assumptions when building on Cygwin; patch from Corinna Vinschen	2012-03-30 14:07:05 +11:00
Damien Miller	4d55734c16	- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running openssh binaries on a newer fix release than they were compiled on. with and ok dtucker@	2012-03-30 11:34:27 +11:00
Darren Tucker	67ccc86506	- (dtucker) [contrib/redhat/openssh.spec] Bug #1992 : remove now-gone WARNING file from spec file. From crighter at nuclioss com.	2012-03-30 10:19:56 +11:00
Damien Miller	54c38d24c6	- (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections. ok dtucker@	2012-03-09 10:28:07 +11:00
Damien Miller	7bf7b889b3	- (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux systems where sshd is run in te wrong context. Patch from Sven Vermeulen; ok dtucker@	2012-03-09 10:25:16 +11:00
Darren Tucker	93a2d41505	- (dtucker) [audit-bsm.c configure.ac] bug #1968 : enable workarounds for BSM audit breakage in Solaris 11. Patch from Magnus Johansson.	2012-02-24 10:40:41 +11:00
Tim Rice	a3f297de91	- (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote to work. Spotted by Angel Gonzalez	2012-02-14 23:01:42 -08:00
Tim Rice	f79b5d38a1	- (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so it actually works.	2012-02-14 20:13:05 -08:00
Tim Rice	e3609c935c	- (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c ok dtucker@	2012-02-14 10:03:30 -08:00
Damien Miller	7b7901c330	- (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of preserved Cygwin environment variables; from Corinna Vinschen	2012-02-14 06:38:36 +11:00
Damien Miller	db854559be	- markus@cvs.openbsd.org 2012/02/09 20:00:18 [version.h] move from 6.0-beta to 6.0	2012-02-11 08:19:44 +11:00
Damien Miller	72de982def	- markus@cvs.openbsd.org 2012/01/25 19:40:09 [packet.c packet.h] packet_read_poll() is not used anymore.	2012-02-11 08:19:21 +11:00
Damien Miller	5d0077008f	- markus@cvs.openbsd.org 2012/01/25 19:36:31 [authfile.c] memleak in key_load_file(); from Jan Klemkow	2012-02-11 08:19:02 +11:00
Damien Miller	1de2cfe9a9	- markus@cvs.openbsd.org 2012/01/25 19:26:43 [packet.c] do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@	2012-02-11 08:18:43 +11:00
Damien Miller	8d60be5487	- dtucker@cvs.openbsd.org 2012/01/18 21:46:43 [clientloop.c] Ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. Report from r00t_ati at ihteam.net, ok markus.	2012-02-11 08:18:17 +11:00
Damien Miller	fb12c6d8bb	- miod@cvs.openbsd.org 2012/01/16 20:34:09 [ssh-pkcs11-client.c] Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow. While there, be sure to buffer_clear() between send_msg() and recv_msg(). ok markus@	2012-02-11 08:17:52 +11:00
Damien Miller	83ba8e6056	- miod@cvs.openbsd.org 2012/01/08 13:17:11 [ssh-ecdsa.c] Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron, ok markus@	2012-02-11 08:17:27 +11:00
Damien Miller	2ec0342ed4	- djm@cvs.openbsd.org 2012/01/07 21:11:36 [mux.c] fix double-free in new session handler	2012-02-11 08:16:28 +11:00
Damien Miller	a2876db5e6	- djm@cvs.openbsd.org 2012/01/05 00:16:56 [monitor.c] memleak on error path	2012-02-11 08:16:06 +11:00
Damien Miller	b56e4930ae	- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms that don't support ECC. Patch from Phil Oleson	2012-02-06 07:41:27 +11:00
Darren Tucker	e9b3ad73ba	- (dtucker) [configure.ac mac.c openbsd-compat/openssl-compat.h] Add null implementation of HMAC_CTX_init for the benefit of old versions of OpenSSL that don't have it.	2012-01-17 14:03:34 +11:00
Damien Miller	8ed4de8f1d	- djm@cvs.openbsd.org 2011/12/07 05:44:38 [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c] fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@	2011-12-19 10:52:50 +11:00
Damien Miller	913ddff40d	- djm@cvs.openbsd.org 2011/12/04 23:16:12 [mux.c] revert: > revision 1.32 > date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1 > fix bz#1948: ssh -f doesn't fork for multiplexed connection. > ok dtucker@ it interacts badly with ControlPersist	2011-12-19 10:52:21 +11:00
Damien Miller	d0e582c6da	- djm@cvs.openbsd.org 2011/12/02 00:43:57 [mac.c] fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before HMAC_init (this change in policy seems insane to me) ok dtucker@	2011-12-19 10:51:39 +11:00
Damien Miller	5360dff2a0	- djm@cvs.openbsd.org 2011/12/02 00:41:56 [mux.c] fix bz#1948: ssh -f doesn't fork for multiplexed connection. ok dtucker@	2011-12-19 10:51:11 +11:00
Damien Miller	47d8115e53	- oga@cvs.openbsd.org 2011/11/16 12:24:28 [sftp.c] Don't leak list in complete_cmd_parse if there are no commands found. Discovered when I was ``borrowing'' this code for something else. ok djm@	2011-11-25 13:53:48 +11:00
Darren Tucker	4a725ef6a5	- (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@	2011-11-21 16:38:48 +11:00
Darren Tucker	aa3cbd1b5b	- (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c] bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr) with some rework from myself and djm. ok djm.	2011-11-04 11:25:24 +11:00
Darren Tucker	be4032ba1e	- dtucker@cvs.openbsd.org 011/11/04 00:09:39 [moduli] regenerated moduli file; ok deraadt	2011-11-04 11:16:06 +11:00
Darren Tucker	9c5d553d58	- djm@cvs.openbsd.org 2011/10/24 02:13:13 [session.c] bz#1859: send tty break to pty master instead of (probably already closed) slave side; "looks good" markus@	2011-11-04 10:55:24 +11:00
Darren Tucker	2d6665d944	- djm@cvs.openbsd.org 2011/10/24 02:10:46 [ssh.c] bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh was incorrectly requesting the forward in both the control master and slave. skip requesting it in the master to fix. ok markus@	2011-11-04 10:54:22 +11:00
Darren Tucker	8a057953d2	- djm@cvs.openbsd.org 2011/10/19 10:39:48 [umac.c] typo in comment; patch from Michael W. Bombardieri	2011-11-04 10:53:31 +11:00
Darren Tucker	9ee09cfce6	- djm@cvs.openbsd.org 2011/10/19 00:06:10 [moduli.c] s/tmpfile/tmp/ to make this -Wshadow clean	2011-11-04 10:52:43 +11:00
Darren Tucker	e68cf84ac8	- djm@cvs.openbsd.org 2011/10/18 23:37:42 [ssh-add.c] add -k to usage(); reminded by jmc@	2011-11-04 10:51:51 +11:00
Darren Tucker	45c66d7ad4	- djm@cvs.openbsd.org 2011/10/18 05:15:28 [ssh.c] ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@	2011-11-04 10:50:40 +11:00
Darren Tucker	9f157abbb6	- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file fails. Patch from Corinna Vinschen.	2011-10-25 09:37:57 +11:00
Damien Miller	8f4279e4ab	- djm@cvs.openbsd.org 2011/10/18 05:00:48 [ssh-add.1 ssh-add.c] new "ssh-add -k" option to load plain keys (skipping certificates); "looks ok" markus@	2011-10-18 16:06:33 +11:00
Damien Miller	c51a5ab2c6	- djm@cvs.openbsd.org 2011/10/18 04:58:26 [auth-options.c key.c] remove explict search for \0 in packet strings, this job is now done implicitly by buffer_get_cstring; ok markus	2011-10-18 16:06:14 +11:00
Damien Miller	91f3eaec88	- stsp@cvs.openbsd.org 2011/10/16 15:51:39 [moduli.c] add missing includes to unbreak tree; fix from rpointel	2011-10-18 16:05:55 +11:00
Damien Miller	927d82bc6a	- jmc@cvs.openbsd.org 2011/10/16 15:02:41 [ssh-keygen.c] put -K in the right place (usage());	2011-10-18 16:05:38 +11:00
Damien Miller	390d0561fc	- dtucker@cvs.openbsd.org 2011/10/16 11:02:46 [moduli.c ssh-keygen.1 ssh-keygen.c] Add optional checkpoints for moduli screening. feedback & ok deraadt	2011-10-18 16:05:19 +11:00
Damien Miller	d3e6990c4c	- djm@cvs.openbsd.org 2011/10/04 14:17:32 [sftp-glob.c] silence error spam for "ls */foo" in directory with files; bz#1683	2011-10-18 16:04:57 +11:00
Darren Tucker	2e13560ff5	- djm@cvs.openbsd.org 2011/09/30 21:22:49 [sshd.c] fix inverted test that caused logspam; spotted by henning@	2011-10-02 19:10:13 +11:00
Darren Tucker	95125e5f43	ChangeLog entry for sshd.c rev 1.409	2011-10-02 19:09:07 +11:00
Darren Tucker	af1a60ec4f	- djm@cvs.openbsd.org 2011/09/25 05:44:47 [auth2-pubkey.c] improve the AuthorizedPrincipalsFile debug log message to include file and line number	2011-10-02 18:59:59 +11:00
Darren Tucker	68afb8c5f2	- markus@cvs.openbsd.org 2011/09/23 07:45:05 [mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h] unbreak remote portforwarding with dynamic allocated listen ports: 1) send the actual listen port in the open message (instead of 0). this allows multiple forwardings with a dynamic listen port 2) update the matching permit-open entry, so we can identify where to connect to report: den at skbkontur.ru and P. Szczygielski feedback and ok djm@	2011-10-02 18:59:03 +11:00
Darren Tucker	1338b9e067	- dtucker@cvs.openbsd.org 2011/09/23 00:22:04 [channels.c auth-options.c servconf.c channels.h sshd.8] Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857, ok djm markus.	2011-10-02 18:57:35 +11:00
Darren Tucker	036876cd7d	- (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm	2011-10-01 18:46:12 +10:00
Darren Tucker	b54f50e5d0	- (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strnlen.c] Add strnlen to the compat library.	2011-09-29 23:17:18 +10:00
Damien Miller	5ffe1c4b43	- (djm) [configure.ac defines.h] No need to detect sizeof(char); patch from des AT des.no	2011-09-29 11:11:51 +10:00
Damien Miller	d1a74580f8	- (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion of static __findenv() function from upstream setenv.c	2011-09-23 11:26:34 +10:00
Damien Miller	3e6fe87ef9	- otto@cvs.openbsd.org 2008/12/09 19:38:38 [openbsd-compat/inet_ntop.c] fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon	2011-09-23 11:16:09 +10:00
Damien Miller	64efe9671d	- (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid marker. The upstream API has changed (function and structure names) enough to put it out of sync with other providers of this interface.	2011-09-23 11:13:00 +10:00
Damien Miller	4888671343	- (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version. The file was totally rewritten between what we had in tree and -current.	2011-09-23 10:56:29 +10:00
Damien Miller	3a359b3228	- millert@cvs.openbsd.org 2008/08/21 16:54:44 [mktemp.c] Remove useless code, the kernel will set errno appropriately if an element in the path does not exist. OK deraadt@ pvalchev@	2011-09-23 10:47:29 +10:00
Damien Miller	dc0e09b41c	- deraadt@cvs.openbsd.org 2008/07/22 21:47:45 [mktemp.c] use arc4random_uniform(); ok djm millert	2011-09-23 10:46:48 +10:00
Damien Miller	cd92790fcb	- (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the upstream version is YPified and we don't want this	2011-09-23 10:44:03 +10:00
Damien Miller	834e820317	- tobias@cvs.openbsd.org 2007/10/21 11:09:30 [mktemp.c] Comment fix about time consumption of _gettemp. FreeBSD did this in revision 1.20. OK deraadt@, krw@	2011-09-23 10:42:02 +10:00
Damien Miller	acdf3fbdba	- (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no longer want to sync this file (OpenBSD uses a __getcwd syscall now, we want this longhand version)	2011-09-23 10:40:50 +10:00
Damien Miller	add1e20802	- millert@cvs.openbsd.org 2006/05/05 15:27:38 [strlcpy.c] Convert do {} while loop -> while {} for clarity. No binary change on most architectures. From Oliver Smith. OK deraadt@ and henning@	2011-09-23 10:38:01 +10:00
Damien Miller	d7be70d052	- djm@cvs.openbsd.org 2011/09/22 06:29:03 [sftp.c] don't let remote_glob() implicitly sort its results in do_globbed_ls() - in all likelihood, they will be resorted anyway	2011-09-22 21:43:06 +10:00
Damien Miller	57c38ac7d5	- markus@cvs.openbsd.org 2011/09/12 08:46:15 [sftp-client.c] fix leak in do_lsreaddir(); ok djm	2011-09-22 21:42:45 +10:00
Damien Miller	3decdba425	- markus@cvs.openbsd.org 2011/09/11 16:07:26 [sftp-client.c] fix leaks in do_hardlink() and do_readlink(); bz#1921 from Loganaden Velvindron	2011-09-22 21:41:05 +10:00
Damien Miller	1bcbd0a9de	- okan@cvs.openbsd.org 2011/09/11 06:59:05 [ssh.1] document new -O cancel command; ok djm@	2011-09-22 21:40:45 +10:00
Damien Miller	ff773644e6	- markus@cvs.openbsd.org 2011/09/10 22:26:34 [channels.c channels.h clientloop.c ssh.1] support cancellation of local/dynamic forwardings from ~C commandline; ok & feedback djm@	2011-09-22 21:39:48 +10:00
Damien Miller	f6dff7cd2f	- djm@cvs.openbsd.org 2011/09/09 22:46:44 [channels.c channels.h clientloop.h mux.c ssh.c] support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings; ok markus@	2011-09-22 21:38:52 +10:00
Damien Miller	9ee2c606c1	- djm@cvs.openbsd.org 2011/09/09 22:38:21 [sshd.c] kill the preauth privsep child on fatal errors in the monitor; ok markus@	2011-09-22 21:38:30 +10:00
Damien Miller	0603d98b4e	- djm@cvs.openbsd.org 2011/09/09 22:37:01 [scp.c] suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms; feedback & ok dtucker ok markus	2011-09-22 21:38:00 +10:00
Damien Miller	4cb855b070	- djm@cvs.openbsd.org 2011/09/09 00:44:07 [PROTOCOL.mux] MUX_C_CLOSE_FWD includes forward type in message (though it isn't implemented anyway)	2011-09-22 21:37:38 +10:00
Damien Miller	f6e758cdba	- djm@cvs.openbsd.org 2011/09/09 00:43:00 [ssh_config.5 sshd_config.5] fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk	2011-09-22 21:37:13 +10:00
Damien Miller	6232a16a9a	- deraadt@cvs.openbsd.org 2011/09/07 02:18:31 [ssh-keygen.1] typo (they vs the) found by Lawrence Teo	2011-09-22 21:36:00 +10:00
Damien Miller	e029673f1f	- jmc@cvs.openbsd.org 2011/09/05 07:01:44 [scp.1] knock out a useless Ns;	2011-09-22 21:34:56 +10:00
Damien Miller	2918e030fc	- djm@cvs.openbsd.org 2011/09/05 05:59:08 [misc.c] fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk	2011-09-22 21:34:35 +10:00
Damien Miller	e577772a89	- djm@cvs.openbsd.org 2011/09/05 05:56:13 [scp.1 sftp.1] mention ControlPersist and KbdInteractiveAuthentication in the -o verbiage in these pages too (prompted by jmc@)	2011-09-22 21:34:15 +10:00
Damien Miller	efad727517	- djm@cvs.openbsd.org 2011/08/26 01:45:15 [ssh.1] Add some missing ssh_config(5) options that can be used in ssh(1)'s -o argument. Patch from duclare AT guu.fi	2011-09-22 21:33:53 +10:00
Damien Miller	e128a50e35	- djm@cvs.openbsd.org 2011/09/22 06:27:29 [glob.c] fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being applied only to the gl_pathv vector and not the corresponding gl_statv array. reported in OpenSSH bz#1935; feedback and okay matthew@	2011-09-22 21:22:21 +10:00
Damien Miller	c4bf7dde92	- stsp@cvs.openbsd.org 2011/09/20 10:18:46 [glob.c] In glob(3), limit recursion during matching attempts. Similar to fnmatch fix. Also collapse consecutive '*' (from NetBSD). ok miod deraadt	2011-09-22 21:21:48 +10:00
Damien Miller	e01a627047	- pyr@cvs.openbsd.org 2011/05/12 07:15:10 [openbsd-compat/glob.c] When the max number of items for a directory has reached GLOB_LIMIT_READDIR an error is returned but closedir() is not called. spotted and fix provided by Frank Denis obsd-tech@pureftpd.org ok otto@, millert@	2011-09-22 21:20:21 +10:00
Darren Tucker	e8a82c5faf	- (dtucker) [entropy.h] Bug #1932 : remove old definition of init_rng. From Colin Watson.	2011-09-09 11:29:40 +10:00
Damien Miller	022ee24197	- (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon	2011-09-07 09:15:02 +10:00
Damien Miller	fb9d8173f0	- (djm) [README version.h] Correct version	2011-09-07 09:11:53 +10:00
Damien Miller	8e4a71e952	- (djm) Release OpenSSH-5.9	2011-09-05 15:39:20 +10:00
Damien Miller	86dcd3e45a	- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers.	2011-09-05 10:29:04 +10:00
Darren Tucker	0dd24e02ec	- (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929 : add null implementations ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.	2011-09-04 19:59:26 +10:00
Damien Miller	6efd94f32e	- (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal regress errors for the sandbox to warnings. ok tim dtucker	2011-09-04 19:04:16 +10:00
Damien Miller	58ac11a2bd	- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting to switch SELinux context away from unconfined_t, based on patch from Jan Chadima; bz#1919 ok dtucker@	2011-08-29 16:09:52 +10:00
Darren Tucker	4438354870	- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.	2011-08-28 04:50:16 +10:00
Tim Rice	a6e60616be	- (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze	2011-08-17 21:48:22 -07:00
Damien Miller	2df1bec086	- (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 MAC tests for platforms that hack EVP_SHA2 support	2011-08-17 12:25:46 +10:00
Damien Miller	062fa30532	- djm@cvs.openbsd.org 2011/08/02 01:23:41 [regress/cipher-speed.sh regress/try-ciphers.sh] add SHA256/SHA512 based HMAC modes	2011-08-17 12:10:02 +10:00
Damien Miller	faf4d80420	- markus@cvs.openbsd.org 2011/06/30 22:44:43 [connect-privsep.sh] test with sandbox enabled; ok djm@	2011-08-17 12:09:19 +10:00
Damien Miller	9231c8bde4	- dtucker@cvs.openbsd.org 2011/06/03 05:35:10 [regress/cfgmatch.sh] use OBJ to find test configs, patch from Tim Rice	2011-08-17 12:08:15 +10:00
Damien Miller	44a6c9340a	- (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by bisson AT archlinux.org	2011-08-17 12:01:44 +10:00
Damien Miller	1a91c0f163	- (djm) [configure.ac] error out if the host lacks the necessary bits for an explicitly requested sandbox type	2011-08-17 11:59:25 +10:00
Damien Miller	9c08312968	- (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen	2011-08-17 11:31:07 +10:00
Tim Rice	a1226828ad	- (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for OpenSSL 0.9.7. ok djm	2011-08-16 17:29:01 -07:00
Damien Miller	d1eb1dd5ed	- (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the identify file contained whitespace. bz#1828 patch from gwenael.lambrouin AT gmail.com; ok dtucker@	2011-08-12 11:22:47 +10:00
Damien Miller	2db9977c06	- (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] [contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES init scrips from imorgan AT nas.nasa.gov	2011-08-12 11:02:35 +10:00
Darren Tucker	4d47ec9c89	- (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context change error by reporting old and new context names Patch from jchadima at redhat.	2011-08-12 10:12:53 +10:00
Darren Tucker	ddccfb4b98	- dtucker@cvs.openbsd.org 2011/08/07 12:55:30 [sftp.1] typo, fix from Laurent Gautrot	2011-08-07 23:12:26 +10:00
Darren Tucker	91e6b57729	- jmc@cvs.openbsd.org 2010/10/14 20:41:28 [moduli.5] probabalistic -> probabilistic; from naddy	2011-08-07 23:10:56 +10:00
Darren Tucker	f279474f1b	- sobrado@cvs.openbsd.org 2009/10/28 08:56:54 [moduli.5] "Diffie-Hellman" is the usual spelling for the cryptographic protocol first published by Whitfield Diffie and Martin Hellman in 1976. ok jmc@	2011-08-07 23:10:11 +10:00
Darren Tucker	578451ddda	- (dtucker) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2008/06/26 06:59:39 [moduli.5] tweak previous;	2011-08-07 23:09:20 +10:00
Damien Miller	765f8c4eff	- djm@cvs.openbsd.org 2011/08/02 23:15:03 [ssh.c] typo in comment	2011-08-06 06:18:16 +10:00
Damien Miller	c471860d25	- djm@cvs.openbsd.org 2011/08/02 23:13:01 [version.h] crank now, release later	2011-08-06 06:17:48 +10:00
Damien Miller	20bd4535c0	- djm@cvs.openbsd.org 2011/08/02 01:22:11 [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt Patch from mdb AT juniper.net; feedback and ok markus@	2011-08-06 06:17:30 +10:00
Damien Miller	adb467fb69	- markus@cvs.openbsd.org 2011/08/01 19:18:15 [gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@	2011-08-06 06:16:46 +10:00
Damien Miller	35e48198a8	- djm@cvs.openbsd.org 2011/07/29 14:42:45 [sandbox-systrace.c] fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@	2011-08-06 06:16:23 +10:00
Damien Miller	6ea5e44871	- tedu@cvs.openbsd.org 2011/07/06 18:09:21 [authfd.c] bzero the agent address. the kernel was for a while very cranky about these things. evne though that's fixed, always good to initialize memory. ok deraadt djm	2011-08-06 06:16:00 +10:00
Damien Miller	7741ce8bd2	- djm@cvs.openbsd.org 2011/06/23 23:35:42 [monitor.c] ignore EINTR errors from poll()	2011-08-06 06:15:15 +10:00
Damien Miller	cd5e52ee78	- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing markus@	2011-06-27 07:18:18 +10:00
Damien Miller	dcbd41e7af	- djm@cvs.openbsd.org 2011/06/23 09:34:13 [sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c] [sandbox-null.c] rename sandbox.h => ssh-sandbox.h to make things easier for portable	2011-06-23 19:45:51 +10:00
Damien Miller	80b62e3738	- (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support setrlimit(2)	2011-06-23 19:03:18 +10:00
Damien Miller	6d7b4377dd	- djm@cvs.openbsd.org 2011/06/22 22:08:42 [channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] hook up a channel confirm callback to warn the user then requested X11 forwarding was refused by the server; ok markus@	2011-06-23 08:31:57 +10:00
Damien Miller	69ff1df952	- djm@cvs.openbsd.org 2011/06/22 21:57:01 [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@	2011-06-23 08:30:03 +10:00
Damien Miller	82c558761d	- OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/06/22 21:47:28 [servconf.c] reuse the multistate option arrays to pretty-print options for "sshd -T"	2011-06-23 08:20:30 +10:00
Damien Miller	4ac99c366c	- djm@cvs.openbsd.org 2011/06/17 21:57:25 [clientloop.c] setproctitle for a mux master that has been gracefully stopped; bz#1911 from Bert.Wesarg AT googlemail.com	2011-06-20 14:43:31 +10:00
Damien Miller	33322127ec	- djm@cvs.openbsd.org 2011/06/17 21:47:35 [servconf.c] factor out multi-choice option parsing into a parse_multistate label and some support structures; ok dtucker@	2011-06-20 14:43:11 +10:00
Damien Miller	f145a5be1c	- djm@cvs.openbsd.org 2011/06/17 21:46:16 [sftp-server.c] the protocol version should be unsigned; bz#1913 reported by mb AT smartftp.com	2011-06-20 14:42:51 +10:00
Damien Miller	8f0bf237d4	- djm@cvs.openbsd.org 2011/06/17 21:44:31 [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c] make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@	2011-06-20 14:42:23 +10:00
Damien Miller	e7ac2bd42a	- markus@cvs.openbsd.org 2011/06/14 22:49:18 [authfile.c] make sure key_parse_public/private_rsa1() no longer consumes its input buffer. fixes ssh-add for passphrase-protected ssh1-keys; noted by naddy@; ok djm@	2011-06-20 14:23:25 +10:00
Damien Miller	6029e076b2	- djm@cvs.openbsd.org 2011/06/04 00:10:26 [ssh_config.5] explain IdentifyFile's semantics a little better, prompted by bz#1898 ok dtucker jmc	2011-06-20 14:22:49 +10:00
Tim Rice	bc481570d1	- (tim) [regress/cfgmatch.sh] Build/test out of tree fix.	2011-06-02 22:26:19 -07:00
Darren Tucker	bf4d05a37c	- dtucker@cvs.openbsd.org 2011/06/03 00:29:52 [regress/dynamic-forward.sh] Retry establishing the port forwarding after a small delay, should make the tests less flaky when the previous test is slow to shut down and free up the port.	2011-06-03 14:19:02 +10:00
Darren Tucker	75e035c34e	- dtucker@cvs.openbsd.org 2011/05/31 02:03:34 [regress/dynamic-forward.sh] work around startup and teardown races; caught by deraadt	2011-06-03 14:18:17 +10:00
Darren Tucker	260c8fbc4d	- dtucker@cvs.openbsd.org 2011/05/31 02:01:58 [regress/dynamic-forward.sh] back out revs 1.6 and 1.5 since it's not reliable	2011-06-03 14:17:27 +10:00
Darren Tucker	3e78a516a0	- dtucker@cvs.openbsd.org 2011/06/03 01:37:40 [ssh-agent.c] Check current parent process ID against saved one to determine if the parent has exited, rather than attempting to send a zero signal, since the latter won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn Gillmor, ok djm@	2011-06-03 14:14:16 +10:00
Damien Miller	c09182f613	- (djm) [configure.ac] enable setproctitle emulation for OS X	2011-06-03 12:11:38 +10:00
Damien Miller	ea2c1a4dc6	- djm@cvs.openbsd.org 2011/06/03 00:54:38 [ssh.c] bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg AT googlemail.com; ok dtucker@ NB. includes additional portability code to enable setproctitle emulation on platforms that don't support it.	2011-06-03 12:10:22 +10:00
Darren Tucker	c3c7227ccc	add missing changelog entry	2011-06-03 11:20:06 +10:00
Tim Rice	90f42b0705	- (tim) [configure.ac defines.h] Run test program to detect system mail directory. Add --with-maildir option to override. Fixed OpenServer 6 getting it wrong. Fixed many systems having MAIL=/var/mail//username ok dtucker	2011-06-02 18:17:49 -07:00
Darren Tucker	c412c1567b	- (dtucker) [README version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version bumps from the 5.8p2 branch into HEAD. ok djm.	2011-06-03 10:35:23 +10:00
Damien Miller	8cb3587336	- djm@cvs.openbsd.org 2011/05/23 03:31:31 [regress/cfgmatch.sh] include testing of multiple/overridden AuthorizedKeysFiles refactor to simply daemon start/stop and get rid of racy constructs	2011-05-29 21:59:10 +10:00
Damien Miller	295ee63ab2	- djm@cvs.openbsd.org 2011/05/24 07:15:47 [readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] Remove undocumented legacy options UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus	2011-05-29 21:42:31 +10:00
Damien Miller	04bb56ef10	- djm@cvs.openbsd.org 2011/05/23 07:24:57 [authfile.c] read in key comments for v.2 keys (though note that these are not passed over the agent protocol); bz#439, based on patch from binder AT arago.de; ok markus@	2011-05-29 21:42:08 +10:00
Damien Miller	b9132fc427	- jmc@cvs.openbsd.org 2011/05/23 07:10:21 [sshd.8 sshd_config.5] tweak previous; ok djm	2011-05-29 21:41:40 +10:00
Damien Miller	201f425d29	- djm@cvs.openbsd.org 2011/05/23 03:52:55 [sshconnect.c] remove extra newline	2011-05-29 21:41:03 +10:00
Damien Miller	1dd66e5f74	- djm@cvs.openbsd.org 2011/05/23 03:33:38 [auth.c] make secure_filename() spam debug logs less	2011-05-29 21:40:42 +10:00
Damien Miller	d8478b6a9b	OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@	2011-05-29 21:39:36 +10:00
Damien Miller	acacced70b	- dtucker@cvs.openbsd.org 2011/05/20 06:32:30 [dynamic-forward.sh] fix dumb error in dynamic-forward test	2011-05-20 19:08:40 +10:00
Damien Miller	7b9451f382	- dtucker@cvs.openbsd.org 2011/05/20 05:19:50 [dynamic-forward.sh] Prevent races in dynamic forwarding test; ok djm	2011-05-20 19:08:11 +10:00
Damien Miller	3045b45a03	- djm@cvs.openbsd.org 2011/05/20 02:43:36 [cert-hostkey.sh] another attempt to generate a v00 ECDSA key that broke the test ID sync only - portable already had this somehow	2011-05-20 19:07:45 +10:00
Damien Miller	f67188fe13	- djm@cvs.openbsd.org 2011/05/17 07:13:31 [regress/cert-userkey.sh] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :)	2011-05-20 19:06:48 +10:00
Damien Miller	f2e407e2dd	- djm@cvs.openbsd.org 2011/05/20 03:25:45 [monitor.c monitor_wrap.c servconf.c servconf.h] use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@	2011-05-20 19:04:14 +10:00
Damien Miller	c2411909c7	- dtucker@cvs.openbsd.org 2011/05/20 02:00:19 [servconf.c] Add comment documenting what should be after the preauth check. ok djm	2011-05-20 19:03:49 +10:00
Damien Miller	5d74e58e62	- djm@cvs.openbsd.org 2011/05/20 00:55:02 [servconf.c] the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile and AuthorizedPrincipalsFile were not being correctly applied in Match blocks, despite being overridable there; ok dtucker@	2011-05-20 19:03:31 +10:00
Damien Miller	8f639fe722	- djm@cvs.openbsd.org 2011/05/17 07:13:31 [key.c] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :)	2011-05-20 19:03:08 +10:00
Damien Miller	814ace0875	- OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/05/15 08:09:01 [authfd.c monitor.c serverloop.c] use FD_CLOEXEC consistently; patch from zion AT x96.org	2011-05-20 19:02:47 +10:00
Damien Miller	ec2eaa3daf	- (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2	2011-05-20 18:57:14 +10:00
Damien Miller	989bb7f0c5	- (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options options, we should corresponding -W-option when trying to determine whether it is accepted. Also includes a warning fix on the program fragment uses (bad main() return type). bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@	2011-05-20 18:56:30 +10:00
Damien Miller	14684a1f84	- (djm) [session.c] call setexeccon() before executing passwd for pw changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@	2011-05-20 11:23:07 +10:00
Damien Miller	23f425b48b	- (djm) [packet.c] unbreak portability #endif	2011-05-15 08:58:15 +10:00
Damien Miller	9d276b8d68	- djm@cvs.openbsd.org 2011/05/13 00:05:36 [authfile.c] warn on unexpected key type in key_parse_private_type()	2011-05-15 08:51:43 +10:00
Damien Miller	7c1b2c4ea8	- djm@cvs.openbsd.org 2011/05/11 04:47:06 [auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@	2011-05-15 08:51:05 +10:00
Damien Miller	3219824f2d	- djm@cvs.openbsd.org 2011/05/10 05:46:46 [authfile.c] despam debug() logs by detecting that we are trying to load a private key in key_try_load_public() and returning early; ok markus@	2011-05-15 08:50:32 +10:00
Damien Miller	555f3b856f	- djm@cvs.openbsd.org 2011/05/08 12:52:01 [PROTOCOL.mux clientloop.c clientloop.h mux.c] improve our behaviour when TTY allocation fails: if we are in RequestTTY=auto mode (the default), then do not treat at TTY allocation error as fatal but rather just restore the local TTY to cooked mode and continue. This is more graceful on devices that never allocate TTYs. If RequestTTY is set to "yes" or "force", then failure to allocate a TTY is fatal. ok markus@	2011-05-15 08:48:05 +10:00
Damien Miller	f4b32aad05	- jmc@cvs.openbsd.org 2011/05/07 23:20:25 [ssh.1] +.It RequestTTY	2011-05-15 08:47:43 +10:00
Damien Miller	486dd2eadb	- jmc@cvs.openbsd.org 2011/05/07 23:19:39 [ssh_config.5] - tweak previous - come consistency fixes ok djm	2011-05-15 08:47:18 +10:00
Damien Miller	c067f62560	- djm@cvs.openbsd.org 2011/05/06 22:20:10 [PROTOCOL.mux] fix numbering; from bert.wesarg AT googlemail.com	2011-05-15 08:46:54 +10:00
Damien Miller	a6bbbe4658	- djm@cvs.openbsd.org 2011/05/06 21:38:58 [ssh.c] fix dropping from previous diff	2011-05-15 08:46:29 +10:00
Damien Miller	21771e22d3	- djm@cvs.openbsd.org 2011/05/06 21:34:32 [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] Add a RequestTTY ssh_config option to allow configuration-based control over tty allocation (like -t/-T); ok markus@	2011-05-15 08:45:50 +10:00
Damien Miller	fe92421772	- djm@cvs.openbsd.org 2011/05/06 21:31:38 [readconf.c ssh_config.5] support negated Host matching, e.g. Host *.example.org !c.example.org User mekmitasdigoat Will match "a.example.org", "b.example.org", but not "c.example.org" ok markus@	2011-05-15 08:44:45 +10:00
Damien Miller	dfc85fa181	- djm@cvs.openbsd.org 2011/05/06 21:18:02 [ssh.c ssh_config.5] add a %L expansion (short-form of the local host name) for ControlPath; sync some more expansions with LocalCommand; ok markus@	2011-05-15 08:44:02 +10:00
Damien Miller	d2ac5d74b4	- djm@cvs.openbsd.org 2011/05/06 21:14:05 [packet.c packet.h] set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@	2011-05-15 08:43:13 +10:00
Damien Miller	78c40c321b	- djm@cvs.openbsd.org 2011/05/06 02:05:41 [sshconnect2.c] fix memory leak; bz#1849 ok dtucker@	2011-05-15 08:36:59 +10:00
Damien Miller	58a77e2eac	- djm@cvs.openbsd.org 2011/05/06 01:09:53 [sftp.1] mention that IPv6 addresses must be enclosed in square brackets; bz#1845	2011-05-15 08:36:29 +10:00
Damien Miller	fd53abd00b	- dtucker@cvs.openbsd.org 2011/05/06 01:03:35 [sshd_config] clarify language about overriding defaults. bz#1892, from Petr Cerny	2011-05-15 08:36:02 +10:00
Damien Miller	60432d8cf2	- djm@cvs.openbsd.org 2011/05/05 05:12:08 [mux.c] gracefully fall back when ControlPath is too large for a sockaddr_un. ok markus@ as part of a larger diff	2011-05-15 08:34:46 +10:00
Darren Tucker	d6548fe4cf	- (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882 : fix --with-ssl-engine which was broken with the change from deprecated SSLeay_add_all_algorithms(). ok djm	2011-05-10 11:13:36 +10:00
Darren Tucker	343f75fa19	- (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875 : add prototype for closefrom() in test code. Report from Dan Wallis via Gentoo.	2011-05-06 10:43:50 +10:00
Tim Rice	9abb697d4f	- (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@	2011-05-04 23:06:59 -07:00
Tim Rice	19d8181b86	- (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE so autoreconf 2.68 is happy.	2011-05-04 21:44:25 -07:00
Damien Miller	2ce12ef1ac	- djm@cvs.openbsd.org 2011/05/04 21:15:29 [authfile.c authfile.h ssh-add.c] allow "ssh-add - < key"; feedback and ok markus@	2011-05-05 14:17:18 +10:00
Damien Miller	8cb1cda1e3	- djm@cvs.openbsd.org 2011/04/18 00:46:05 [ssh-keygen.c] certificate options are supposed to be packed in lexical order of option name (though we don't actually enforce this at present). Move one up that was out of sequence	2011-05-05 14:16:56 +10:00
Damien Miller	6c3eec7ab2	- djm@cvs.openbsd.org 2011/04/17 22:42:42 [PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c] allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests; ok markus@	2011-05-05 14:16:22 +10:00
Damien Miller	ad21032e65	- djm@cvs.openbsd.org 2011/04/13 04:09:37 [ssh-keygen.1] mention valid -b sizes for ECDSA keys; bz#1862	2011-05-05 14:15:54 +10:00
Damien Miller	085c90fa20	- djm@cvs.openbsd.org 2011/04/13 04:02:48 [ssh-keygen.1] improve wording; bz#1861	2011-05-05 14:15:33 +10:00
Damien Miller	26b57ce6c2	- djm@cvs.openbsd.org 2011/04/12 05:32:49 [sshd.c] exit with 0 status on SIGTERM; bz#1879	2011-05-05 14:15:09 +10:00
Damien Miller	884b63a061	- djm@cvs.openbsd.org 2011/04/12 04:23:50 [ssh-keygen.c] fix -Wshadow	2011-05-05 14:14:52 +10:00
Damien Miller	9147586599	- stevesk@cvs.openbsd.org 2011/03/29 18:54:17 [misc.c misc.h servconf.c] print ipqos friendly string for sshd -T; ok markus # sshd -Tf sshd_config\|grep ipqos ipqos lowdelay throughput	2011-05-05 14:14:34 +10:00
Damien Miller	044f4a6cc3	- stevesk@cvs.openbsd.org 2011/03/24 22:14:54 [ssh-keygen.c] use strcasecmp() for "clear" cert permission option also; ok djm	2011-05-05 14:14:08 +10:00
Damien Miller	3ca1eb373f	- jmc@cvs.openbsd.org 2011/03/24 15:29:30 [ssh-keygen.1] zap trailing whitespace;	2011-05-05 14:13:50 +10:00
Damien Miller	111431963e	- stevesk@cvs.openbsd.org 2011/03/23 16:50:04 [ssh-keygen.c] remove -d, documentation removed >10 years ago; ok markus	2011-05-05 14:13:25 +10:00
Damien Miller	4a4d161545	- stevesk@cvs.openbsd.org 2011/03/23 16:24:56 [ssh-keygen.1] -q not used in /etc/rc now so remove statement.	2011-05-05 14:06:39 +10:00
Damien Miller	58f1bafb3d	- stevesk@cvs.openbsd.org 2011/03/23 15:16:22 [ssh-keygen.1 ssh-keygen.c] Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt	2011-05-05 14:06:15 +10:00
Damien Miller	c5219e701e	- okan@cvs.openbsd.org 2011/03/15 10:36:02 [ssh-keyscan.c] use timerclear macro ok djm@	2011-05-05 14:05:12 +10:00
Damien Miller	b2da7d185e	- djm@cvs.openbsd.org 2011/03/10 11:34:25 [auth.h] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock	2011-05-05 14:04:50 +10:00
Damien Miller	3fcdfd55a3	- OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/03/10 02:52:57 [auth2-gss.c auth2.c] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock	2011-05-05 14:04:11 +10:00
Damien Miller	f22019bdbf	- (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.	2011-05-05 13:48:37 +10:00
Damien Miller	68790fedef	- (djm) [defines.h] Move up include of netinet/ip.h for IPTOS definitions.	2011-05-05 11:19:13 +10:00
Damien Miller	db59a3fb22	(whitespace change to test sync to hg)	2011-03-28 15:07:06 +11:00
Darren Tucker	e541aaaf0f	- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the Cygwin-specific service installer script ssh-host-config. The actual functionality is the same, the revisited version is just more exact when it comes to check for problems which disallow to run certain aspects of the script. So, part of this script and the also rearranged service helper script library "csih" is to check if all the tools required to run the script are available on the system. The new script also is more thorough to inform the user why the script failed. Patch from vinschen at redhat com.	2011-02-21 21:41:29 +11:00
Damien Miller	0588beba39	- djm@cvs.openbsd.org 2011/02/16 00:31:14 [ssh-keysign.c] make hostbased auth with ECDSA keys work correctly. Based on patch by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)	2011-02-18 09:18:45 +11:00
Darren Tucker	ea676a6422	- (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key generation and simplify. Patch from Corinna Vinschen.	2011-02-06 13:31:23 +11:00
Darren Tucker	3b9617ecbd	- (dtucker) [openbsd-compat/port-linux.c] Bug #1851 : fix syntax error in selinux code. Patch from Leonardo Chiquitto.	2011-02-06 13:24:35 +11:00
Damien Miller	0d30b092ce	- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] update versions in docs and spec files. - Release OpenSSH 5.8p1	2011-02-04 12:43:36 +11:00
Damien Miller	a69812707d	- djm@cvs.openbsd.org 2011/02/04 00:44:43 [version.h] openssh-5.8	2011-02-04 11:47:20 +11:00
Damien Miller	0a5f0129a3	- djm@cvs.openbsd.org 2011/02/04 00:44:21 [key.c] fix uninitialised nonce variable; reported by Mateusz Kocielski	2011-02-04 11:47:01 +11:00
Damien Miller	b407dd8d05	- djm@cvs.openbsd.org 2011/01/31 21:42:15 [PROTOCOL.mux] cut'n'pasto; from bert.wesarg AT googlemail.com	2011-02-04 11:46:39 +11:00
Damien Miller	d4a5504cb1	- (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled before attempting setfscreatecon(). Check whether matchpathcon() succeeded before using its result. Patch from cjwatson AT debian.org; bz#1851	2011-01-28 10:30:18 +11:00
Tim Rice	648f876566	20110127 - (tim) [configure.ac] Consistent M4 quoting throughout, updated obsolete AC_TRY_COMPILE with AC_COMPILE_IFELSE, updated obsolete AC_TRY_LINK with AC_LINK_IFELSE, updated obsolete AC_TRY_RUN with AC_RUN_IFELSE, misc white space changes for consistency/readability. Makes autoconf 2.68 happy. "Nice work" djm	2011-01-26 12:38:57 -08:00
Tim Rice	d069c48207	20110127 - (tim) [config.guess config.sub] Sync with upstream.	2011-01-26 12:32:12 -08:00
Damien Miller	71adf127e8	- (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to port-linux.c to avoid compilation errors. Add -lselinux to ssh when building with SELinux support to avoid linking failure; report from amk AT spamfence.net; ok dtucker	2011-01-25 12:16:15 +11:00
Damien Miller	6f8f04b860	- (djm) Release 5.7p1	2011-01-22 20:25:11 +11:00
Damien Miller	4a5eb41cee	trim entries older than 5.5p1	2011-01-22 20:24:34 +11:00
Damien Miller	966accc533	- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] update versions in docs and spec files.	2011-01-22 20:23:10 +11:00
Damien Miller	ad4b1adf95	- OpenBSD CVS Sync - djm@cvs.openbsd.org 2011/01/22 09:18:53 [version.h] crank to OpenSSH-5.7	2011-01-22 20:21:33 +11:00
Darren Tucker	79241377df	- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add RSA_get_default_method() for the benefit of openssl versions that don't have it (at least openssl-engine-0.9.6b). Found and tested by Kevin Brott, ok djm@.	2011-01-22 09:37:01 +11:00
Damien Miller	e323ebc250	- (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior to 0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre- release testing (random crashes and failure to load ECC keys). ok dtucker@	2011-01-19 23:12:27 +11:00
Tim Rice	15e1b4dea7	- (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile instead of RPM so build completes. Signatures were changed to .asc since 4.1p1.	2011-01-18 20:47:04 -08:00
Darren Tucker	ea52a82969	- (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem support, based on patches from Tomas Mraz and jchadima at redhat.	2011-01-17 21:15:27 +11:00
Darren Tucker	263d43d2a5	- (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on the tinderbox.	2011-01-17 18:50:22 +11:00
Tim Rice	6dfcd34042	- (tim) [regress/agent-getpeereid.sh] shell portability fix.	2011-01-16 22:53:56 -08:00
Damien Miller	58497780ab	- (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh] [regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are disabled on platforms that do not support them; add a "config_defined()" shell function that greps for defines in config.h and use them to decide on feature tests. Convert a couple of existing grep's over config.h to use the new function Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent backslash characters in filenames, enable it for Cygwin and use it to turn of tests for quotes backslashes in sftp-glob.sh. based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@	2011-01-17 16:17:09 +11:00
Darren Tucker	0c93adc7c1	- (dtucker) [openbsd-compat/port-linux.c] Bug #1838 : Add support for the new Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback to the old values. Feedback from vapier at gentoo org and djm, ok djm.	2011-01-17 11:55:59 +11:00
Damien Miller	1ccbfa88b1	- (djm) [regress/agent-getpeereid.sh] leave stdout attached when running ssh-add to avoid $SUDO failures on Linux	2011-01-17 11:52:40 +11:00
Damien Miller	fd3669eb26	- (djm) [regress/agent-ptrace.sh] Fix false failure on OS X by adding its unique snowflake of a gdb error to the ones we look for.	2011-01-17 11:20:18 +11:00
Damien Miller	369c0e8eef	- (djm) [regress/Makefile] use $TEST_SSH_KEYGEN instead of the one in $PATH, fix cleanup of droppings; reported by openssh AT roumenpetrov.info; ok dtucker@	2011-01-17 10:51:40 +11:00
Damien Miller	cfd6e4f57f	- djm@cvs.openbsd.org 2011/01/16 12:05:59 [clientloop.c] a couple more tweaks to the post-close protocol 1 stderr/stdout flush: now that we use atomicio(), convert them from while loops to if statements add test and cast to compile cleanly with -Wsigned	2011-01-16 23:18:33 +11:00
Damien Miller	6fb6fd5662	- djm@cvs.openbsd.org 2011/01/16 11:50:36 [sshconnect.c] reset the SIGPIPE handler when forking to execute child processes; ok dtucker@	2011-01-16 23:17:45 +11:00
Damien Miller	4791f9dcec	- djm@cvs.openbsd.org 2011/01/16 11:50:05 [clientloop.c] Use atomicio when flushing protocol 1 std{out,err} buffers at session close. This was a latent bug exposed by setting a SIGCHLD handler and spotted by kevin.brott AT gmail.com; ok dtucker@	2011-01-16 23:16:53 +11:00
Darren Tucker	50c61f88ab	- (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based on configurations that don't have it.	2011-01-16 18:28:09 +11:00
Darren Tucker	08f83883f5	not February yet...	2011-01-16 18:24:04 +11:00
Tim Rice	c5c346b101	- (tim) [regress/cert-hostkey.sh] Add missing TEST_SSH_ECC guard around some ecdsa bits.	2011-01-13 22:36:14 -08:00
Tim Rice	02d99da976	- (tim) [regress/cert-hostkey.sh] Typo. Missing $ on variable name.	2011-01-13 22:20:27 -08:00
Damien Miller	e9b40487fa	- (djm) [Makefile.in] Use shell test to disable ecdsa key generating in host-key-force target rather than a substitution that is replaced with a comment so that the Makefile.in is still a syntactically valid Makefile (useful to run the distprep target)	2011-01-14 14:47:37 +11:00
Damien Miller	42747df8b7	- djm@cvs.openbsd.org 2011/01/13 21:55:25 [PROTOCOL.mux] correct protocol names and add a couple of missing protocol number defines; patch from bert.wesarg AT googlemail.com	2011-01-14 12:01:50 +11:00
Damien Miller	445c9a507d	- djm@cvs.openbsd.org 2011/01/13 21:54:53 [mux.c] correct error messages; patch from bert.wesarg AT googlemail.com	2011-01-14 12:01:29 +11:00
Damien Miller	5278806e39	- (djm) [regress/kextype.sh] Testing diffie-hellman-group-exchange-sha256 should not depend on ECC support	2011-01-13 22:05:14 +11:00
Damien Miller	9b16086e74	- (djm) [myproposal.h] Fix reversed OPENSSL_VERSION_NUMBER test and bad #define that was causing diffie-hellman-group-exchange-sha256 to be incorrectly disabled	2011-01-13 22:00:20 +11:00
Damien Miller	cbaf8e6ec1	- (djm) [regress/Makefile] add a few more generated files to the clean target	2011-01-13 21:08:27 +11:00
Damien Miller	ff22df538e	- (djm) [entropy.c] cast OPENSSL_VERSION_NUMBER to u_long to avoid gcc warning on platforms where it defaults to int	2011-01-13 21:05:27 +11:00
Tim Rice	9b87a5ce3c	- (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generating ecdsa keys. ok djm.	2011-01-12 22:35:43 -08:00
Tim Rice	cce927c25f	- (tim) [Makefile.in] test the ECC bits if we have the capability. ok djm	2011-01-12 19:06:31 -08:00
Damien Miller	1708cb7d0d	- (djm) [misc.c] include time.h for nanosleep() prototype	2011-01-13 12:21:34 +11:00
Damien Miller	134d02a494	- (djm) [configure.ac] Fix broken test for gcc >= 4.4 with per-compiler flag tests that don't depend on gcc version at all; suggested by and ok dtucker@	2011-01-12 16:00:37 +11:00
Damien Miller	945aa0c744	- (djm) [configure.ac] Turn on -Wno-unused-result for gcc >= 4.4 to avoid silly warnings on write() calls we don't care succeed or not.	2011-01-12 13:34:02 +11:00
Damien Miller	4927aaf446	- djm@cvs.openbsd.org 2011/01/12 01:53:14 avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS and sanity check arguments (these will be unnecessary when we switch struct glob members from being type into to size_t in the future); "looks ok" tedu@ feedback guenther@	2011-01-12 13:32:03 +11:00
Damien Miller	b66e917831	- nicm@cvs.openbsd.org 2010/10/08 21:48:42 [openbsd-compat/glob.c] Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit from ARG_MAX to 64K. Fixes glob-using programs (notably ftp) able to be triggered to hit resource limits. Idea from a similar NetBSD change, original problem reported by jasper@. ok millert tedu jasper	2011-01-12 13:30:18 +11:00
Damien Miller	821de0ad2e	- djm@cvs.openbsd.org 2011/01/11 06:13:10 [clientloop.c ssh-keygen.c sshd.c] some unsigned long long casts that make things a bit easier for portable without resorting to dropping PRIu64 formats everywhere	2011-01-11 17:20:29 +11:00
Damien Miller	a256c8d680	- djm@cvs.openbsd.org 2011/01/11 06:06:09 [sshlogin.c] fd leak on error paths; from zinovik@ NB. Id sync only; we use loginrec.c that was also audited and fixed recently	2011-01-11 17:20:05 +11:00
Damien Miller	b73b6fd916	- djm@cvs.openbsd.org 2011/01/08 10:51:51 [clientloop.c] use host and not options.hostname, as the latter may have unescaped substitution characters	2011-01-11 17:18:56 +11:00
Damien Miller	81ad4b1fc0	- (djm) [platform.c] Some missing includes that show up under -Werror	2011-01-11 17:02:23 +11:00
Tim Rice	076a3b9ced	- (tim) [regress/host-expand.sh] Fix for building outside of read only source tree.	2011-01-10 12:56:26 -08:00
Damien Miller	e63b7f2821	- (djm) [Makefile.in] list ssh_host_ecdsa key in PATHSUBS; spotted by openssh AT roumenpetrov.info	2011-01-09 09:19:50 +11:00
Damien Miller	996384d500	- (djm) [regress/keytype.sh] s/echo -n/echon/ to repair failing regress test on OSX and others. Reported by imorgan AT nas.nasa.gov	2011-01-08 21:58:20 +11:00
Damien Miller	ed3a8eb65f	- djm@cvs.openbsd.org 2011/01/06 23:01:35 [sshconnect.c] reset SIGCHLD handler to SIG_DFL when execuring LocalCommand; ok markus@	2011-01-07 10:02:52 +11:00
Damien Miller	7d06b00032	- djm@cvs.openbsd.org 2011/01/06 22:46:21 [regress/Makefile regress/host-expand.sh] regress test for LocalCommand %n expansion from bert.wesarg AT googlemail.com; ok markus@	2011-01-07 09:54:20 +11:00
Damien Miller	64abf31425	- djm@cvs.openbsd.org 2011/01/06 22:23:02 [clientloop.c] when exiting due to ServerAliveTimeout, mention the hostname that caused it (useful with backgrounded controlmaster)	2011-01-07 09:51:52 +11:00
Damien Miller	83f8a4014d	- djm@cvs.openbsd.org 2011/01/06 22:23:53 [ssh.c] unbreak %n expansion in LocalCommand; patch from bert.wesarg AT googlemail.com; ok markus@	2011-01-07 09:51:17 +11:00
Damien Miller	322125b960	- (djm) [regress/cert-hostkey.sh regress/cert-userkey.sh] fix shell test for no-ECC case. Patch from cristian.ionescu-idbohrn AT axis.com	2011-01-07 09:50:08 +11:00
Damien Miller	8ad960b4ba	- otto@cvs.openbsd.org 2011/01/04 20:44:13 [ssh-keyscan.c] handle ecdsa-sha2 with various key lengths; hint and ok djm@	2011-01-06 22:44:44 +11:00
Damien Miller	de53fd04b1	- djm@cvs.openbsd.org 2010/12/24 21:41:48 [auth-options.c] don't send the actual forced command in a debug message; ok markus deraadt	2011-01-06 22:44:18 +11:00
Damien Miller	106079c06d	- djm@cvs.openbsd.org 2010/12/15 00:49:27 [readpass.c] fix ControlMaster=ask regression reset SIGCHLD handler before fork (and restore it after) so we don't miss the the askpass child's exit status. Correct test for exit status/signal to account for waitpid() failure; with claudio@ ok claudio@ markus@	2011-01-06 22:43:44 +11:00
Damien Miller	05c8997b33	- markus@cvs.openbsd.org 2010/12/14 11:59:06 [sshconnect.c] don't mention key type in key-changed-warning, since we also print this warning if a new key type appears. ok djm@	2011-01-06 22:42:04 +11:00
Damien Miller	907998df72	- jmc@cvs.openbsd.org 2010/12/09 14:13:33 [scp.1 scp.c] scp.1: grammer fix scp.c: add -3 to usage()	2011-01-06 22:41:21 +11:00
Damien Miller	f12114366b	- markus@cvs.openbsd.org 2010/12/08 22:46:03 [scp.1 scp.c] add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. ok djm@ (bugzilla #1837)	2011-01-06 22:40:30 +11:00
Damien Miller	30a69e7bba	- (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage formatter if it is present, followed by nroff and groff respectively. Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports in favour of mandoc). feedback and ok tim	2011-01-04 08:16:27 +11:00
Damien Miller	d197fd64a1	- (djm) [Makefile.in] revert local hack I didn't intend to commit	2011-01-03 14:48:14 +11:00
Damien Miller	41bccf75af	- (djm) [configure.ac] Check whether libdes is needed when building with Heimdal krb5 support. On OpenBSD this library no longer exists, so linking it unconditionally causes a build failure; ok dtucker	2011-01-02 21:53:07 +11:00
Damien Miller	4a06f9271f	- (djm) [loginrec.c] Fix some fd leaks on error paths. ok dtucker	2011-01-02 21:43:59 +11:00
Damien Miller	928362dc03	- djm@cvs.openbsd.org 2010/12/08 04:02:47 [ssh_config.5 sshd_config.5] explain that IPQoS arguments are separated by whitespace; iirc requested by jmc@ a while back	2010-12-26 14:26:45 +11:00
Darren Tucker	4288c53d04	- djm@cvs.openbsd.org 2010/12/04 00:21:19 [regress/sftp-cmds.sh] adjust for hard-link support	2010-12-05 09:45:50 +11:00
Darren Tucker	7e1a5a4e1b	- (dtucker) [regress/Makefile] Id sync.	2010-12-05 09:29:31 +11:00
Darren Tucker	094f1e9934	- djm@cvs.openbsd.org 2010/12/04 13:31:37 [hostfile.c] fix fd leak; spotted and ok dtucker	2010-12-05 09:03:31 +11:00
Darren Tucker	af1f909254	- djm@cvs.openbsd.org 2010/12/04 00:18:01 [sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c] add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command; based on a patch from miklos AT szeredi.hu in bz#1555; ok markus@	2010-12-05 09:02:47 +11:00
Darren Tucker	adab6f1299	- djm@cvs.openbsd.org 2010/12/03 23:55:27 [auth-rsa.c] move check for revoked keys to run earlier (in auth_rsa_key_allowed) bz#1829; patch from ldv AT altlinux.org; ok markus@	2010-12-05 09:01:47 +11:00
Darren Tucker	7336b904ff	- (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2010/12/03 23:49:26 [schnorr.c] check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao (this code is still disabled, but apprently people are treating it as a reference implementation)	2010-12-05 09:00:30 +11:00
Darren Tucker	37bb7568ab	- (dtucker) openbsd-compat/openssl-compat.c] remove sleep leftover from debugging. Spotted by djm.	2010-12-05 08:46:05 +11:00
Darren Tucker	ebdef76b5d	- (dtucker) [configure.ac moduli.c openbsd-compat/openssl-compat.{c,h}] Add shims for the new, non-deprecated OpenSSL key generation functions for platforms that don't have the new interfaces.	2010-12-04 23:20:50 +11:00
Damien Miller	d89745b9e7	- (djm) [openbsd-compat/bindresvport.c] Use arc4random_uniform(range) instead of (arc4random() % range)	2010-12-03 10:50:26 +11:00
Damien Miller	d925dcd8a5	- djm@cvs.openbsd.org 2010/11/29 23:45:51 [auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c] [sshconnect.h sshconnect2.c] automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@	2010-12-01 12:21:51 +11:00
Damien Miller	03c0e533de	- markus@cvs.openbsd.org 2010/11/29 18:57:04 [authfile.c] correctly load comment for encrypted rsa1 keys; report/fix Joachim Schipper; ok djm@	2010-12-01 12:03:39 +11:00
Damien Miller	87dc0a4188	- djm@cvs.openbsd.org 2010/11/26 05:52:49 [scp.c] Pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837 ok dtucker@	2010-12-01 12:03:19 +11:00
Damien Miller	f80c3deaaf	- djm@cvs.openbsd.org 2010/11/25 04:10:09 [session.c] replace close() loop for fds 3->64 with closefrom(); ok markus deraadt dtucker	2010-12-01 12:02:59 +11:00
Damien Miller	b7f827ae45	- djm@cvs.openbsd.org 2010/11/24 01:24:14 [channels.c] remove a debug() that pollutes stderr on client connecting to a server in debug mode (channel_close_fds is called transitively from the session code post-fork); bz#1719, ok dtucker	2010-12-01 12:02:35 +11:00
Damien Miller	d0fdd6818c	- djm@cvs.openbsd.org 2010/11/23 23:57:24 [clientloop.c] avoid NULL deref on receiving a channel request on an unknown or invalid channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@	2010-12-01 12:02:14 +11:00
Damien Miller	6a740e7b92	- djm@cvs.openbsd.org 2010/11/23 02:35:50 [auth.c] use strict_modes already passed as function argument over referencing global options.strict_modes	2010-12-01 12:01:51 +11:00
Damien Miller	a232792783	- djm@cvs.openbsd.org 2010/11/21 10:57:07 [authfile.c] Refactor internals of private key loading and saving to work on memory buffers rather than directly on files. This will make a few things easier to do in the future; ok markus@	2010-12-01 12:01:21 +11:00
Damien Miller	2cd629349d	- djm@cvs.openbsd.org 2010/11/21 01:01:13 [clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c] honour $TMPDIR for client xauth and ssh-agent temporary directories; feedback and ok markus@	2010-12-01 11:50:35 +11:00
Damien Miller	188ea814b1	- OpenBSD CVS Sync - deraadt@cvs.openbsd.org 2010/11/20 05:12:38 [auth2-pubkey.c] clean up cases of ;;	2010-12-01 11:50:14 +11:00
Damien Miller	73de86ac5a	- (djm) [defines.h] Add IP DSCP defines	2010-11-24 10:50:04 +11:00
Darren Tucker	4b6cbf7aab	- (dtucker) [packet.c] Remove redundant local declaration of "int tos".	2010-11-24 10:46:37 +11:00
Damien Miller	88e341e1ca	- (djm) [loginrec.c] Relax permission requirement on btmp logs to allow group read/write. ok dtucker@	2010-11-24 10:36:15 +11:00
Darren Tucker	d995712383	- (dtucker) [platform.c session.c] Move the getluid call out of session.c and into the platform-specific code Only affects SCO, tested by and ok tim@.	2010-11-24 10:09:13 +11:00
Darren Tucker	9e0ff7afc8	- (dtucker) Bug #1840 : fix warning when configuring --with-ssl-engine, patch from vapier at gentoo org.	2010-11-22 17:59:00 +11:00
Damien Miller	0a1847347d	- jmc@cvs.openbsd.org 2010/11/18 15:01:00 [scp.1 sftp.1 ssh.1 sshd_config.5] add IPQoS to the various -o lists, and zap some trailing whitespace;	2010-11-20 15:21:03 +11:00
Damien Miller	8e1ea4e5a3	- jmc@cvs.openbsd.org 2010/11/15 07:40:14 [ssh_config.5] libary -> library;	2010-11-20 15:20:10 +11:00
Damien Miller	0dac6fb6b2	- djm@cvs.openbsd.org 2010/11/13 23:27:51 [clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@	2010-11-20 15:19:38 +11:00
Damien Miller	4499f4cc20	- djm@cvs.openbsd.org 2010/11/10 01:33:07 [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c] use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED. these have been around for years by this time. ok markus	2010-11-20 15:15:49 +11:00
Damien Miller	7a221a1591	- djm@cvs.openbsd.org 2010/11/05 02:46:47 [packet.c] whitespace KNF	2010-11-20 15:14:29 +11:00
Damien Miller	dd190ddfd7	- (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on platforms that don't support ECC. Fixes some spurious warnings reported by tim@	2010-11-11 14:17:02 +11:00
Tim Rice	c7a8af03a0	- (tim) [configure.ac openbsd-compat/bsd-misc.h openbsd-compat/bsd-misc.c] Add support for platforms missing isblank(). ok djm@	2010-11-08 14:26:23 -08:00
Tim Rice	e426f5e932	- (tim) [regress/kextype.sh] Not all platforms have time in /usr/bin. Feedback from dtucker@	2010-11-08 09:15:14 -08:00
Tim Rice	c10aeaa8f2	- (tim) [regress/kextype.sh] Shell portability fix.	2010-11-07 13:03:11 -08:00
Tim Rice	522262f8b3	- (tim) [regress/Makefile] Fixes to allow building/testing outside source tree.	2010-11-07 13:00:27 -08:00
Darren Tucker	d1ece6e4a2	- (dtucker) [platform.c] includes.h instead of defines.h so that we get the correct typedefs.	2010-11-07 18:05:54 +11:00
Darren Tucker	9283d8cbc5	- (dtucker) [platform.c] Need servconf.h and extern options.	2010-11-05 18:56:08 +11:00
Darren Tucker	f619d1cad9	- (dtucker) [regress/kextype.sh] Make sha256 test depend on ECC. This is not strictly correct since while ECC requires sha256 the reverse is not true however it does prevent spurious test failures.	2010-11-05 18:41:50 +11:00
Darren Tucker	345178d951	- (dtucker) [regress/kextype.sh] Add missing "test".	2010-11-05 18:35:52 +11:00
Darren Tucker	eab5f0df90	- (dtucker) [Makefile configure.ac regress/Makefile regress/keytype.sh] Import recent changes to regress/Makefile, pass a flag to enable ECC tests from configure through to regress/Makefile and use it in the tests.	2010-11-05 18:23:38 +11:00
Darren Tucker	b69e033e67	- (dtucker) [regress/keytype.sh] Import new test.	2010-11-05 18:19:15 +11:00
Darren Tucker	b12fe272a0	- (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case check into platform.c	2010-11-05 14:47:01 +11:00
Darren Tucker	cc12418e18	- (dtucker) [platform.c session.c] Move PAM credential establishment for the non-LOGIN_CAP case into platform.c.	2010-11-05 13:32:52 +11:00
Darren Tucker	0b2ee6452c	- (dtucker) [platform.c session.c] Move irix setusercontext fragment into platform.c.	2010-11-05 13:29:25 +11:00
Darren Tucker	676b912e78	- (dtucker) platform.c session.c] Move aix_usrinfo frament into platform.c.	2010-11-05 13:11:04 +11:00
Darren Tucker	7a8afe3186	- (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into platform.c	2010-11-05 13:07:24 +11:00
Darren Tucker	728d8371a1	- (dtucker) [platform.c session.c] Move the PAM credential establishment for the LOGIN_CAP case into platform.c.	2010-11-05 13:00:05 +11:00
Darren Tucker	fd4d8aa2cb	- (dtucker) [platform.c] Only call setpgrp on BSDI if running as root to retain previous behavior.	2010-11-05 12:50:41 +11:00
Darren Tucker	44a97be0cc	- (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c.	2010-11-05 12:45:18 +11:00
Darren Tucker	4db380701d	- (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into platform.c	2010-11-05 12:41:13 +11:00
Darren Tucker	920612e45a	- (dtucker) [platform.c platform.h session.c] Add a platform hook to run after the user's groups are established and move the selinux calls into it.	2010-11-05 12:36:15 +11:00
Darren Tucker	97528353c2	- (dtucker) [configure.ac platform.{c,h} session.c openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support. Patch from cory.erickson at csu mnscu edu with a bit of rework from me. ok djm@	2010-11-05 12:03:05 +11:00
Damien Miller	34ee4204c6	- (djm) [loginrec.c loginrec.h] Use correct uid_t/pid_t types instead of int. Should fix bz#1817 cleanly; ok dtucker@	2010-11-05 10:52:37 +11:00
Damien Miller	0733121194	- djm@cvs.openbsd.org 2010/11/04 02:45:34 [sftp-server.c] umask should be parsed as octal. reported by candland AT xmission.com; ok markus@	2010-11-05 10:20:31 +11:00
Damien Miller	55fa56505b	- jmc@cvs.openbsd.org 2010/10/28 18:33:28 [scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] knock out some "-- nroff --" lines;	2010-11-05 10:20:14 +11:00
Damien Miller	b472a90d4c	- djm@cvs.openbsd.org 2010/10/28 11:22:09 [authfile.c key.c key.h ssh-keygen.c] fix a possible NULL deref on loading a corrupt ECDH key store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.	2010-11-05 10:19:49 +11:00
Damien Miller	3a0e9f6479	- djm@cvs.openbsd.org 2010/09/22 12:26:05 [regress/Makefile regress/kextype.sh] regress test for each of the key exchange algorithms that we support	2010-11-05 10:16:34 +11:00
Darren Tucker	54b1f3121d	- (dtucker) [defines.h] Use SIZE_T_MAX for SIZE_MAX for platforms that have a native one.	2010-10-25 16:54:28 +11:00
Tim Rice	bdd3e67c19	- (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with 1.12 to unbreak Solaris build. ok djm@	2010-10-24 18:35:55 -07:00
Darren Tucker	7bc236de21	- (dtucker) [defines.h] Add SIZE_MAX for the benefit of platforms that don't have it.	2010-10-24 11:58:43 +11:00
Darren Tucker	d633fef471	- (dtucker) [regress/cert-userkey.sh] Disable ECC-based tests on platforms which don't have ECC support in libcrypto.	2010-10-24 11:33:07 +11:00
Darren Tucker	bfd9b1be41	- (dtucker) [regress/cert-hostkey.sh] Disable ECC-based tests on platforms which don't have ECC support in libcrypto.	2010-10-24 11:19:26 +11:00
Darren Tucker	d78739ab90	- sthen@cvs.openbsd.org 2010/10/23 22:06:12 [sftp.c] escape '[' in filename tab-completion; fix a type while there. ok djm@	2010-10-24 10:56:32 +11:00
Darren Tucker	a53939332d	- (dtucker) [includes.h] Add missing ifdef GLOB_HAS_GL_STATV to fix build.	2010-10-24 10:47:30 +11:00
Damien Miller	6fd2d7de4b	- djm@cvs.openbsd.org 2010/08/31 12:24:09 [regress/cert-hostkey.sh regress/cert-userkey.sh] tests for ECDSA certificates	2010-10-21 15:27:14 +11:00
Damien Miller	68512c0341	- OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2010/10/12 02:22:24 [mux.c] Typo in confirmation message. bz#1827, patch from imorgan at nas nasa gov	2010-10-21 15:21:11 +11:00
Damien Miller	9c0c31d2db	- (djm) [sshconnect.c] Need signal.h for prototype for kill(2)	2010-10-12 13:30:44 +11:00
Damien Miller	47e57bfab4	- (djm) [canohost.c] Zero a4 instead of addr to better match type. bz#1825, reported by foo AT mailinator.com	2010-10-12 13:28:12 +11:00
Damien Miller	1f78980099	- (djm) [configure.ac] Use = instead of == in shell tests. Patch from dr AT vasco.com	2010-10-11 22:35:22 +11:00
Damien Miller	88b844f19b	- (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmp	2010-10-07 22:19:23 +11:00
Damien Miller	80e9953938	- (djm) [cipher-acss.c] Add missing header.	2010-10-07 22:12:08 +11:00
Damien Miller	37f4f1892f	- (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code.	2010-10-07 22:10:38 +11:00
Damien Miller	45fcdaa1cf	- djm@cvs.openbsd.org 2010/10/06 21:10:21 [sshconnect.c] swapped args to kill(2)	2010-10-07 22:07:58 +11:00
Damien Miller	a41ccca643	- djm@cvs.openbsd.org 2010/10/06 06:39:28 [clientloop.c ssh.c sshconnect.c sshconnect.h] kill proxy command on fatal() (we already kill it on clean exit); ok markus@	2010-10-07 22:07:32 +11:00
Damien Miller	38d9a965bf	- djm@cvs.openbsd.org 2010/10/05 05:13:18 [sftp.c sshconnect.c] use default shell /bin/sh if $SHELL is ""; ok markus@	2010-10-07 22:07:11 +11:00
Damien Miller	9a3d0dc062	- djm@cvs.openbsd.org 2010/10/01 23:05:32 [cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h] adapt to API changes in openssl-1.0.0a NB. contains compat code to select correct API for older OpenSSL	2010-10-07 22:06:42 +11:00
Damien Miller	c54b02c4eb	- djm@cvs.openbsd.org 2010/09/30 11:04:51 [servconf.c] prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block; patch from rein AT basefarm.no	2010-10-07 21:40:17 +11:00
Damien Miller	68e2e56ea9	- djm@cvs.openbsd.org 2010/09/26 22:26:33 [sftp.c] when performing an "ls" in columnated (short) mode, only call ioctl(TIOCGWINSZ) once to get the window width instead of per- filename	2010-10-07 21:39:55 +11:00
Damien Miller	a6e121aaa0	- djm@cvs.openbsd.org 2010/09/25 09:30:16 [sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h] make use of new glob(3) GLOB_KEEPSTAT extension to save extra server rountrips to fetch per-file stat(2) information. NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to match.	2010-10-07 21:39:17 +11:00
Damien Miller	aa18063baf	- matthew@cvs.openbsd.org 2010/09/24 13:33:00 [misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h] [openbsd-compat/timingsafe_bcmp.c] Add timingsafe_bcmp(3) to libc, mention that it's already in the kernel in kern(9), and remove it from OpenSSH. ok deraadt@, djm@ NB. re-added under openbsd-compat/ for portable OpenSSH	2010-10-07 21:25:27 +11:00
Damien Miller	2beb32f290	- jmc@cvs.openbsd.org 2010/09/23 13:36:46 [scp.1 sftp.1] add KexAlgorithms to the -o list;	2010-09-24 22:16:03 +10:00
Damien Miller	56883e194f	- jmc@cvs.openbsd.org 2010/09/23 13:34:43 [sftp.c] add [-l limit] to usage();	2010-09-24 22:15:39 +10:00
Damien Miller	65e42f87fe	- djm@cvs.openbsd.org 2010/09/22 22:58:51 [atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c] [sftp-client.h sftp.1 sftp.c] add an option per-read/write callback to atomicio factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism add a bandwidth limit option to sftp(1) using the above "very nice" markus@	2010-09-24 22:15:11 +10:00
Damien Miller	7fe2b1fec3	- jmc@cvs.openbsd.org 2010/09/22 08:30:08 [ssh.1 ssh_config.5] ssh.1: add kexalgorithms to the -o list ssh_config.5: format the kexalgorithms in a more consistent (prettier!) way ok djm	2010-09-24 22:11:53 +10:00
Damien Miller	d5f62bf280	- djm@cvs.openbsd.org 2010/09/22 05:01:30 [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@	2010-09-24 22:11:14 +10:00
Damien Miller	603134e077	- djm@cvs.openbsd.org 2010/09/20 07:19:27 [mux.c] "atomically" create the listening mux socket by binding it on a temorary name and then linking it into position after listen() has succeeded. this allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed ok deraadt	2010-09-24 22:07:55 +10:00
Damien Miller	18e1cab1a1	- djm@cvs.openbsd.org 2010/09/20 04:54:07 [jpake.c] missing #include	2010-09-24 22:07:17 +10:00
Damien Miller	f7540cd5c4	- djm@cvs.openbsd.org 2010/09/20 04:50:53 [jpake.c schnorr.c] check that received values are smaller than the group size in the disabled and unfinished J-PAKE code. avoids catastrophic security failure found by Sebastien Martini	2010-09-24 22:03:24 +10:00
Damien Miller	857b02e37f	- djm@cvs.openbsd.org 2010/09/20 04:41:47 [ssh.c] install a SIGCHLD handler to reap expiried child process; ok markus@	2010-09-24 22:02:56 +10:00
Damien Miller	881adf74eb	- jmc@cvs.openbsd.org 2010/09/19 21:30:05 [sftp.1] more wacky macro fixing;	2010-09-24 22:01:54 +10:00
Damien Miller	1ca9469318	- djm@cvs.openbsd.org 2010/09/11 21:44:20 [ssh.1] mention RFC 5656 for ECC stuff	2010-09-24 22:01:22 +10:00
Damien Miller	6186bbc7fb	- naddy@cvs.openbsd.org 2010/09/10 15:19:29 [ssh-keygen.1] * mention ECDSA in more places * less repetition in FILES section * SSHv1 keys are still encrypted with 3DES help and ok jmc@	2010-09-24 22:00:54 +10:00
Darren Tucker	8ccb7392e7	- (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs for missing headers and compiler warnings.	2010-09-10 12:28:24 +10:00
Damien Miller	6af914a15c	- (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c] [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on platforms that don't have the requisite OpenSSL support. ok dtucker@	2010-09-10 11:39:26 +10:00
Damien Miller	041ab7c1e7	- djm@cvs.openbsd.org 2010/09/09 10:45:45 [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@	2010-09-10 11:23:34 +10:00
Damien Miller	3796ab47d3	- deraadt@cvs.openbsd.org 2010/09/08 04:13:31 [compress.c] work around name-space collisions some buggy compilers (looking at you gcc, at least in earlier versions, but this does not forgive your current transgressions) seen between zlib and openssl ok djm	2010-09-10 11:20:59 +10:00
Damien Miller	bf0423e550	- djm@cvs.openbsd.org 2010/09/08 03:54:36 [authfile.c] typo	2010-09-10 11:20:38 +10:00
Damien Miller	80ed82aaf4	- naddy@cvs.openbsd.org 2010/09/06 17:10:19 [sshd_config] add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste <mattieu.b@gmail.com> ok deraadt@	2010-09-10 11:20:11 +10:00

... 7 8 9 10 11 ...

6514 Commits