Commit Graph

5011 Commits

Author SHA1 Message Date
Damien Miller 8b7ab960df - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction
replacement code; patch from ighighi AT gmail.com in bz#1240;
   ok dtucker
2008-06-15 10:55:34 +10:00
Darren Tucker 30fd49e606 - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which
despite its name doesn't seem to implement all of GSSAPI.  Patch from
   Jan Engelhardt, sanity checked by Simon Wilkinson.
2008-06-14 09:14:46 +10:00
Darren Tucker f6bffb1391 - grunk@cvs.openbsd.org 2008/06/13 20:13:26
[ssh.1]
     Explain the use of SSH fpr visualization using random art, and cite the
     original scientific paper inspiring that technique.
     Much help with English and nroff by jmc@, thanks.
2008-06-14 09:04:26 +10:00
Darren Tucker 03ccc9b142 - dtucker@cvs.openbsd.org 2008/06/13 18:55:22
[scp.c]
     Prevent -Wsign-compare warnings on LP64 systems.  bz #1192, ok deraadt@
2008-06-14 09:02:25 +10:00
Darren Tucker 47e713be94 - dtucker@cvs.openbsd.org 2008/06/13 17:21:20
[mux.c]
     Friendlier error messages for mux fallback.  ok djm@
2008-06-14 09:01:54 +10:00
Darren Tucker d9526a5e96 - dtucker@cvs.openbsd.org 2008/06/13 14:18:51
[auth2-pubkey.c auth-rhosts.c]
     Include unistd.h for close(), prevents warnings in -portable
2008-06-14 09:01:24 +10:00
Darren Tucker f2c16d30b4 - dtucker@cvs.openbsd.org 2008/06/13 13:56:59
[monitor.c]
     Clear key options in the monitor on failed authentication, prevents
     applying additional restrictions to non-pubkey authentications in
     the case where pubkey fails but another method subsequently succeeds.
     bz #1472, found by Colin Watson, ok markus@ djm
2008-06-14 08:59:49 +10:00
Darren Tucker 99bb7619d4 - deraadt@cvs.openbsd.org 2008/06/13 09:44:36
[packet.c]
     compile on older gcc; no decl after code
2008-06-13 22:02:50 +10:00
Darren Tucker f387e59d52 - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent
compiler warnings on some platforms.  Based on a discussion with otto@
2008-06-13 15:03:14 +10:00
Darren Tucker 06db584e9d - djm@cvs.openbsd.org 2008/06/13 04:40:22
[auth2-pubkey.c auth-rhosts.c]
     refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
     regular files; report from Solar Designer via Colin Watson in bz#1471
     ok dtucker@ deraadt@
2008-06-13 14:51:28 +10:00
Darren Tucker 7517b5bd31 - dtucker@cvs.openbsd.org 2008/06/13 01:38:23
[misc.c]
     upcast uid to long with matching %ld, prevents warnings in portable
2008-06-13 14:48:59 +10:00
Darren Tucker 2c91b28a6d - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used
on big endian machines, so ifdef them for little endian only to prevent
    unused function warnings.
2008-06-13 12:40:55 +10:00
Darren Tucker 2c1eb82695 - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA
systems.  Patch from R. Scott Bailey.
2008-06-13 11:13:13 +10:00
Darren Tucker c7e030fd78 - dtucker@cvs.openbsd.org 2008/06/13 00:51:47
[mac.c]
     upcast another size_t to u_long to match format
2008-06-13 10:58:50 +10:00
Darren Tucker 1adfd368c4 - dtucker@cvs.openbsd.org 2008/06/13 00:47:53
[mux.c]
     upcast size_t to u_long to match format arg; ok djm@
2008-06-13 10:58:10 +10:00
Darren Tucker 61b0695273 - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch
from Todd Vierling.
2008-06-13 10:28:57 +10:00
Darren Tucker ca19bfe254 - djm@cvs.openbsd.org 2008/06/13 00:16:49
[mux.c]
     fall back to creating a new TCP connection on most multiplexing errors
     (socket connect fail, invalid version, refused permittion, corrupted
     messages, etc.); bz #1329 ok dtucker@
2008-06-13 10:24:03 +10:00
Darren Tucker f8b7eb7c3c - dtucker@cvs.openbsd.org 2008/06/13 00:12:02
[sftp.h log.h]
     replace __dead with __attribute__((noreturn)), makes things
     a little easier to port.  Also, add it to sigdie().  ok djm@
2008-06-13 10:22:54 +10:00
Darren Tucker ff4454dbda - ian@cvs.openbsd.org 2008/06/12 23:24:58
[sshconnect.c]
     tweak wording in message, ok deraadt@ jmc@
2008-06-13 10:21:51 +10:00
Darren Tucker 0f0ef0ab1f - grunk@cvs.openbsd.org 2008/06/12 22:03:36
[key.c]
     add my copyright, ok djm@
2008-06-13 08:58:05 +10:00
Darren Tucker b68fb4ad21 - grunk@cvs.openbsd.org 2008/06/12 21:14:46
[ssh-keygen.c]
     make ssh-keygen -lf show the key type just as ssh-add -l would do it
     ok djm@ markus@
2008-06-13 08:57:27 +10:00
Darren Tucker babc1d5f73 - djm@cvs.openbsd.org 2008/06/12 21:06:25
[clientloop.c]
     I was coalescing expected global request confirmation replies at
     the wrong end of the queue - fix; prompted by markus@
2008-06-13 08:56:01 +10:00
Darren Tucker a64ab33f04 - djm@cvs.openbsd.org 2008/06/12 20:47:04
[sftp-client.c]
     print extension revisions for extensions that we understand
2008-06-13 07:01:29 +10:00
Darren Tucker 3fc464efdc - dtucker@cvs.openbsd.org 2008/06/12 20:38:28
[sshd.c sshconnect.c packet.h misc.c misc.h packet.c]
     Make keepalive timeouts apply while waiting for a packet, particularly
     during key renegotiation (bz #1363).  With djm and Matt Day, ok djm@
2008-06-13 06:42:45 +10:00
Darren Tucker f09e825329 - jmc@cvs.openbsd.org 2008/06/12 19:10:09
[ssh_config.5 ssh-keygen.1]
     tweak the ascii art text; ok grunk
2008-06-13 05:18:03 +10:00
Darren Tucker 1cf65ae61d - (dtucker) [clientloop.c serverloop.c] channel_register_filter now
takes 2 more args.  with djm@
2008-06-13 05:09:18 +10:00
Darren Tucker f6b01b758f - dtucker@cvs.openbsd.org 2008/06/12 16:35:31
[ssh_config.5 ssh.c]
     keyword expansion for localcommand.  ok djm@
2008-06-13 04:56:37 +10:00
Darren Tucker 84c56f536c - djm@cvs.openbsd.org 2008/06/12 15:19:17
[clientloop.h channels.h clientloop.c channels.c mux.c]
     The multiplexing escape char handler commit last night introduced a
     small memory leak per session; plug it.
2008-06-13 04:55:46 +10:00
Darren Tucker 4b3b9773ec - grunk@cvs.openbsd.org 2008/06/12 06:32:59
[key.c]
     We already mark the start of the worm, now also mark the end of the worm
     in our random art drawings.
     ok djm@
2008-06-13 04:55:10 +10:00
Darren Tucker ba69c7a987 - djm@cvs.openbsd.org 2008/06/12 05:32:30
[mux.c]
     some more TODO for me
2008-06-13 04:54:05 +10:00
Darren Tucker e5d98290a6 - djm@cvs.openbsd.org 2008/06/12 05:15:41
[PROTOCOL]
     document tun@openssh.com forwarding method
2008-06-13 04:53:27 +10:00
Darren Tucker d6173c0bd7 - djm@cvs.openbsd.org 2008/06/12 04:24:06
[ssh.c]
     thal shalt not code past the eightieth column
2008-06-13 04:52:53 +10:00
Darren Tucker 4d5cd33a5f - djm@cvs.openbsd.org 2008/06/12 04:17:47
[clientloop.c]
     thall shalt not code past the eightieth column
2008-06-13 04:51:14 +10:00
Darren Tucker 9f407c4422 - djm@cvs.openbsd.org 2008/06/12 04:06:00
[clientloop.h ssh.c clientloop.c]
     maintain an ordered queue of outstanding global requests that we
     expect replies to, similar to the per-channel confirmation queue.
     Use this queue to verify success or failure for remote forward
     establishment in a race free way.
     ok dtucker@
2008-06-13 04:50:27 +10:00
Darren Tucker 2fb66caca2 - djm@cvs.openbsd.org 2008/06/12 03:40:52
[clientloop.h mux.c channels.c clientloop.c channels.h]
     Enable ~ escapes for multiplex slave sessions; give each channel
     its own escape state and hook the escape filters up to muxed
     channels. bz #1331
     Mux slaves do not currently support the ~^Z and ~& escapes.
     NB. this change cranks the mux protocol version, so a new ssh
     mux client will not be able to connect to a running old ssh
     mux master.
     ok dtucker@
2008-06-13 04:49:33 +10:00
Darren Tucker 267e28bb75 - otto@cvs.openbsd.org 2008/06/12 00:13:13
[key.c]
     use an odd number of rows and columns and a separate start marker, looks
     better; ok grunk@
2008-06-13 04:48:11 +10:00
Darren Tucker 78913e0059 - grunk@cvs.openbsd.org 2008/06/12 00:13:55
[sshconnect.c]
     Make ssh print the random art also when ssh'ing to a host using IP only.
     spotted by naddy@, ok and help djm@ dtucker@
2008-06-13 04:47:34 +10:00
Darren Tucker d32b28a307 - grunk@cvs.openbsd.org 2008/06/11 23:51:57
[key.c]
     #define statements that are not atoms need braces around them, else they
     will cause trouble in some cases.
     Also do a computation of -1 once, and not in a loop several times.
     spotted by otto@
2008-06-13 04:45:50 +10:00
Darren Tucker dcc1ab5483 - grunk@cvs.openbsd.org 2008/06/11 23:03:56
[ssh_config.5]
     CheckHostIP set to ``fingerprint'' will display both hex and random art
     spotted by naddy@
2008-06-13 04:44:25 +10:00
Darren Tucker 014d76fa72 - otto@cvs.openbsd.org 2008/06/11 23:02:22
[key.c]
     simpler way of computing the augmentations; ok grunk@
2008-06-13 04:43:51 +10:00
Darren Tucker 35c45535ea - grunk@cvs.openbsd.org 2008/06/11 22:20:46
[ssh-keygen.c ssh-keygen.1]
     ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,
     that is not how it was envisioned.
     Also correct manpage saying that -v is needed along with -l for it to work.
     spotted by naddy@
2008-06-13 04:43:15 +10:00
Darren Tucker a376a32e8e - grunk@cvs.openbsd.org 2008/06/11 21:38:25
[ssh-keygen.c]
     ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub
     would not display you the random art as intended, spotted by canacar@
2008-06-13 04:42:14 +10:00
Darren Tucker 9c16ac9263 - grunk@cvs.openbsd.org 2008/06/11 21:01:35
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
      sshconnect.c]
     Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
     graphical hash visualization schemes known as "random art", and by
     Dan Kaminsky's musings on the subject during a BlackOp talk at the
     23C3 in Berlin.
     Scientific publication (original paper):
     "Hash Visualization: a New Technique to improve Real-World Security",
     Perrig A. and Song D., 1999, International Workshop on Cryptographic
     Techniques and E-Commerce (CrypTEC '99)
     http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
     The algorithm used here is a worm crawling over a discrete plane,
     leaving a trace (augmenting the field) everywhere it goes.
     Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
     makes the respective movement vector be ignored for this turn,
     thus switching to the other color of the chessboard.
     Graphs are not unambiguous for now, because circles in graphs can be
     walked in either direction.
     discussions with several people,
     help, corrections and ok markus@ djm@
2008-06-13 04:40:35 +10:00
Darren Tucker 1199673393 - jmc@cvs.openbsd.org 2008/06/11 07:30:37
[sshd.8]
     kill trailing whitespace;
2008-06-13 04:32:00 +10:00
Damien Miller 4401e45be6 - (djm) [channels.c configure.ac]
Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no)
   bz#1464; ok dtucker
2008-06-12 06:05:12 +10:00
Darren Tucker b8e0500351 - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now. 2008-06-11 09:47:59 +10:00
Darren Tucker e045e0c62a - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
[Makefile regress/key-options.sh]
     Add regress test for key options.  ok djm@
2008-06-11 09:38:12 +10:00
Darren Tucker 2a8b138ed8 - dtucker@cvs.openbsd.org 2008/06/10 23:21:34
[bufaux.c]
     Use '\0' for a nul byte rather than unadorned 0.  ok djm@
2008-06-11 09:35:37 +10:00
Darren Tucker 896ad5a4e4 - djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
     support CIDR address matching in .ssh/authorized_keys from="..." stanzas
     ok and extensive testing dtucker@
2008-06-11 09:34:46 +10:00
Darren Tucker 8901fa9c88 - djm@cvs.openbsd.org 2008/06/10 22:15:23
[PROTOCOL ssh.c serverloop.c]
     Add a no-more-sessions@openssh.com global request extension that the
     client sends when it knows that it will never request another session
     (i.e. when session multiplexing is disabled). This allows a server to
     disallow further session requests and terminate the session.
     Why would a non-multiplexing client ever issue additional session
     requests? It could have been attacked with something like SSH'jack:
     http://www.storm.net.nz/projects/7
     feedback & ok markus
2008-06-11 09:34:01 +10:00