Commit Graph

7586 Commits

Author SHA1 Message Date
Damien Miller 9235a030ad Three commits in one (since they touch the same heavily-diverged file
repeatedly):

   - markus@cvs.openbsd.org 2014/03/25 09:40:03
     [myproposal.h]
     trimm default proposals.

     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
     (arcfour), and the broken modes (CBC) from the default configuration
     (the patch only changes the default, all the modes are still available
     for the config files).

     ok djm@, reminded by tedu@ & naddy@ and discussed with many
   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
     [myproposal.h]
     The current sharing of myproposal[] between both client and server code
     makes the previous diff highly unpallatable.  We want to go in that
     direction for the server, but not for the client.  Sigh.
     Brought up by naddy.
   - markus@cvs.openbsd.org 2014/03/27 23:01:27
     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 13:17:20 +10:00
Damien Miller 6e1777f592 - tedu@cvs.openbsd.org 2014/03/19 14:42:44
[scp.1]
     there is no need for rcp anymore
     ok deraadt millert
2014-04-20 13:02:58 +10:00
Damien Miller eb1b7c514d - tedu@cvs.openbsd.org 2014/03/17 19:44:10
[ssh.1]
     old descriptions of des and blowfish are old. maybe ok deraadt
2014-04-20 13:02:26 +10:00
Damien Miller f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
2014-04-20 13:01:30 +10:00
Damien Miller 94bfe0fbd6 - naddy@cvs.openbsd.org 2014/03/12 13:06:59
[ssh-keyscan.1]
     scan for Ed25519 keys by default too
2014-04-20 13:00:51 +10:00
Damien Miller 3819519288 - djm@cvs.openbsd.org 2014/03/12 04:51:12
[authfile.c]
     correct test that kdf name is not "none" or "bcrypt"
2014-04-20 13:00:28 +10:00
Damien Miller 8f9cd709c7 - djm@cvs.openbsd.org 2014/03/12 04:50:32
[auth-bsdauth.c ssh-keygen.c]
     don't count on things that accept arguments by reference to clear
     things for us on error; most things do, but it's unsafe form.
2014-04-20 13:00:11 +10:00
Damien Miller 1c7ef4be83 - djm@cvs.openbsd.org 2014/03/12 04:44:58
[ssh-keyscan.c]
     scan for Ed25519 keys by default too
2014-04-20 12:59:46 +10:00
Damien Miller c10bf4d051 - djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
     Id sync only - portable already has this.
2014-04-20 12:58:04 +10:00
Damien Miller c2e49062fa - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
version. From des@des.no
2014-04-01 14:42:46 +11:00
Damien Miller 14928b7492 - (djm) On platforms that support it, use prctl() to prevent sftp-server
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
2014-04-01 14:38:07 +11:00
Damien Miller 48abc47e60 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
remind myself to add sandbox violation logging via the log socket.
2014-03-17 14:45:56 +11:00
Tim Rice 9c36698ca2 20140314
- (tim) [opensshd.init.in] Add support for ed25519
2014-03-14 12:45:01 -07:00
Damien Miller 19158b2447 - (djm) Release OpenSSH 6.6 2014-03-13 13:14:21 +11:00
Damien Miller 8569eba5d7 - djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
2014-03-04 09:35:17 +11:00
Damien Miller 2476c31b96 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
no moduli file exists at the expected location.
2014-03-02 04:01:00 +11:00
Damien Miller c83fdf30e9 - (djm) [regress/host-expand.sh] Add RCS Id 2014-02-28 10:34:03 +11:00
Damien Miller 834aeac355 - djm@cvs.openbsd.org 2014/02/27 21:21:25
[agent-ptrace.sh agent.sh]
     keep return values that are printed in error messages;
     from portable
     (Id sync only)
2014-02-28 10:25:16 +11:00
Damien Miller 4f7f1a9a0d - djm@cvs.openbsd.org 2014/02/27 20:04:16
[login-timeout.sh]
     remove any existing LoginGraceTime from sshd_config before adding
     a specific one for the test back in
2014-02-28 10:24:11 +11:00
Damien Miller d705d987c2 - djm@cvs.openbsd.org 2014/01/26 10:49:17
[scp-ssh-wrapper.sh scp.sh]
     make sure $SCP is tested on the remote end rather than whichever one
     happens to be in $PATH; from portable
     (Id sync only)
2014-02-28 10:23:26 +11:00
Damien Miller 624a3ca376 - djm@cvs.openbsd.org 2014/01/26 10:22:10
[regress/cert-hostkey.sh]
     automatically generate revoked keys from listed keys rather than
     manually specifying each type; from portable
     (Id sync only)
2014-02-28 10:22:37 +11:00
Damien Miller b843923284 - dtucker@cvs.openbsd.org 2014/01/25 04:35:32
[regress/Makefile regress/dhgex.sh]
     Add a test for DH GEX sizes
2014-02-28 10:21:26 +11:00
Damien Miller 1e2aa3d904 - dtucker@cvs.openbsd.org 2014/01/20 00:00:30
[sftp-chroot.sh]
     append to rather than truncating the log file
2014-02-28 10:19:51 +11:00
Damien Miller f483cc16fe - dtucker@cvs.openbsd.org 2014/01/19 23:43:02
[regress/sftp-chroot.sh]
     Don't use -q on sftp as it suppresses logging, instead redirect the
     output to the regress logfile.
2014-02-28 10:19:11 +11:00
Damien Miller 6486f16f1c - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers
2014-02-28 10:03:52 +11:00
Damien Miller 92cf5adea1 - djm@cvs.openbsd.org 2014/02/27 22:57:40
[version.h]
     openssh-6.6
2014-02-28 10:01:53 +11:00
Damien Miller fc5d6759ab - djm@cvs.openbsd.org 2014/02/27 22:47:07
[sshd_config.5]
     bz#2184 clarify behaviour of a keyword that appears in multiple
     matching Match blocks; ok dtucker@
2014-02-28 10:01:28 +11:00
Damien Miller 172ec7e0af - djm@cvs.openbsd.org 2014/02/27 08:25:09
[bufbn.c]
     off by one in range check
2014-02-28 10:00:57 +11:00
Damien Miller f9a9aaba43 - djm@cvs.openbsd.org 2014/02/27 00:41:49
[bufbn.c]
     fix unsigned overflow that could lead to reading a short ssh protocol
     1 bignum value; found by Ben Hawkes; ok deraadt@
2014-02-28 10:00:27 +11:00
Damien Miller fb3423b612 - markus@cvs.openbsd.org 2014/02/26 21:53:37
[sshd.c]
     ssh_gssapi_prepare_supported_oids needs GSSAPI
2014-02-27 10:20:07 +11:00
Damien Miller 1348129a34 - djm@cvs.openbsd.org 2014/02/26 20:29:29
[channels.c]
     don't assume that the socks4 username is \0 terminated;
     spotted by Ben Hawkes; ok markus@
2014-02-27 10:18:32 +11:00
Damien Miller e6a74aeeac - djm@cvs.openbsd.org 2014/02/26 20:28:44
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
     sandboxing, as running this code in the sandbox can cause violations;
     ok markus@
2014-02-27 10:17:49 +11:00
Damien Miller 08b57c67f3 - djm@cvs.openbsd.org 2014/02/26 20:18:37
[ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
2014-02-27 10:17:13 +11:00
Damien Miller 13f97b2286 - djm@cvs.openbsd.org 2014/02/23 20:11:36
[readconf.c readconf.h ssh.c ssh_config.5]
     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
     the hostname. This allows users to write configurations that always
     refer to canonical hostnames, e.g.

     CanonicalizeHostname yes
     CanonicalDomains int.example.org example.org
     CanonicalizeFallbackLocal no

     Host *.int.example.org
         Compression off
     Host *.example.org
         User djm

     ok markus@
2014-02-24 15:57:55 +11:00
Damien Miller bee3a234f3 - djm@cvs.openbsd.org 2014/02/23 20:03:42
[ssh-ed25519.c]
     check for unsigned overflow; not reachable in OpenSSH but others might
     copy our code...
2014-02-24 15:57:22 +11:00
Damien Miller 0628780abe - djm@cvs.openbsd.org 2014/02/22 01:32:19
[readconf.c]
     when processing Match blocks, skip 'exec' clauses if previous predicates
     failed to match; ok markus@
2014-02-24 15:56:45 +11:00
Damien Miller 0890dc8191 - djm@cvs.openbsd.org 2014/02/15 23:05:36
[channels.c]
     avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
     bz#2200, debian#738692 via Colin Watson; ok dtucker@
2014-02-24 15:56:07 +11:00
Damien Miller d3cf67e111 - djm@cvs.openbsd.org 2014/02/07 06:55:54
[cipher.c mac.c]
     remove some logging that makes ssh debugging output very verbose;
     ok markus
2014-02-24 15:55:36 +11:00
Tim Rice 03ae081aea 20140221
- (tim) [configure.ac]  Fix cut-and-paste error. Patch from Bryan Drewery.
2014-02-21 09:09:34 -08:00
Darren Tucker 4a20959d2e - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
2014-02-13 16:38:32 +11:00
Damien Miller d1a7a9c0fd - djm@cvs.openbsd.org 2014/02/06 22:21:01
[sshconnect.c]
     in ssh_create_socket(), only do the getaddrinfo for BindAddress when
     BindAddress is actually specified. Fixes regression in 6.5 for
     UsePrivilegedPort=yes; patch from Corinna Vinschen
2014-02-07 09:24:33 +11:00
Damien Miller 6ce35b6cc4 - naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
     while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
Damien Miller 6434cb2cfb - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-02-06 11:17:50 +11:00
Darren Tucker 8d36f9ac71 - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
before freeing since free(NULL) is a no-op.  ok djm.
2014-02-06 10:44:13 +11:00
Damien Miller a0959da368 - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
headers/libc but not supported by the kernel. Patch from Loganaden
   Velvindron @ AfriNIC
2014-02-05 10:33:45 +11:00
Damien Miller 9c449bc183 - (djm) [regress/setuid-allowed.c] Missing string.h for strerror() 2014-02-04 11:38:28 +11:00
Damien Miller bf7e0f03be - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o 2014-02-04 11:37:50 +11:00
Damien Miller eb6d870a0e - djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
     delay lowercasing of hostname until right before hostname
     canonicalisation to unbreak case-sensitive matching of ssh_config;
     reported by Ike Devolder; ok markus@
2014-02-04 11:26:34 +11:00
Damien Miller d56b44d2df - djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
     delay lowercasing of hostname until right before hostname
     canonicalisation to unbreak case-sensitive matching of ssh_config;
     reported by Ike Devolder; ok markus@
2014-02-04 11:26:04 +11:00
Damien Miller db3c595ea7 - djm@cvs.openbsd.org 2014/02/02 03:44:31
[digest-libc.c digest-openssl.c]
     convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:25:45 +11:00