since it's only applicable to SSH1 and thus no longer used. ok markus@
"kill it with fire" djm@
OpenBSD-Commit-ID: ea13318b1937795d9db4790d3ce0a6ed01584dab
Check if flags to mmap and madvise are defined before using them.
Should fix problems building on older Linux systems that don't have
these. bz#3537, with & ok djm@.
-Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm
selection. bz3493 ok dtucker@
OpenBSD-Commit-ID: e6e07fe21318a873bd877f333e189eb963a11b3d
effective configuration without attempting to load private keys and perform
other checks. This allows usage of the option before keys have been
generated.
bz3460 feedback/ok dtucker@
OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29
so the recently-added ones will result in the test not cleaning up
after itself. Patch from cjwatson at debian.org vi bz#3536.
OpenBSD-Regress-ID: 1fc8283568f5bf2f918517c2c1e778072cf61b1a
Linux mmap(2) and madvise(2) syscalls support quite a number of funky
flags that we don't expect that sshd/libc will ever need. We can
exclude this kernel attack surface by filtering the mmap(2) flags
and the madvise(2) advice arguments.
Similarly, the sandboxed process in sshd is a single-threaded program
that does not use shared memory for synchronisation or communication.
Therefore, there should be no reason for the advanced priority
inheritance futex(2) operations to be necessary. These can also be
excluded.
Motivated by Jann Horn pointing out that there have been kernel bugs
in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and
CVE-2022-42703.
Feedback Jann Horn, ok dtucker@
Minix 3's Unix domain sockets don't seem to work the way we expect, so
skip connection-timeout test on that platform. While there, group
together all similarly skipped tests and explicitly comment.
../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
be too fragile, we'll see if we need a different approach. The resulting sshd
binary is tested with the new sshd -V option before installation. As the
binary layout is now semi-unknown (meaning relative, fixed, and gadget
offsets are not precisely known), change the filesystem permissions to 511 to
prevent what I call "logged in BROP". I have ideas for improving this further
but this is a first step ok djm
OpenBSD-Commit-ID: 1e0a2692b7e20b126dda60bf04999d1d30d959d8
exactly the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;
bz3523; ok dtucker@
OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0
again. This was missed when the fallthrough in the switch case above it was
removed. OK deraadt@
OpenBSD-Commit-ID: 5583e5d8f6d62a8a4215cfa95a69932f344c8120
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.
ok markus@
OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
(20221122) and change the import approach to the same one we use for
Streamlined NTRUPrime: use a shell script to extract the bits we need from
SUPERCOP, make some minor adjustments and squish them all into a single file.
ok tb@ tobhe@
OpenBSD-Commit-ID: 1bc0fd624cb6af440905b8ba74ac7c03311b8e3b
OpenSSL (since we use it to compute the hash), put the hash at the end and
just omit it if we don't have it. Prompted by bz#3521.
OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
When setting up the CI environment, retry package installation 3 times
before going up. Should help prevent spurious failures during
infrastructure issues.
commit to add scp to the test sshd's path causes the t-envpass test to fail
when the test scp is given using a fully qualified path. Put this in a
helper function and only call it from the scp tests.
OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
changes; ok dtucker@
OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614
dtucker@openbsd.org
jmc@openbsd.org
Darren Tucker
djm@openbsd.org
Damien Miller
deraadt@openbsd.org
millert@openbsd.org