58e2c5b394
- djm@cvs.openbsd.org 2013/02/11 23:58:51
...
[try-ciphers.sh]
remove acss here too
2013-02-12 11:16:57 +11:00
22e8a1e169
- dtucker@cvs.openbsd.org 2013/02/11 21:21:58
...
[sshd.c]
Add openssl version to debug output similar to the client. ok markus@
2013-02-12 11:04:48 +11:00
894926ebd8
- djm@cvs.openbsd.org 2013/02/10 23:35:24
...
[packet.c]
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@
2013-02-12 11:03:58 +11:00
78d22713c7
- djm@cvs.openbsd.org 2013/02/10 23:32:10
...
[ssh-keygen.c]
append to moduli file when screening candidates rather than overwriting.
allows resumption of interrupted screen; patch from Christophe Garault
in bz#1957; ok dtucker@
2013-02-12 11:03:36 +11:00
fd05154dc4
- markus@cvs.openbsd.org 2013/02/10 21:19:34
...
[version.h]
openssh 6.2
2013-02-12 11:03:10 +11:00
d6d9fa0281
- djm@cvs.openbsd.org 2013/02/08 00:41:12
...
[sftp.c]
fix NULL deref when built without libedit and control characters
entered as command; debugging and patch from Iain Morgan an
Loganaden Velvindron in bz#1956
2013-02-12 11:02:46 +11:00
18de9133c2
- dtucker@cvs.openbsd.org 2013/02/06 00:22:21
...
[auth.c]
Fix comment, from jfree.e1 at gmail
2013-02-12 11:02:27 +11:00
1f583df8c3
- dtucker@cvs.openbsd.org 2013/02/06 00:20:42
...
[servconf.c sshd_config sshd_config.5]
Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
2013-02-12 11:02:08 +11:00
0cd2f8e5f8
- djm@cvs.openbsd.org 2013/01/27 10:06:12
...
[krl.c]
actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
2013-02-12 11:01:39 +11:00
f0a8ded824
- djm@cvs.openbsd.org 2013/01/26 06:11:05
...
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
[openbsd-compat/openssl-compat.h]
remove ACSS, now that it is gone from libcrypto too
2013-02-12 11:00:34 +11:00
60565bcb5c
- djm@cvs.openbsd.org 2013/01/25 10:22:19
...
[krl.c]
redo last commit without the vi-vomit that snuck in:
skip serial lookup when cert's serial number is zero
(now with 100% better comment)
2013-02-12 10:56:42 +11:00
377d9a44f9
- krw@cvs.openbsd.org 2013/01/25 05:00:27
...
[krl.c]
Revert last. Breaks due to likely typo. Let djm@ fix later.
ok djm@ via dlg@
2013-02-12 10:55:16 +11:00
6045f5d574
- djm@cvs.openbsd.org 2013/01/24 22:08:56
...
[krl.c]
skip serial lookup when cert's serial number is zero
2013-02-12 10:54:54 +11:00
ea078462ea
- (djm) OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2013/01/24 21:45:37
[krl.c]
fix handling of (unused) KRL signatures; skip string in correct buffer
2013-02-12 10:54:37 +11:00
b6f73b3af6
- (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
...
libcrypto that lacks EVP_CIPHER_CTX_ctrl
2013-02-11 10:39:12 +11:00
951b53b1be
- (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
...
__attribute__ on return values and work around if necessary. ok djm@
2013-02-08 11:50:09 +11:00
e7f50e1c18
- (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
...
patch from Iain Morgan in bz#2059
2013-02-08 10:49:37 +11:00
5c3bbd76aa
- (djm) [configure.ac] Don't probe seccomp capability of running kernel
...
at configure time; the seccomp sandbox will fall back to rlimit at
runtime anyway. Patch from plautrba AT redhat.com in bz#2011
2013-02-07 10:11:05 +11:00
dc75d1fc04
- (djm) [regress/krl.sh] replacement for jot; most platforms lack it
2013-01-20 22:58:51 +11:00
d60b210830
- (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
...
version.
2013-01-20 22:49:58 +11:00
a7522d9fc0
- markus@cvs.openbsd.org 2013/01/19 12:34:55
...
[krl.c]
RB_INSERT does not remove existing elments; ok djm@
2013-01-20 22:35:31 +11:00
a0a7ee8bf4
- jmc@cvs.openbsd.org 2013/01/19 07:13:25
...
[ssh-keygen.1]
fix some formatting; ok djm
2013-01-20 22:35:06 +11:00
881a7a2c5d
- jmc@cvs.openbsd.org 2013/01/18 21:48:43
...
[ssh-keygen.1]
command-line (adj.) -> command line (n.);
2013-01-20 22:34:46 +11:00
072fdcd198
- jmc@cvs.openbsd.org 2013/01/18 08:39:04
...
[ssh-keygen.1]
add -Q to the options list; ok djm
2013-01-20 22:34:04 +11:00
72abeb709e
- jmc@cvs.openbsd.org 2013/01/18 08:00:49
...
[sshd_config.5]
tweak previous;
2013-01-20 22:33:44 +11:00
3d6d68b1e1
- jmc@cvs.openbsd.org 2013/01/18 07:59:46
...
[ssh-keygen.c]
-u before -V in usage();
2013-01-20 22:33:23 +11:00
ac5542b6b8
- jmc@cvs.openbsd.org 2013/01/18 07:57:47
...
[ssh-keygen.1]
tweak previous;
2013-01-20 22:33:02 +11:00
da5cc5d09a
- (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
...
Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
prototypes for openssl-1.0.0-fips.
2013-01-20 22:31:29 +11:00
13f5f768bc
- djm@cvs.openbsd.org 2013/01/18 03:00:32
...
[krl.c]
fix KRL generation bug for list sections
2013-01-18 15:32:03 +11:00
ebafebda85
- djm@cvs.openbsd.org 2013/01/18 00:45:29
...
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
Tests for Key Revocation Lists (KRLs)
2013-01-18 11:51:56 +11:00
f3747bf401
- djm@cvs.openbsd.org 2013/01/17 23:00:01
...
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
2013-01-18 11:44:04 +11:00
b26699bbad
- (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
...
check for GCM support before testing GCM ciphers.
2013-01-17 14:31:57 +11:00
efa1c95092
- (djm) [regress/integrity.sh] repair botched merge
2013-01-12 23:10:47 +11:00
846dc7f21c
- djm@cvs.openbsd.org 2013/01/12 11:23:53
...
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
test AES-GCM modes; feedback markus@
2013-01-12 22:46:26 +11:00
c20eb8b8ea
- djm@cvs.openbsd.org 2013/01/12 11:22:04
...
[cipher.c]
improve error message for integrity failure in AES-GCM modes; ok markus@
2013-01-12 22:41:26 +11:00
1422c0887c
- djm@cvs.openbsd.org 2013/01/09 05:40:17
...
[ssh-keygen.c]
correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 16:44:54 +11:00
d522c68872
- (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
...
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
cipher compat code to openssl-compat.h
2013-01-09 16:42:47 +11:00
1d75abfe23
- markus@cvs.openbsd.org 2013/01/08 18:49:04
...
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
[myproposal.h packet.c ssh_config.5 sshd_config.5]
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@
2013-01-09 16:12:19 +11:00
aa7ad3039c
- jmc@cvs.openbsd.org 2013/01/04 19:26:38
...
[sftp-server.8 sftp-server.c]
sftp-server.8: add argument name to -d
sftp-server.c: add -d to usage()
ok djm
2013-01-09 15:58:21 +11:00
ec77c954c8
- djm@cvs.openbsd.org 2013/01/03 23:22:58
...
[ssh-keygen.c]
allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
ok markus@
2013-01-09 15:58:00 +11:00
502ab0eff1
- djm@cvs.openbsd.org 2013/01/03 12:54:49
...
[sftp-server.8 sftp-server.c]
allow specification of an alternate start directory for sftp-server(8)
"I like this" markus@
2013-01-09 15:57:36 +11:00
3739c8f041
- djm@cvs.openbsd.org 2013/01/03 12:49:01
...
[PROTOCOL]
fix description of MAC calculation for EtM modes; ok markus@
2013-01-09 15:57:16 +11:00
441384453c
- djm@cvs.openbsd.org 2013/01/03 05:49:36
...
[servconf.h]
add a couple of ServerOptions members that should be copied to the privsep
child (for consistency, in this case they happen only to be accessed in
the monitor); ok dtucker@
2013-01-09 15:56:45 +11:00
697485d50a
- djm@cvs.openbsd.org 2013/01/02 00:33:49
...
[PROTOCOL.agent]
correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
bz#2051 from david AT lechnology.com
2013-01-09 15:56:13 +11:00
73298f420e
- djm@cvs.openbsd.org 2013/01/02 00:32:07
...
[clientloop.c mux.c]
channel_setup_local_fwd_listener() returns 0 on failure, not -ve
bz#2055 reported by mathieu.lacage AT gmail.com
2013-01-09 15:55:50 +11:00
4e14a58f3f
- dtucker@cvs.openbsd.org 2012/12/14 05:26:43
...
[auth.c]
use correct string in error message; from rustybsd at gmx.fr
2013-01-09 15:54:48 +11:00
0fc77297e6
- (dtucker) [Makefile.in] Add some scaffolding so that the new regress
...
tests will work with VPATH directories.
2012-12-17 15:59:42 +11:00
13cbff1e00
- (djm) [cipher.c] Fix missing prototype for compat code
2012-12-13 08:25:07 +11:00
25a02b0c95
- (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
...
compat code for older OpenSSL
2012-12-13 08:18:56 +11:00
8c05da3326
- markus@cvs.openbsd.org 2012/12/12 16:45:52
...
[packet.c]
reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only parially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert
2012-12-13 07:18:59 +11:00
faabeb6b36
- (djm) [regress/Makefile] fix t-exec rule
2012-12-12 12:51:54 +11:00
37461d7391
- (djm) [regress/integrity.sh] Fix awk quoting, packet length skip
2012-12-12 12:37:32 +11:00
37834afe7b
- (djm) [mac.c] fix merge botch
2012-12-12 11:00:37 +11:00
ec7ce9ace4
- markus@cvs.openbsd.org 2012/12/11 23:12:13
...
[try-ciphers.sh]
add hmac-ripemd160-etm@openssh.com
2012-12-12 10:55:32 +11:00
1fb593a3f1
- markus@cvs.openbsd.org 2012/12/11 22:42:11
...
[regress/Makefile regress/modpipe.c regress/integrity.sh]
test the integrity of the packets; with djm@
2012-12-12 10:54:37 +11:00
1a45b63d7b
- markus@cvs.openbsd.org 2012/12/11 22:32:56
...
[regress/try-ciphers.sh]
add etm modes
2012-12-12 10:52:07 +11:00
74f13bdf26
- sthen@cvs.openbsd.org 2012/12/11 22:51:45
...
[mac.c]
fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
2012-12-12 10:46:53 +11:00
af43a7ac2d
- markus@cvs.openbsd.org 2012/12/11 22:31:18
...
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
[packet.c ssh_config.5 sshd_config.5]
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
2012-12-12 10:46:31 +11:00
6a1937eac5
- markus@cvs.openbsd.org 2012/12/11 22:16:21
...
[monitor.c]
drain the log messages after receiving the keystate from the unpriv
child. otherwise it might block while sending. ok djm@
2012-12-12 10:44:38 +11:00
3e1027cd1f
- dtucker@cvs.openbsd.org 2012/12/07 01:51:35
...
[serverloop.c]
Cast signal to int for logging. A no-op on openbsd (they're always ints)
but will prevent warnings in portable. ok djm@
2012-12-07 13:07:46 +11:00
8a96522482
- markus@cvs.openbsd.org 2012/12/05 15:42:52
...
[ssh-add.c]
prevent double-free of comment; ok djm@
2012-12-07 13:07:02 +11:00
f9333d5246
- jmc@cvs.openbsd.org 2012/12/03 08:33:03
...
[ssh-add.1 sshd_config.5]
tweak previous;
2012-12-07 13:06:13 +11:00
3dfb877046
- dtucker@cvs.openbsd.org 2012/12/06 06:06:54
...
[regress/keys-command.sh]
Fix some problems with the keys-command test:
- use string comparison rather than numeric comparison
- check for existing KEY_COMMAND file and don't clobber if it exists
- clean up KEY_COMMAND file if we do create it.
- check that KEY_COMMAND is executable (which it won't be if eg /var/run
is mounted noexec).
ok djm.
2012-12-07 13:03:10 +11:00
96ce9a1e45
20121205
...
- (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
2012-12-04 07:50:03 -08:00
8b48982a56
- (djm) [configure.ac] Revert previous. configure.ac already does this
...
for us.
2012-12-03 12:35:55 +11:00
03af12e930
- (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
...
debugging. ok dtucker@
2012-12-03 11:55:53 +11:00
55aca027ed
- djm@cvs.openbsd.org 2012/12/03 00:14:06
...
[auth2-chall.c ssh-keygen.c]
Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
999bd2d259
- djm@cvs.openbsd.org 2012/12/02 20:47:48
...
[Makefile regress/forward-control.sh]
regress for AllowTcpForwarding local/remote; ok markus@
2012-12-03 10:13:39 +11:00
771c43cee6
- djm@cvs.openbsd.org 2012/11/22 22:49:30
...
[regress/Makefile regress/keys-command.sh]
regress for AuthorizedKeysCommand; hints from markus@
2012-12-03 10:12:13 +11:00
6618e92509
- djm@cvs.openbsd.org 2012/10/19 05:10:42
...
[regress/cert-userkey.sh]
include a serial number when generating certs
2012-12-03 10:09:04 +11:00
fa51d8b6b2
- dtucker@cvs.openbsd.org 2012/10/05 02:20:48
...
[regress/cipher-speed.sh regress/try-ciphers.sh]
Add umac-128@openssh.com to the list of MACs to be tested
2012-12-03 10:08:25 +11:00
d27a026ab7
- dtucker@cvs.openbsd.org 2012/10/05 02:05:30
...
[regress/multiplex.sh]
Use 'kill -0' to test for the presence of a pid since it's more portable
2012-12-03 10:06:37 +11:00
15b05cfa17
- djm@cvs.openbsd.org 2012/12/02 20:34:10
...
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
[monitor.c monitor.h]
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.
Fix multiple authentication when one of the methods is
keyboard-interactive.
ok markus@
2012-12-03 09:53:20 +11:00
aa5b3f8314
- djm@cvs.openbsd.org 2012/12/02 20:46:11
...
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
2012-12-03 09:50:54 +11:00
33a813613a
- djm@cvs.openbsd.org 2012/12/02 20:42:15
...
[ssh-add.1 ssh-add.c]
make deleting explicit keys "ssh-add -d" symmetric with adding keys -
try to delete the corresponding certificate too and respect the -k option
to allow deleting of the key only; feedback and ok markus@
2012-12-03 09:50:24 +11:00
cb6b68b209
- djm@cvs.openbsd.org 2012/12/02 20:26:11
...
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
2012-12-03 09:49:52 +11:00
cf6ef137b5
- (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
...
TAILQ_FOREACH_SAFE needed for upcoming changes.
2012-12-03 09:37:56 +11:00
6f3b362fa8
- djm@cvs.openbsd.org 2012/11/14 02:32:15
...
[ssh-keygen.c]
allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
1e85469fcb
- djm@cvs.openbsd.org 2012/11/14 02:24:27
...
[auth2-pubkey.c]
fix username passed to helper program
prepare stdio fds before closefrom()
spotted by landry@
2012-11-14 19:04:02 +11:00
0120c41d6b
- jmc@cvs.openbsd.org 2012/09/26 17:34:38
...
[moduli.5]
last stage of rfc changes, using consistent Rs/Re blocks, and moving the
references into a STANDARDS section;
2012-11-07 08:36:00 +11:00
d5c3d4c0ca
- eric@cvs.openbsd.org 2011/11/28 08:46:27
...
[moduli.5]
fix formula
ok djm@
2012-11-07 08:35:38 +11:00
737f7aff36
- (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
...
don't have it. Spotted by tim@.
2012-11-05 17:07:43 +11:00
f96ff18a92
- (dtucker) [uidswap.c openbsd-compat/Makefile.in
...
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids
and gids from uidswap.c to the compat library, which allows it to work with
the new setresuid calls in auth2-pubkey. with tim@, ok djm@
2012-11-05 17:04:37 +11:00
a6e3f01d1e
- djm@cvs.openbsd.org 2012/11/04 11:09:15
...
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
[sshd_config.5]
Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
2012-11-04 23:21:40 +11:00
d0d1099b3b
- djm@cvs.openbsd.org 2012/11/04 10:38:43
...
[auth2-pubkey.c sshd.c sshd_config.5]
Remove default of AuthorizedCommandUser. Administrators are now expected
to explicitly specify a user. feedback and ok markus@
2012-11-04 22:23:14 +11:00
f33580eed0
- OpenBSD CVS Sync
...
- jmc@cvs.openbsd.org 2012/10/31 08:04:50
[sshd_config.5]
tweak previous;
2012-11-04 22:22:52 +11:00
09d3e12512
- djm@cvs.openbsd.org 2012/10/30 21:29:55
...
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
[sshd.c sshd_config sshd_config.5]
new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@
2012-10-31 08:58:58 +11:00
07daed505f
- (djm) OpenBSD CVS Sync
...
- markus@cvs.openbsd.org 2012/10/05 12:34:39
[sftp.c]
fix signed vs unsigned warning; feedback & ok: djm@
2012-10-31 08:57:55 +11:00
c0e5cbe222
- (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
...
the generated file as intended.
2012-10-18 21:38:58 -07:00
cc8e9ffdd1
- [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom"
2012-10-05 15:41:06 +10:00
50ce447ef9
- [umac.c] Enforce allowed umac output sizes. From djm@.
2012-10-05 12:11:33 +10:00
ee4ad778d7
- dtucker@cvs.openbsd.org 2012/09/10 01:51:19
...
[regress/multiplex.sh]
use -Ocheck and waiting for completions by PID to make multiplexing test
less racy and (hopefully) more reliable on slow hardware.
2012-10-05 12:04:10 +10:00
9b2c0360cf
- dtucker@cvs.openbsd.org 2012/09/10 00:49:21
...
[regress/multiplex.sh]
Log -O cmd output to the log file and make logging consistent with the
other tests. Test clean shutdown of an existing channel when testing
"stop".
2012-10-05 11:45:39 +10:00
6fc5aa8b2e
- dtucker@cvs.openbsd.org 2012/09/09 11:51:25
...
[multiplex.sh]
Add test for ssh -Ostop
2012-10-05 11:43:57 +10:00
189e5bad5c
- dtucker@cvs.openbsd.org 2012/09/06 04:11:07
...
[regress/try-ciphers.sh]
Restore missing space. (Id sync only).
2012-10-05 11:41:52 +10:00
992faad1f1
- [Makefile umac.c] Add special-case target to build umac128.o.
2012-10-05 11:38:24 +10:00
427e409e99
- markus@cvs.openbsd.org 2012/10/04 13:21:50
...
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
add umac128 variant; ok djm@ at n2k12
(note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
0dc283b13a
- djm@cvs.openbsd.org 2012/10/02 07:07:45
...
[ssh-keygen.c]
fix -z option, broken in revision 1.215
2012-10-05 10:52:51 +10:00
3a7c04105a
- naddy@cvs.openbsd.org 2012/10/01 13:59:51
...
[monitor_wrap.c]
pasto; ok djm@
2012-10-05 10:51:59 +10:00
628a3fdce2
- jmc@cvs.openbsd.org 2012/09/26 16:12:13
...
[ssh.1]
last stage of rfc changes, using consistent Rs/Re blocks, and moving the
references into a STANDARDS section;
2012-10-05 10:50:15 +10:00
17146d369c
- dtucker@cvs.openbsd.org 2012/09/21 10:55:04
...
[sftp.c]
Fix handling of filenames containing escaped globbing characters and
escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.
2012-10-05 10:46:16 +10:00
191fcc6e4e
- dtucker@cvs.openbsd.org 2012/09/21 10:53:07
...
[sftp.c]
Fix improper handling of absolute paths when PWD is part of the completed
path. Patch from Jean-Marc Robert via tech@, ok djm.
2012-10-05 10:45:01 +10:00
063018d9f6
- dtucker@cvs.openbsd.org 2012/09/18 10:36:12
...
[sftp.c]
Add bounds check on sftp tab-completion. Part of a patch from from
Jean-Marc Robert via tech@, ok djm
2012-10-05 10:43:58 +10:00
302889a1b0
- markus@cvs.openbsd.org 2012/09/17 13:04:11
...
[packet.c]
clear old keys on rekeing; ok djm
2012-10-05 10:42:53 +10:00
0af2405ebf
- (dtucker) OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2012/09/17 09:54:44
[sftp.c]
an XXX for later
2012-10-05 10:41:25 +10:00
26b9e3b0c5
- markus@cvs.openbsd.org 2012/09/14 16:51:34
...
[sshconnect.c]
remove unused variable
2012-09-17 13:25:44 +10:00
bb6cc07cf4
- dtucker@cvs.openbsd.org 2012/09/13 23:37:36
...
[servconf.c]
Fix comment line length
2012-09-17 13:25:06 +10:00
86dc9b4110
Fix author's name for RFC6594 SSHFP change
2012-09-07 18:08:23 +10:00
48bf4b0ca3
- dtucker@cvs.openbsd.org 2012/09/07 06:34:21
...
[clientloop.c]
when muxmaster is run with -N, make it shut down gracefully when a client
sends it "-O stop" rather than hanging around (bz#1985). ok djm@
2012-09-07 16:38:53 +10:00
ca0d0fd806
- dtucker@cvs.openbsd.org 2012/09/07 01:10:21
...
[clientloop.c]
Merge escape help text for ~v and ~V; ok djm@
2012-09-07 11:22:24 +10:00
f111d40604
- dtucker@cvs.openbsd.org 2012/09/07 00:30:19
...
[clientloop.c]
Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@
2012-09-07 11:21:42 +10:00
83d0af6907
- jmc@cvs.openbsd.org 2012/09/06 13:57:42
...
[ssh.1]
missing letter in previous;
2012-09-07 11:21:03 +10:00
92a39cfa09
- dtucker@cvs.openbsd.org 2012/09/06 09:50:13
...
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
(note: previous commit with this description was a mistake on my part while
pulling changes from OpenBSD)
2012-09-07 11:20:20 +10:00
241995382e
bz#2039: add acknowledgement of the original authors of the ECDSA SSHFP DNS
...
work. From Ondřej Surý.
2012-09-07 10:44:34 +10:00
29bf4040b4
- dtucker@cvs.openbsd.org 2012/09/06 09:50:13
...
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
2012-09-06 21:26:34 +10:00
50a48d025f
- dtucker@cvs.openbsd.org 2012/09/06 04:37:39
...
[clientloop.c log.c ssh.1 log.h]
Add ~v and ~V escape sequences to raise and lower the logging level
respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
00c1518a4d
- djm@cvs.openbsd.org 2012/08/17 01:30:00
...
[compat.c sshconnect.c]
Send client banner immediately, rather than waiting for the server to
move first for SSH protocol 2 connections (the default). Patch based on
one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
2012-09-06 21:21:56 +10:00
f09a8a6c6d
- djm@cvs.openbsd.org 2012/08/17 01:25:58
...
[ssh-keygen.c]
print details of which host lines were deleted when using
"ssh-keygen -R host"; ok markus@
2012-09-06 21:20:39 +10:00
ae608bdd83
- djm@cvs.openbsd.org 2012/08/17 01:22:56
...
[kex.c]
add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change
2012-09-06 21:19:51 +10:00
66cb0e0733
- dtucker@cvs.openbsd.org 2012/08/17 00:45:45
...
[clientloop.c clientloop.h mux.c]
Force a clean shutdown of ControlMaster client sessions when the ~. escape
sequence is used. This means that ~. should now work in mux clients even
if the server is no longer responding. Found by tedu, ok djm.
2012-09-06 21:19:05 +10:00
3ee50c5d9f
- jmc@cvs.openbsd.org 2012/08/15 18:25:50
...
[ssh-keygen.1]
a little more info on certificate validity;
requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
23e4b80a60
- (dtucker) [moduli] Import new moduli file.
2012-08-30 10:42:47 +10:00
4eb0a532ef
- (djm) Release openssh-6.1
2012-08-29 10:26:20 +10:00
318541854f
- (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
...
for compatibility with future mingw-w64 headers. Patch from vinschen at
redhat com.
2012-08-28 19:57:19 +10:00
39a9d2c933
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers
2012-08-22 21:57:13 +10:00
38fe66230f
- markus@cvs.openbsd.org 2012/07/22 18:19:21
...
[version.h]
openssh 6.1
2012-07-31 12:23:16 +10:00
46cb75a258
- dtucker@cvs.openbsd.org 2012/07/13 01:35:21
...
[servconf.c]
handle long comments in config files better. bz#2025, ok markus
2012-07-31 12:22:37 +10:00
1cce103b3e
fix truncated entry
2012-07-31 12:22:18 +10:00
5a5c2b9063
- djm@cvs.openbsd.org 2012/07/10 02:19:15
...
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
2012-07-31 12:21:34 +10:00
709a1e90d9
- jmc@cvs.openbsd.org 2012/07/06 06:38:03
...
[ssh-keygen.c]
missing full stop in usage();
2012-07-31 12:20:43 +10:00
d809a4bc28
Import regened moduli file.
2012-07-20 10:42:06 +10:00
fff9f095e2
- djm@cvs.openbsd.org 2012/07/06 01:47:38
...
[ssh.c]
move setting of tty_flag to after config parsing so RequestTTY options
are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
ok dtucker@
2012-07-06 13:45:01 +10:00
ab523b0246
- djm@cvs.openbsd.org 2012/07/06 01:37:21
...
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
2012-07-06 13:44:43 +10:00
dfceafe8b1
- dtucker@cvs.openbsd.org 2012/07/06 00:41:59
...
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
77eab7b024
- (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
...
unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
esperi.org.uk; ok dtucker@
2012-07-06 11:49:28 +10:00
a0433a7096
- (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
...
not available. Allows use of sshd compiled on host with a filter-capable
kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-07-06 10:27:10 +10:00
34f702ae64
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
...
platforms that don't have it. "looks good" tim@
2012-07-04 08:50:09 +10:00
d545a4b974
- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
...
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
benefit is minor, so it's not worth disabling the sandbox if it doesn't
work.
2012-07-03 22:48:31 +10:00
60395f91c6
- (dtucker) [configure.ac] Detect platforms that can't use select(2) with
...
setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
2012-07-03 14:31:18 +10:00
6ea5dc6bb8
- (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.
2012-07-03 01:11:28 +10:00
ec1e15d51a
- (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
...
Move cygwin detection to test-exec and use to skip reexec test on cygwin.
2012-07-03 01:06:49 +10:00
369ceedce2
- dtucker@cvs.openbsd.org 2012/07/02 14:37:06
...
[regress/connect-privsep.sh]
remove exit from end of test since it prevents reporting failure
2012-07-03 00:53:18 +10:00
4908d44e67
- dtucker@cvs.openbsd.org 2012/07/02 12:13:26
...
[ssh-pkcs11-helper.c sftp-client.c]
fix a couple of "assigned but not used" warnings. ok markus@
2012-07-02 22:15:38 +10:00
7b30501bf5
- dtucker@cvs.openbsd.org 2012/07/02 08:50:03
...
[ssh.c]
set interactive ToS for forwarded X11 sessions. ok djm@
2012-07-02 18:55:09 +10:00
3b4b2d3021
- markus@cvs.openbsd.org 2012/06/30 14:35:09
...
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@
2012-07-02 18:54:31 +10:00
ecbf14aa53
- naddy@cvs.openbsd.org 2012/06/29 13:57:25
...
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one;
ok dtucker@
2012-07-02 18:53:37 +10:00
14a9d2515b
- (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
...
the required functions in libcrypto.
2012-06-30 20:05:02 +10:00
3886f95d42
- (dtucker) [myproposal.h] Remove trailing backslash to fix compile error
2012-06-30 19:47:01 +10:00
a08c20763a
- dtucker@cvs.openbsd.org 2012/06/28 05:07:45
...
[regress/try-ciphers.sh regress/cipher-speed.sh]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus
2012-06-30 15:08:53 +10:00
2920bc145c
- dtucker@cvs.openbsd.org 2012/06/26 12:06:59
...
[regress/connect-privsep.sh]
test sandbox with every malloc option
2012-06-30 15:06:28 +10:00
Damien Miller
Darren Tucker
Tim Rice