302889a1b0
- markus@cvs.openbsd.org 2012/09/17 13:04:11
...
[packet.c]
clear old keys on rekeing; ok djm
2012-10-05 10:42:53 +10:00
0af2405ebf
- (dtucker) OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2012/09/17 09:54:44
[sftp.c]
an XXX for later
2012-10-05 10:41:25 +10:00
26b9e3b0c5
- markus@cvs.openbsd.org 2012/09/14 16:51:34
...
[sshconnect.c]
remove unused variable
2012-09-17 13:25:44 +10:00
bb6cc07cf4
- dtucker@cvs.openbsd.org 2012/09/13 23:37:36
...
[servconf.c]
Fix comment line length
2012-09-17 13:25:06 +10:00
86dc9b4110
Fix author's name for RFC6594 SSHFP change
2012-09-07 18:08:23 +10:00
48bf4b0ca3
- dtucker@cvs.openbsd.org 2012/09/07 06:34:21
...
[clientloop.c]
when muxmaster is run with -N, make it shut down gracefully when a client
sends it "-O stop" rather than hanging around (bz#1985). ok djm@
2012-09-07 16:38:53 +10:00
ca0d0fd806
- dtucker@cvs.openbsd.org 2012/09/07 01:10:21
...
[clientloop.c]
Merge escape help text for ~v and ~V; ok djm@
2012-09-07 11:22:24 +10:00
f111d40604
- dtucker@cvs.openbsd.org 2012/09/07 00:30:19
...
[clientloop.c]
Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@
2012-09-07 11:21:42 +10:00
83d0af6907
- jmc@cvs.openbsd.org 2012/09/06 13:57:42
...
[ssh.1]
missing letter in previous;
2012-09-07 11:21:03 +10:00
92a39cfa09
- dtucker@cvs.openbsd.org 2012/09/06 09:50:13
...
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
(note: previous commit with this description was a mistake on my part while
pulling changes from OpenBSD)
2012-09-07 11:20:20 +10:00
241995382e
bz#2039: add acknowledgement of the original authors of the ECDSA SSHFP DNS
...
work. From Ondřej Surý.
2012-09-07 10:44:34 +10:00
29bf4040b4
- dtucker@cvs.openbsd.org 2012/09/06 09:50:13
...
[clientloop.c]
Make the escape command help (~?) context sensitive so that only commands
that will work in the current session are shown. ok markus@
2012-09-06 21:26:34 +10:00
50a48d025f
- dtucker@cvs.openbsd.org 2012/09/06 04:37:39
...
[clientloop.c log.c ssh.1 log.h]
Add ~v and ~V escape sequences to raise and lower the logging level
respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
00c1518a4d
- djm@cvs.openbsd.org 2012/08/17 01:30:00
...
[compat.c sshconnect.c]
Send client banner immediately, rather than waiting for the server to
move first for SSH protocol 2 connections (the default). Patch based on
one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
2012-09-06 21:21:56 +10:00
f09a8a6c6d
- djm@cvs.openbsd.org 2012/08/17 01:25:58
...
[ssh-keygen.c]
print details of which host lines were deleted when using
"ssh-keygen -R host"; ok markus@
2012-09-06 21:20:39 +10:00
ae608bdd83
- djm@cvs.openbsd.org 2012/08/17 01:22:56
...
[kex.c]
add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change
2012-09-06 21:19:51 +10:00
66cb0e0733
- dtucker@cvs.openbsd.org 2012/08/17 00:45:45
...
[clientloop.c clientloop.h mux.c]
Force a clean shutdown of ControlMaster client sessions when the ~. escape
sequence is used. This means that ~. should now work in mux clients even
if the server is no longer responding. Found by tedu, ok djm.
2012-09-06 21:19:05 +10:00
3ee50c5d9f
- jmc@cvs.openbsd.org 2012/08/15 18:25:50
...
[ssh-keygen.1]
a little more info on certificate validity;
requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
23e4b80a60
- (dtucker) [moduli] Import new moduli file.
2012-08-30 10:42:47 +10:00
4eb0a532ef
- (djm) Release openssh-6.1
2012-08-29 10:26:20 +10:00
318541854f
- (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
...
for compatibility with future mingw-w64 headers. Patch from vinschen at
redhat com.
2012-08-28 19:57:19 +10:00
39a9d2c933
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers
2012-08-22 21:57:13 +10:00
38fe66230f
- markus@cvs.openbsd.org 2012/07/22 18:19:21
...
[version.h]
openssh 6.1
2012-07-31 12:23:16 +10:00
46cb75a258
- dtucker@cvs.openbsd.org 2012/07/13 01:35:21
...
[servconf.c]
handle long comments in config files better. bz#2025, ok markus
2012-07-31 12:22:37 +10:00
1cce103b3e
fix truncated entry
2012-07-31 12:22:18 +10:00
5a5c2b9063
- djm@cvs.openbsd.org 2012/07/10 02:19:15
...
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
2012-07-31 12:21:34 +10:00
709a1e90d9
- jmc@cvs.openbsd.org 2012/07/06 06:38:03
...
[ssh-keygen.c]
missing full stop in usage();
2012-07-31 12:20:43 +10:00
d809a4bc28
Import regened moduli file.
2012-07-20 10:42:06 +10:00
fff9f095e2
- djm@cvs.openbsd.org 2012/07/06 01:47:38
...
[ssh.c]
move setting of tty_flag to after config parsing so RequestTTY options
are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
ok dtucker@
2012-07-06 13:45:01 +10:00
ab523b0246
- djm@cvs.openbsd.org 2012/07/06 01:37:21
...
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
2012-07-06 13:44:43 +10:00
dfceafe8b1
- dtucker@cvs.openbsd.org 2012/07/06 00:41:59
...
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
77eab7b024
- (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
...
unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
esperi.org.uk; ok dtucker@
2012-07-06 11:49:28 +10:00
a0433a7096
- (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
...
not available. Allows use of sshd compiled on host with a filter-capable
kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-07-06 10:27:10 +10:00
34f702ae64
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
...
platforms that don't have it. "looks good" tim@
2012-07-04 08:50:09 +10:00
d545a4b974
- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
...
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
benefit is minor, so it's not worth disabling the sandbox if it doesn't
work.
2012-07-03 22:48:31 +10:00
60395f91c6
- (dtucker) [configure.ac] Detect platforms that can't use select(2) with
...
setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
2012-07-03 14:31:18 +10:00
6ea5dc6bb8
- (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.
2012-07-03 01:11:28 +10:00
ec1e15d51a
- (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
...
Move cygwin detection to test-exec and use to skip reexec test on cygwin.
2012-07-03 01:06:49 +10:00
369ceedce2
- dtucker@cvs.openbsd.org 2012/07/02 14:37:06
...
[regress/connect-privsep.sh]
remove exit from end of test since it prevents reporting failure
2012-07-03 00:53:18 +10:00
4908d44e67
- dtucker@cvs.openbsd.org 2012/07/02 12:13:26
...
[ssh-pkcs11-helper.c sftp-client.c]
fix a couple of "assigned but not used" warnings. ok markus@
2012-07-02 22:15:38 +10:00
7b30501bf5
- dtucker@cvs.openbsd.org 2012/07/02 08:50:03
...
[ssh.c]
set interactive ToS for forwarded X11 sessions. ok djm@
2012-07-02 18:55:09 +10:00
3b4b2d3021
- markus@cvs.openbsd.org 2012/06/30 14:35:09
...
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@
2012-07-02 18:54:31 +10:00
ecbf14aa53
- naddy@cvs.openbsd.org 2012/06/29 13:57:25
...
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one;
ok dtucker@
2012-07-02 18:53:37 +10:00
14a9d2515b
- (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
...
the required functions in libcrypto.
2012-06-30 20:05:02 +10:00
3886f95d42
- (dtucker) [myproposal.h] Remove trailing backslash to fix compile error
2012-06-30 19:47:01 +10:00
a08c20763a
- dtucker@cvs.openbsd.org 2012/06/28 05:07:45
...
[regress/try-ciphers.sh regress/cipher-speed.sh]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus
2012-06-30 15:08:53 +10:00
2920bc145c
- dtucker@cvs.openbsd.org 2012/06/26 12:06:59
...
[regress/connect-privsep.sh]
test sandbox with every malloc option
2012-06-30 15:06:28 +10:00
ff32d7c9d2
- djm@cvs.openbsd.org 2012/06/01 00:52:52
...
[regress/sftp-cmds.sh]
don't delete .* on cleanup due to unintended env expansion; pointed out in
bz#2014 by openssh AT roumenpetrov.info
2012-06-30 15:04:13 +10:00
4430a86c14
- djm@cvs.openbsd.org 2012/06/01 00:47:35
...
[multiplex.sh forwarding.sh]
append to rather than truncate test log; bz#2013 from openssh AT
roumenpetrov.
2012-06-30 15:03:28 +10:00
301390316c
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
...
[regress/addrmatch.sh]
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
2012-06-30 15:01:22 +10:00
ee3c196ec7
- naddy@cvs.openbsd.org 2012/06/29 13:57:25
...
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one; ok dtucker@
(actual patch accidentally committed with previous)
2012-06-30 08:35:59 +10:00
db4f8e8618
- dtucker@cvs.openbsd.org 2012/06/28 05:07:45
...
[mac.c myproposal.h ssh_config.5 sshd_config.5]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus.
2012-06-30 08:34:59 +10:00
560de922b1
- dtucker@cvs.openbsd.org 2012/06/26 11:02:30
...
[sandbox-systrace.c]
Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
sandbox" since malloc now uses it. From johnw.mail at gmail com.
2012-06-30 08:33:53 +10:00
ea8582931f
- dtucker@cvs.openbsd.org 2012/06/22 14:36:33
...
[sftp.c]
Remove unused variable leftover from tab-completion changes.
From Steve.McClellan at radisys com, ok markus@
2012-06-30 08:33:32 +10:00
5f58a87768
- dtucker@cvs.openbsd.org 2012/06/22 12:30:26
...
[monitor.c sshconnect2.c]
remove dead code following 'for (;;)' loops.
From Steve.McClellan at radisys com, ok markus@
2012-06-30 08:33:17 +10:00
97f43bbfc9
- dtucker@cvs.openbsd.org 2012/06/21 00:16:07
...
[addrmatch.c]
fix strlcpy truncation check. from carsten at debian org, ok markus
2012-06-30 08:32:29 +10:00
8908da7dce
- (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022 : prevent null
...
pointer deref in the client when built with LDNS and using DNSSEC with a
CNAME. Patch from gregdlg+mr at hochet info.
2012-06-28 15:21:32 +10:00
62dcd63f5e
- (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
...
can logon as a service. Patch from vinschen at redhat com.
2012-06-22 22:02:42 +10:00
6c6da33d31
- djm@cvs.openbsd.org 2012/06/20 04:42:58
...
[clientloop.c serverloop.c]
initialise accept() backoff timer to avoid EINVAL from select(2) in
rekeying
2012-06-20 22:31:26 +10:00
f8268503d1
- jmc@cvs.openbsd.org 2012/06/19 21:35:54
...
[sshd_config.5]
tweak previous; ok markus
2012-06-20 21:54:15 +10:00
c24da77015
- markus@cvs.openbsd.org 2012/06/19 18:25:28
...
[servconf.c servconf.h sshd_config.5]
sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)
2012-06-20 21:53:58 +10:00
36378c6413
- dtucker@cvs.openbsd.org 2012/06/18 12:17:18
...
[ssh.1]
Clarify description of -W. Noted by Steve.McClellan at radisys com, ok jmc
2012-06-20 21:53:25 +10:00
b9902cf6f6
- dtucker@cvs.openbsd.org 2012/06/18 12:07:07
...
[ssh.1 sshd.8]
Remove mention of 'three' key files since there are now four. From
Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
7192433633
- dtucker@cvs.openbsd.org 2012/06/18 11:49:58
...
[ssh_config.5]
RSA instead of DSA twice. From Steve.McClellan at radisys com
2012-06-20 21:52:38 +10:00
276dcfd7f7
- dtucker@cvs.openbsd.org 2012/06/18 11:43:53
...
[jpake.c]
correct sizeof usage. patch from saw at online.de, ok deraadt
2012-06-20 21:52:18 +10:00
2e7decfcc0
- djm@cvs.openbsd.org 2012/06/01 01:01:22
...
[mux.c]
fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg
AT googlemail.com
2012-06-20 21:52:00 +10:00
7f12157c0a
- djm@cvs.openbsd.org 2012/06/01 00:49:35
...
[PROTOCOL.mux]
correct types of port numbers (integers, not strings); bz#2004 from
bert.wesarg AT googlemail.com
2012-06-20 21:51:29 +10:00
3bde12aeef
- djm@cvs.openbsd.org 2012/05/23 03:28:28
...
[dns.c dns.h key.c key.h ssh-keygen.c]
add support for RFC6594 SSHFP DNS records for ECDSA key types.
patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-06-20 21:51:11 +10:00
ac58ce86e6
- djm@cvs.openbsd.org 2012/01/07 21:11:36
...
[mux.c]
fix double-free in new session handler
NB. Id sync only
2012-06-20 21:50:47 +10:00
140df63e1f
- djm@cvs.openbsd.org 2011/12/04 23:16:12
...
[mux.c]
revert:
> revision 1.32
> date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
> fix bz#1948: ssh -f doesn't fork for multiplexed connection.
> ok dtucker@
it interacts badly with ControlPersist
2012-06-20 21:46:57 +10:00
efc6fc995d
- djm@cvs.openbsd.org 2011/12/02 00:41:56
...
[mux.c]
fix bz#1948: ssh -f doesn't fork for multiplexed connection.
ok dtucker@
2012-06-20 21:44:56 +10:00
ba9ea3200d
- dtucker@cvs.openbsd.org 2012/05/19 06:30:30
...
[sshd_config.5]
Document PermitOpen none. bz#2001, patch from Loganaden Velvindron
2012-05-19 19:37:33 +10:00
fbcf827559
- (dtucker) OpenBSD CVS Sync
...
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
[servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
2012-05-19 19:37:01 +10:00
593538911a
- (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find
...
pkg-config so it does the right thing when cross-compiling. Patch from
cjwatson at debian org.
2012-05-19 15:24:37 +10:00
d0494fdb29
- (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch
...
from cjwatson at debian org.
2012-05-19 14:25:39 +10:00
e1a3ddf992
- (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h>
...
to fix building on some plaforms. Fom bowman at math utah edu and
des at des no.
2012-05-04 11:05:45 +10:00
d0d3fff483
- (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6
...
platform rather than exiting early, so that we still clean up and return
status to test-exec.sh
2012-04-27 10:55:39 +10:00
025bfd11d9
- (djm) [auth-krb5.c] Save errno across calls that might modify it;
...
ok dtucker@
2012-04-26 09:52:15 +10:00
7584cb1ac4
- (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters
...
via Niels
2012-04-26 09:51:26 +10:00
ba77e1f673
- djm@cvs.openbsd.org 2012/04/23 08:18:17
...
[channels.c]
fix function proto/source mismatch
2012-04-23 18:21:05 +10:00
70b2d5550b
- jmc@cvs.openbsd.org 2012/04/20 16:26:22
...
[ssh.1]
use "brackets" instead of "braces", for consistency;
2012-04-22 11:26:10 +10:00
4922315d1d
- djm@cvs.openbsd.org 2012/04/20 03:24:23
...
[sftp.c]
setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)
2012-04-22 11:25:47 +10:00
8fef9ebbab
- djm@cvs.openbsd.org 2012/04/12 02:43:55
...
[sshd_config sshd_config.5]
mention AuthorizedPrincipalsFile=none default
2012-04-22 11:25:10 +10:00
23528816dc
- djm@cvs.openbsd.org 2012/04/12 02:42:32
...
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@
2012-04-22 11:24:43 +10:00
839f743464
- djm@cvs.openbsd.org 2012/04/11 13:34:17
...
[ssh-keyscan.1 ssh-keyscan.c]
now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
look for them by default; bz#1971
2012-04-22 11:24:21 +10:00
a116d13c4d
- djm@cvs.openbsd.org 2012/04/11 13:26:40
...
[sshd.c]
don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@
2012-04-22 11:23:46 +10:00
9fed161e67
- djm@cvs.openbsd.org 2012/04/11 13:17:54
...
[auth.c]
Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.
2012-04-22 11:21:43 +10:00
a6508753db
- djm@cvs.openbsd.org 2012/04/11 13:16:19
...
[channels.c channels.h clientloop.c serverloop.c]
don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@
2012-04-22 11:21:10 +10:00
c6081482b2
- dtucker@cvs.openbsd.org 2012/03/29 23:54:36
...
[channels.c channels.h servconf.c]
Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949 ). ok djm@
2012-04-22 11:18:53 +10:00
48348fc3b4
- djm@cvs.openbsd.org 2012/03/28 07:23:22
...
[PROTOCOL.certkeys]
explain certificate extensions/crit split rationale. Mention requirement
that each appear at most once per cert.
2012-04-22 11:08:30 +10:00
29cd188887
- guenther@cvs.openbsd.org 2012/03/15 03:10:27
...
[session.c]
root should always be excluded from the test for /etc/nologin instead
of having it always enforced even when marked as ignorenologin. This
regressed when the logic was incompletely flipped around in rev 1.251
ok halex@ millert@
2012-04-22 11:08:10 +10:00
a563cced06
- djm@cvs.openbsd.org 2012/02/29 11:21:26
...
[ssh-keygen.c]
allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-04-22 11:07:28 +10:00
d5dacb43fa
- (djm) Release openssh-6.0
2012-04-20 15:01:01 +10:00
bf2304167b
- (djm) [README] Update URL to release notes.
2012-04-20 14:11:04 +10:00
8beb320390
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update for release 6.0
2012-04-20 10:58:34 +10:00
398c0ffe0e
- (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil
...
contains openpty() but not login()
2012-04-19 21:46:35 +10:00
e0956e3834
- (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
...
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
and ok dtucker@
2012-04-04 11:27:54 +10:00
ce1ec9d4e2
- (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect
...
assumptions when building on Cygwin; patch from Corinna Vinschen
2012-03-30 14:07:05 +11:00
4d55734c16
- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
...
openssh binaries on a newer fix release than they were compiled on.
with and ok dtucker@
2012-03-30 11:34:27 +11:00
67ccc86506
- (dtucker) [contrib/redhat/openssh.spec] Bug #1992 : remove now-gone WARNING
...
file from spec file. From crighter at nuclioss com.
2012-03-30 10:19:56 +11:00
54c38d24c6
- (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6
...
addressed connections. ok dtucker@
2012-03-09 10:28:07 +11:00
7bf7b889b3
- (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux
...
systems where sshd is run in te wrong context. Patch from Sven
Vermeulen; ok dtucker@
2012-03-09 10:25:16 +11:00
93a2d41505
- (dtucker) [audit-bsm.c configure.ac] bug #1968 : enable workarounds for BSM
...
audit breakage in Solaris 11. Patch from Magnus Johansson.
2012-02-24 10:40:41 +11:00
a3f297de91
- (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote
...
to work. Spotted by Angel Gonzalez
2012-02-14 23:01:42 -08:00
f79b5d38a1
- (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so
...
it actually works.
2012-02-14 20:13:05 -08:00
e3609c935c
- (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
...
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
ok dtucker@
2012-02-14 10:03:30 -08:00
7b7901c330
- (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of
...
preserved Cygwin environment variables; from Corinna Vinschen
2012-02-14 06:38:36 +11:00
db854559be
- markus@cvs.openbsd.org 2012/02/09 20:00:18
...
[version.h]
move from 6.0-beta to 6.0
2012-02-11 08:19:44 +11:00
72de982def
- markus@cvs.openbsd.org 2012/01/25 19:40:09
...
[packet.c packet.h]
packet_read_poll() is not used anymore.
2012-02-11 08:19:21 +11:00
5d0077008f
- markus@cvs.openbsd.org 2012/01/25 19:36:31
...
[authfile.c]
memleak in key_load_file(); from Jan Klemkow
2012-02-11 08:19:02 +11:00
1de2cfe9a9
- markus@cvs.openbsd.org 2012/01/25 19:26:43
...
[packet.c]
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@
2012-02-11 08:18:43 +11:00
8d60be5487
- dtucker@cvs.openbsd.org 2012/01/18 21:46:43
...
[clientloop.c]
Ensure that $DISPLAY contains only valid characters before using it to
extract xauth data so that it can't be used to play local shell
metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
2012-02-11 08:18:17 +11:00
fb12c6d8bb
- miod@cvs.openbsd.org 2012/01/16 20:34:09
...
[ssh-pkcs11-client.c]
Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
While there, be sure to buffer_clear() between send_msg() and recv_msg().
ok markus@
2012-02-11 08:17:52 +11:00
83ba8e6056
- miod@cvs.openbsd.org 2012/01/08 13:17:11
...
[ssh-ecdsa.c]
Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron,
ok markus@
2012-02-11 08:17:27 +11:00
2ec0342ed4
- djm@cvs.openbsd.org 2012/01/07 21:11:36
...
[mux.c]
fix double-free in new session handler
2012-02-11 08:16:28 +11:00
a2876db5e6
- djm@cvs.openbsd.org 2012/01/05 00:16:56
...
[monitor.c]
memleak on error path
2012-02-11 08:16:06 +11:00
b56e4930ae
- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
...
that don't support ECC. Patch from Phil Oleson
2012-02-06 07:41:27 +11:00
e9b3ad73ba
- (dtucker) [configure.ac mac.c openbsd-compat/openssl-compat.h] Add
...
null implementation of HMAC_CTX_init for the benefit of old versions
of OpenSSL that don't have it.
2012-01-17 14:03:34 +11:00
8ed4de8f1d
- djm@cvs.openbsd.org 2011/12/07 05:44:38
...
[auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@
2011-12-19 10:52:50 +11:00
913ddff40d
- djm@cvs.openbsd.org 2011/12/04 23:16:12
...
[mux.c]
revert:
> revision 1.32
> date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
> fix bz#1948: ssh -f doesn't fork for multiplexed connection.
> ok dtucker@
it interacts badly with ControlPersist
2011-12-19 10:52:21 +11:00
d0e582c6da
- djm@cvs.openbsd.org 2011/12/02 00:43:57
...
[mac.c]
fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before
HMAC_init (this change in policy seems insane to me)
ok dtucker@
2011-12-19 10:51:39 +11:00
5360dff2a0
- djm@cvs.openbsd.org 2011/12/02 00:41:56
...
[mux.c]
fix bz#1948: ssh -f doesn't fork for multiplexed connection.
ok dtucker@
2011-12-19 10:51:11 +11:00
47d8115e53
- oga@cvs.openbsd.org 2011/11/16 12:24:28
...
[sftp.c]
Don't leak list in complete_cmd_parse if there are no commands found.
Discovered when I was ``borrowing'' this code for something else.
ok djm@
2011-11-25 13:53:48 +11:00
4a725ef6a5
- (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@
2011-11-21 16:38:48 +11:00
aa3cbd1b5b
- (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in
...
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr)
with some rework from myself and djm. ok djm.
2011-11-04 11:25:24 +11:00
be4032ba1e
- dtucker@cvs.openbsd.org 011/11/04 00:09:39
...
[moduli]
regenerated moduli file; ok deraadt
2011-11-04 11:16:06 +11:00
9c5d553d58
- djm@cvs.openbsd.org 2011/10/24 02:13:13
...
[session.c]
bz#1859: send tty break to pty master instead of (probably already
closed) slave side; "looks good" markus@
2011-11-04 10:55:24 +11:00
2d6665d944
- djm@cvs.openbsd.org 2011/10/24 02:10:46
...
[ssh.c]
bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh
was incorrectly requesting the forward in both the control master and
slave. skip requesting it in the master to fix. ok markus@
2011-11-04 10:54:22 +11:00
8a057953d2
- djm@cvs.openbsd.org 2011/10/19 10:39:48
...
[umac.c]
typo in comment; patch from Michael W. Bombardieri
2011-11-04 10:53:31 +11:00
9ee09cfce6
- djm@cvs.openbsd.org 2011/10/19 00:06:10
...
[moduli.c]
s/tmpfile/tmp/ to make this -Wshadow clean
2011-11-04 10:52:43 +11:00
e68cf84ac8
- djm@cvs.openbsd.org 2011/10/18 23:37:42
...
[ssh-add.c]
add -k to usage(); reminded by jmc@
2011-11-04 10:51:51 +11:00
45c66d7ad4
- djm@cvs.openbsd.org 2011/10/18 05:15:28
...
[ssh.c]
ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
2011-11-04 10:50:40 +11:00
9f157abbb6
- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file
...
fails. Patch from Corinna Vinschen.
2011-10-25 09:37:57 +11:00
8f4279e4ab
- djm@cvs.openbsd.org 2011/10/18 05:00:48
...
[ssh-add.1 ssh-add.c]
new "ssh-add -k" option to load plain keys (skipping certificates);
"looks ok" markus@
2011-10-18 16:06:33 +11:00
c51a5ab2c6
- djm@cvs.openbsd.org 2011/10/18 04:58:26
...
[auth-options.c key.c]
remove explict search for \0 in packet strings, this job is now done
implicitly by buffer_get_cstring; ok markus
2011-10-18 16:06:14 +11:00
91f3eaec88
- stsp@cvs.openbsd.org 2011/10/16 15:51:39
...
[moduli.c]
add missing includes to unbreak tree; fix from rpointel
2011-10-18 16:05:55 +11:00
927d82bc6a
- jmc@cvs.openbsd.org 2011/10/16 15:02:41
...
[ssh-keygen.c]
put -K in the right place (usage());
2011-10-18 16:05:38 +11:00
390d0561fc
- dtucker@cvs.openbsd.org 2011/10/16 11:02:46
...
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add optional checkpoints for moduli screening. feedback & ok deraadt
2011-10-18 16:05:19 +11:00
d3e6990c4c
- djm@cvs.openbsd.org 2011/10/04 14:17:32
...
[sftp-glob.c]
silence error spam for "ls */foo" in directory with files; bz#1683
2011-10-18 16:04:57 +11:00
2e13560ff5
- djm@cvs.openbsd.org 2011/09/30 21:22:49
...
[sshd.c]
fix inverted test that caused logspam; spotted by henning@
2011-10-02 19:10:13 +11:00
95125e5f43
ChangeLog entry for sshd.c rev 1.409
2011-10-02 19:09:07 +11:00
af1a60ec4f
- djm@cvs.openbsd.org 2011/09/25 05:44:47
...
[auth2-pubkey.c]
improve the AuthorizedPrincipalsFile debug log message to include
file and line number
2011-10-02 18:59:59 +11:00
68afb8c5f2
- markus@cvs.openbsd.org 2011/09/23 07:45:05
...
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h]
unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@
2011-10-02 18:59:03 +11:00
1338b9e067
- dtucker@cvs.openbsd.org 2011/09/23 00:22:04
...
[channels.c auth-options.c servconf.c channels.h sshd.8]
Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857 , ok djm markus.
2011-10-02 18:57:35 +11:00
036876cd7d
- (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm
2011-10-01 18:46:12 +10:00
b54f50e5d0
- (dtucker) [configure.ac openbsd-compat/Makefile.in
...
openbsd-compat/strnlen.c] Add strnlen to the compat library.
2011-09-29 23:17:18 +10:00
5ffe1c4b43
- (djm) [configure.ac defines.h] No need to detect sizeof(char); patch
...
from des AT des.no
2011-09-29 11:11:51 +10:00
d1a74580f8
- (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion
...
of static __findenv() function from upstream setenv.c
2011-09-23 11:26:34 +10:00
3e6fe87ef9
- otto@cvs.openbsd.org 2008/12/09 19:38:38
...
[openbsd-compat/inet_ntop.c]
fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon
2011-09-23 11:16:09 +10:00
64efe9671d
- (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid
...
marker. The upstream API has changed (function and structure names)
enough to put it out of sync with other providers of this interface.
2011-09-23 11:13:00 +10:00
4888671343
- (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version.
...
The file was totally rewritten between what we had in tree and -current.
2011-09-23 10:56:29 +10:00
3a359b3228
- millert@cvs.openbsd.org 2008/08/21 16:54:44
...
[mktemp.c]
Remove useless code, the kernel will set errno appropriately if an
element in the path does not exist. OK deraadt@ pvalchev@
2011-09-23 10:47:29 +10:00
dc0e09b41c
- deraadt@cvs.openbsd.org 2008/07/22 21:47:45
...
[mktemp.c]
use arc4random_uniform(); ok djm millert
2011-09-23 10:46:48 +10:00
cd92790fcb
- (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the
...
upstream version is YPified and we don't want this
2011-09-23 10:44:03 +10:00
834e820317
- tobias@cvs.openbsd.org 2007/10/21 11:09:30
...
[mktemp.c]
Comment fix about time consumption of _gettemp.
FreeBSD did this in revision 1.20.
OK deraadt@, krw@
2011-09-23 10:42:02 +10:00
acdf3fbdba
- (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no
...
longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
want this longhand version)
2011-09-23 10:40:50 +10:00
add1e20802
- millert@cvs.openbsd.org 2006/05/05 15:27:38
...
[strlcpy.c]
Convert do {} while loop -> while {} for clarity. No binary change
on most architectures. From Oliver Smith. OK deraadt@ and henning@
2011-09-23 10:38:01 +10:00
d7be70d052
- djm@cvs.openbsd.org 2011/09/22 06:29:03
...
[sftp.c]
don't let remote_glob() implicitly sort its results in do_globbed_ls() -
in all likelihood, they will be resorted anyway
2011-09-22 21:43:06 +10:00
57c38ac7d5
- markus@cvs.openbsd.org 2011/09/12 08:46:15
...
[sftp-client.c]
fix leak in do_lsreaddir(); ok djm
2011-09-22 21:42:45 +10:00
3decdba425
- markus@cvs.openbsd.org 2011/09/11 16:07:26
...
[sftp-client.c]
fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron
2011-09-22 21:41:05 +10:00
1bcbd0a9de
- okan@cvs.openbsd.org 2011/09/11 06:59:05
...
[ssh.1]
document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
ff773644e6
- markus@cvs.openbsd.org 2011/09/10 22:26:34
...
[channels.c channels.h clientloop.c ssh.1]
support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@
2011-09-22 21:39:48 +10:00
f6dff7cd2f
- djm@cvs.openbsd.org 2011/09/09 22:46:44
...
[channels.c channels.h clientloop.h mux.c ssh.c]
support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00
9ee2c606c1
- djm@cvs.openbsd.org 2011/09/09 22:38:21
...
[sshd.c]
kill the preauth privsep child on fatal errors in the monitor;
ok markus@
2011-09-22 21:38:30 +10:00
0603d98b4e
- djm@cvs.openbsd.org 2011/09/09 22:37:01
...
[scp.c]
suppress adding '--' to remote commandlines when the first argument
does not start with '-'. saves breakage on some difficult-to-upgrade
embedded/router platforms; feedback & ok dtucker ok markus
2011-09-22 21:38:00 +10:00
4cb855b070
- djm@cvs.openbsd.org 2011/09/09 00:44:07
...
[PROTOCOL.mux]
MUX_C_CLOSE_FWD includes forward type in message (though it isn't
implemented anyway)
2011-09-22 21:37:38 +10:00
f6e758cdba
- djm@cvs.openbsd.org 2011/09/09 00:43:00
...
[ssh_config.5 sshd_config.5]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:37:13 +10:00
6232a16a9a
- deraadt@cvs.openbsd.org 2011/09/07 02:18:31
...
[ssh-keygen.1]
typo (they vs the) found by Lawrence Teo
2011-09-22 21:36:00 +10:00
e029673f1f
- jmc@cvs.openbsd.org 2011/09/05 07:01:44
...
[scp.1]
knock out a useless Ns;
2011-09-22 21:34:56 +10:00
2918e030fc
- djm@cvs.openbsd.org 2011/09/05 05:59:08
...
[misc.c]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:34:35 +10:00
e577772a89
- djm@cvs.openbsd.org 2011/09/05 05:56:13
...
[scp.1 sftp.1]
mention ControlPersist and KbdInteractiveAuthentication in the -o
verbiage in these pages too (prompted by jmc@)
2011-09-22 21:34:15 +10:00
efad727517
- djm@cvs.openbsd.org 2011/08/26 01:45:15
...
[ssh.1]
Add some missing ssh_config(5) options that can be used in ssh(1)'s
-o argument. Patch from duclare AT guu.fi
2011-09-22 21:33:53 +10:00
e128a50e35
- djm@cvs.openbsd.org 2011/09/22 06:27:29
...
[glob.c]
fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
applied only to the gl_pathv vector and not the corresponding gl_statv
array. reported in OpenSSH bz#1935; feedback and okay matthew@
2011-09-22 21:22:21 +10:00
c4bf7dde92
- stsp@cvs.openbsd.org 2011/09/20 10:18:46
...
[glob.c]
In glob(3), limit recursion during matching attempts. Similar to
fnmatch fix. Also collapse consecutive '*' (from NetBSD).
ok miod deraadt
2011-09-22 21:21:48 +10:00
e01a627047
- pyr@cvs.openbsd.org 2011/05/12 07:15:10
...
[openbsd-compat/glob.c]
When the max number of items for a directory has reached GLOB_LIMIT_READDIR
an error is returned but closedir() is not called.
spotted and fix provided by Frank Denis obsd-tech@pureftpd.org
ok otto@, millert@
2011-09-22 21:20:21 +10:00
e8a82c5faf
- (dtucker) [entropy.h] Bug #1932 : remove old definition of init_rng. From
...
Colin Watson.
2011-09-09 11:29:40 +10:00
022ee24197
- (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon
2011-09-07 09:15:02 +10:00
fb9d8173f0
- (djm) [README version.h] Correct version
2011-09-07 09:11:53 +10:00
8e4a71e952
- (djm) Release OpenSSH-5.9
2011-09-05 15:39:20 +10:00
86dcd3e45a
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers.
2011-09-05 10:29:04 +10:00
0dd24e02ec
- (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929 : add null implementations
...
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
6efd94f32e
- (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
...
regress errors for the sandbox to warnings. ok tim dtucker
2011-09-04 19:04:16 +10:00
58ac11a2bd
- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
...
to switch SELinux context away from unconfined_t, based on patch from
Jan Chadima; bz#1919 ok dtucker@
2011-08-29 16:09:52 +10:00
4438354870
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
2011-08-28 04:50:16 +10:00
a6e60616be
- (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze
2011-08-17 21:48:22 -07:00
2df1bec086
- (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2
...
MAC tests for platforms that hack EVP_SHA2 support
2011-08-17 12:25:46 +10:00
062fa30532
- djm@cvs.openbsd.org 2011/08/02 01:23:41
...
[regress/cipher-speed.sh regress/try-ciphers.sh]
add SHA256/SHA512 based HMAC modes
2011-08-17 12:10:02 +10:00
faf4d80420
- markus@cvs.openbsd.org 2011/06/30 22:44:43
...
[connect-privsep.sh]
test with sandbox enabled; ok djm@
2011-08-17 12:09:19 +10:00
9231c8bde4
- dtucker@cvs.openbsd.org 2011/06/03 05:35:10
...
[regress/cfgmatch.sh]
use OBJ to find test configs, patch from Tim Rice
2011-08-17 12:08:15 +10:00
44a6c9340a
- (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by
...
bisson AT archlinux.org
2011-08-17 12:01:44 +10:00
1a91c0f163
- (djm) [configure.ac] error out if the host lacks the necessary bits for
...
an explicitly requested sandbox type
2011-08-17 11:59:25 +10:00
9c08312968
- (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
...
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
2011-08-17 11:31:07 +10:00
a1226828ad
- (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for
...
OpenSSL 0.9.7. ok djm
2011-08-16 17:29:01 -07:00
d1eb1dd5ed
- (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the
...
identify file contained whitespace. bz#1828 patch from gwenael.lambrouin
AT gmail.com; ok dtucker@
2011-08-12 11:22:47 +10:00
2db9977c06
- (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init]
...
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES
init scrips from imorgan AT nas.nasa.gov
2011-08-12 11:02:35 +10:00
4d47ec9c89
- (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context
...
change error by reporting old and new context names Patch from
jchadima at redhat.
2011-08-12 10:12:53 +10:00
ddccfb4b98
- dtucker@cvs.openbsd.org 2011/08/07 12:55:30
...
[sftp.1]
typo, fix from Laurent Gautrot
2011-08-07 23:12:26 +10:00
91e6b57729
- jmc@cvs.openbsd.org 2010/10/14 20:41:28
...
[moduli.5]
probabalistic -> probabilistic; from naddy
2011-08-07 23:10:56 +10:00
f279474f1b
- sobrado@cvs.openbsd.org 2009/10/28 08:56:54
...
[moduli.5]
"Diffie-Hellman" is the usual spelling for the cryptographic protocol
first published by Whitfield Diffie and Martin Hellman in 1976.
ok jmc@
2011-08-07 23:10:11 +10:00
578451ddda
- (dtucker) OpenBSD CVS Sync
...
- jmc@cvs.openbsd.org 2008/06/26 06:59:39
[moduli.5]
tweak previous;
2011-08-07 23:09:20 +10:00
765f8c4eff
- djm@cvs.openbsd.org 2011/08/02 23:15:03
...
[ssh.c]
typo in comment
2011-08-06 06:18:16 +10:00
c471860d25
- djm@cvs.openbsd.org 2011/08/02 23:13:01
...
[version.h]
crank now, release later
2011-08-06 06:17:48 +10:00
20bd4535c0
- djm@cvs.openbsd.org 2011/08/02 01:22:11
...
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
adb467fb69
- markus@cvs.openbsd.org 2011/08/01 19:18:15
...
[gss-serv.c]
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
report Adam Zabrock; ok djm@, deraadt@
2011-08-06 06:16:46 +10:00
35e48198a8
- djm@cvs.openbsd.org 2011/07/29 14:42:45
...
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
2011-08-06 06:16:23 +10:00
6ea5e44871
- tedu@cvs.openbsd.org 2011/07/06 18:09:21
...
[authfd.c]
bzero the agent address. the kernel was for a while very cranky about
these things. evne though that's fixed, always good to initialize
memory. ok deraadt djm
2011-08-06 06:16:00 +10:00
7741ce8bd2
- djm@cvs.openbsd.org 2011/06/23 23:35:42
...
[monitor.c]
ignore EINTR errors from poll()
2011-08-06 06:15:15 +10:00
cd5e52ee78
- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
...
Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing
markus@
2011-06-27 07:18:18 +10:00
dcbd41e7af
- djm@cvs.openbsd.org 2011/06/23 09:34:13
...
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 19:45:51 +10:00
80b62e3738
- (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support
...
setrlimit(2)
2011-06-23 19:03:18 +10:00
6d7b4377dd
- djm@cvs.openbsd.org 2011/06/22 22:08:42
...
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
69ff1df952
- djm@cvs.openbsd.org 2011/06/22 21:57:01
...
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
2011-06-23 08:30:03 +10:00
82c558761d
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/06/22 21:47:28
[servconf.c]
reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-23 08:20:30 +10:00
4ac99c366c
- djm@cvs.openbsd.org 2011/06/17 21:57:25
...
[clientloop.c]
setproctitle for a mux master that has been gracefully stopped;
bz#1911 from Bert.Wesarg AT googlemail.com
2011-06-20 14:43:31 +10:00
33322127ec
- djm@cvs.openbsd.org 2011/06/17 21:47:35
...
[servconf.c]
factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@
2011-06-20 14:43:11 +10:00
f145a5be1c
- djm@cvs.openbsd.org 2011/06/17 21:46:16
...
[sftp-server.c]
the protocol version should be unsigned; bz#1913 reported by mb AT
smartftp.com
2011-06-20 14:42:51 +10:00
8f0bf237d4
- djm@cvs.openbsd.org 2011/06/17 21:44:31
...
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 14:42:23 +10:00
e7ac2bd42a
- markus@cvs.openbsd.org 2011/06/14 22:49:18
...
[authfile.c]
make sure key_parse_public/private_rsa1() no longer consumes its input
buffer. fixes ssh-add for passphrase-protected ssh1-keys;
noted by naddy@; ok djm@
2011-06-20 14:23:25 +10:00
6029e076b2
- djm@cvs.openbsd.org 2011/06/04 00:10:26
...
[ssh_config.5]
explain IdentifyFile's semantics a little better, prompted by bz#1898
ok dtucker jmc
2011-06-20 14:22:49 +10:00
bc481570d1
- (tim) [regress/cfgmatch.sh] Build/test out of tree fix.
2011-06-02 22:26:19 -07:00
bf4d05a37c
- dtucker@cvs.openbsd.org 2011/06/03 00:29:52
...
[regress/dynamic-forward.sh]
Retry establishing the port forwarding after a small delay, should make
the tests less flaky when the previous test is slow to shut down and free
up the port.
2011-06-03 14:19:02 +10:00
75e035c34e
- dtucker@cvs.openbsd.org 2011/05/31 02:03:34
...
[regress/dynamic-forward.sh]
work around startup and teardown races; caught by deraadt
2011-06-03 14:18:17 +10:00
260c8fbc4d
- dtucker@cvs.openbsd.org 2011/05/31 02:01:58
...
[regress/dynamic-forward.sh]
back out revs 1.6 and 1.5 since it's not reliable
2011-06-03 14:17:27 +10:00
3e78a516a0
- dtucker@cvs.openbsd.org 2011/06/03 01:37:40
...
[ssh-agent.c]
Check current parent process ID against saved one to determine if the parent
has exited, rather than attempting to send a zero signal, since the latter
won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn
Gillmor, ok djm@
2011-06-03 14:14:16 +10:00
c09182f613
- (djm) [configure.ac] enable setproctitle emulation for OS X
2011-06-03 12:11:38 +10:00
ea2c1a4dc6
- djm@cvs.openbsd.org 2011/06/03 00:54:38
...
[ssh.c]
bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
AT googlemail.com; ok dtucker@
NB. includes additional portability code to enable setproctitle emulation
on platforms that don't support it.
2011-06-03 12:10:22 +10:00
c3c7227ccc
add missing changelog entry
2011-06-03 11:20:06 +10:00
90f42b0705
- (tim) [configure.ac defines.h] Run test program to detect system mail
...
directory. Add --with-maildir option to override. Fixed OpenServer 6
getting it wrong. Fixed many systems having MAIL=/var/mail//username
ok dtucker
2011-06-02 18:17:49 -07:00
c412c1567b
- (dtucker) [README version.h contrib/caldera/openssh.spec
...
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
bumps from the 5.8p2 branch into HEAD. ok djm.
2011-06-03 10:35:23 +10:00
8cb3587336
- djm@cvs.openbsd.org 2011/05/23 03:31:31
...
[regress/cfgmatch.sh]
include testing of multiple/overridden AuthorizedKeysFiles
refactor to simply daemon start/stop and get rid of racy constructs
2011-05-29 21:59:10 +10:00
295ee63ab2
- djm@cvs.openbsd.org 2011/05/24 07:15:47
...
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
Remove undocumented legacy options UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
04bb56ef10
- djm@cvs.openbsd.org 2011/05/23 07:24:57
...
[authfile.c]
read in key comments for v.2 keys (though note that these are not
passed over the agent protocol); bz#439, based on patch from binder
AT arago.de; ok markus@
2011-05-29 21:42:08 +10:00
b9132fc427
- jmc@cvs.openbsd.org 2011/05/23 07:10:21
...
[sshd.8 sshd_config.5]
tweak previous; ok djm
2011-05-29 21:41:40 +10:00
201f425d29
- djm@cvs.openbsd.org 2011/05/23 03:52:55
...
[sshconnect.c]
remove extra newline
2011-05-29 21:41:03 +10:00
1dd66e5f74
- djm@cvs.openbsd.org 2011/05/23 03:33:38
...
[auth.c]
make secure_filename() spam debug logs less
2011-05-29 21:40:42 +10:00
d8478b6a9b
OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
2011-05-29 21:39:36 +10:00
acacced70b
- dtucker@cvs.openbsd.org 2011/05/20 06:32:30
...
[dynamic-forward.sh]
fix dumb error in dynamic-forward test
2011-05-20 19:08:40 +10:00
7b9451f382
- dtucker@cvs.openbsd.org 2011/05/20 05:19:50
...
[dynamic-forward.sh]
Prevent races in dynamic forwarding test; ok djm
2011-05-20 19:08:11 +10:00
3045b45a03
- djm@cvs.openbsd.org 2011/05/20 02:43:36
...
[cert-hostkey.sh]
another attempt to generate a v00 ECDSA key that broke the test
ID sync only - portable already had this somehow
2011-05-20 19:07:45 +10:00
f67188fe13
- djm@cvs.openbsd.org 2011/05/17 07:13:31
...
[regress/cert-userkey.sh]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
2011-05-20 19:06:48 +10:00
f2e407e2dd
- djm@cvs.openbsd.org 2011/05/20 03:25:45
...
[monitor.c monitor_wrap.c servconf.c servconf.h]
use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
2011-05-20 19:04:14 +10:00
c2411909c7
- dtucker@cvs.openbsd.org 2011/05/20 02:00:19
...
[servconf.c]
Add comment documenting what should be after the preauth check. ok djm
2011-05-20 19:03:49 +10:00
5d74e58e62
- djm@cvs.openbsd.org 2011/05/20 00:55:02
...
[servconf.c]
the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@
2011-05-20 19:03:31 +10:00
8f639fe722
- djm@cvs.openbsd.org 2011/05/17 07:13:31
...
[key.c]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
2011-05-20 19:03:08 +10:00
814ace0875
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/05/15 08:09:01
[authfd.c monitor.c serverloop.c]
use FD_CLOEXEC consistently; patch from zion AT x96.org
2011-05-20 19:02:47 +10:00
ec2eaa3daf
- (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2
2011-05-20 18:57:14 +10:00
989bb7f0c5
- (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
...
options, we should corresponding -W-option when trying to determine
whether it is accepted. Also includes a warning fix on the program
fragment uses (bad main() return type).
bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
2011-05-20 18:56:30 +10:00
14684a1f84
- (djm) [session.c] call setexeccon() before executing passwd for pw
...
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
2011-05-20 11:23:07 +10:00
23f425b48b
- (djm) [packet.c] unbreak portability #endif
2011-05-15 08:58:15 +10:00
9d276b8d68
- djm@cvs.openbsd.org 2011/05/13 00:05:36
...
[authfile.c]
warn on unexpected key type in key_parse_private_type()
2011-05-15 08:51:43 +10:00
Darren Tucker
Damien Miller
Tim Rice