Commit Graph

5536 Commits

Author SHA1 Message Date
Damien Miller 8b90642fcf - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
set up SELinux execution context before chroot() call. From Russell
   Coker via Colin watson; bz#1726 ok dtucker@
2010-03-26 11:04:09 +11:00
Damien Miller 44451d0af8 - djm@cvs.openbsd.org 2010/03/25 23:38:28
[servconf.c]
     from portable: getcwd(NULL, 0) doesn't work on all platforms, so
     use a stack buffer; ok dtucker@
2010-03-26 10:40:04 +11:00
Darren Tucker a83d90fbab - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
by Ingo Weinhold via Scott McCreary, ok djm@
2010-03-26 10:27:33 +11:00
Damien Miller 7d09b8f8d9 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
2010-03-26 08:52:02 +11:00
Darren Tucker 62131dc6e2 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
containing the services file explicitely case-insensitive.  This allows to
   tweak the Windows services file reliably.  Patch from vinschen at redhat.
2010-03-24 13:03:32 +11:00
Damien Miller b086d4ac70 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers
2010-03-22 06:11:55 +11:00
Damien Miller 13a9f7247a - djm@cvs.openbsd.org 2010/03/16 16:36:49
[version.h]
     crank version to openssh-5.5 since we have a few fixes since 5.4;
     requested deraadt@ kettenis@
2010-03-22 05:59:22 +11:00
Damien Miller 33334b27bc - stevesk@cvs.openbsd.org 2010/03/16 15:46:52
[auth-options.c]
     spelling in error message. ok djm kettenis
2010-03-22 05:59:02 +11:00
Damien Miller 1cfbfaf4a0 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
[key.c key.h ssh-keygen.c]
     also print certificate type (user or host) for ssh-keygen -L
     ok djm kettenis
2010-03-22 05:58:24 +11:00
Damien Miller 5a5d94b12f - jmc@cvs.openbsd.org 2010/03/13 23:38:13
[ssh-keygen.1]
     fix a formatting error (args need quoted); noted by stevesk
2010-03-22 05:57:49 +11:00
Damien Miller 1b61a2825e - djm@cvs.openbsd.org 2010/03/13 21:45:46
[ssh-keygen.1]
     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
     from stevesk@ ok me
2010-03-22 05:55:06 +11:00
Damien Miller 8ddc71c13d - djm@cvs.openbsd.org 2010/03/13 21:10:38
[clientloop.c]
     protocol conformance fix: send language tag when disconnecting normally;
     spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
2010-03-22 05:54:02 +11:00
Damien Miller 4a5f0d325b - markus@cvs.openbsd.org 2010/03/12 11:37:40
[servconf.c]
     do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
     free() (not xfree()) the buffer returned by getcwd()
2010-03-22 05:53:04 +11:00
Damien Miller c4cb47bc53 - djm@cvs.openbsd.org 2010/03/12 01:06:25
[servconf.c]
     unbreak AuthorizedKeys option with a $HOME-relative path; reported by
     vinschen AT redhat.com, ok dtucker@
2010-03-22 05:52:26 +11:00
Damien Miller e513a91195 - djm@cvs.openbsd.org 2010/03/10 23:27:17
[auth2-pubkey.c]
     correct certificate logging and make it more consistent between
     authorized_keys and TrustedCAKeys; ok markus@
2010-03-22 05:51:21 +11:00
Damien Miller 77497e1318 - jmc@cvs.openbsd.org 2010/03/10 07:40:35
[ssh-keygen.1]
     typos; from Ross Richardson
     closes prs 6334 and 6335
2010-03-22 05:50:51 +11:00
Damien Miller c59e2443d3 - jmc@cvs.openbsd.org 2010/03/08 09:41:27
[ssh-keygen.1]
     sort the list of constraints (to -O); ok djm
2010-03-22 05:50:31 +11:00
Damien Miller 1f574b2546 - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
ssh-pkcs11-helper to repair static builds (we do the same for
   ssh-keyscan). Reported by felix-mindrot AT fefe.de
2010-03-14 08:41:34 +11:00
Damien Miller 47f9a4106a - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
   AT fefe.de
2010-03-14 08:37:49 +11:00
Tim Rice 4e0cea82dd - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
on a Cygwin installation. Patch from Corinna Vinschen.
2010-03-11 22:35:19 -08:00
Tim Rice ded8fa0bc9 - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
Patch from Corinna Vinschen.
2010-03-11 22:32:02 -08:00
Tim Rice 2bde3eec69 - (tim) [openssh/Makefile.in] Now that scard is gone, no need to
make $(datadir)
2010-03-11 22:18:13 -08:00
Tim Rice fa233ba73b - (tim) [contrib/suse/openssh.spec] crank version number here too.
report by imorgan AT nas.nasa.gov
2010-03-10 16:12:02 -08:00
Darren Tucker c9fe39b1a4 - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
so setting it in CFLAGS correctly skips IPv6 tests.
2010-03-09 20:42:30 +11:00
Damien Miller 081c976e1c - djm@cvs.openbsd.org 2010/03/08 00:28:55
[ssh-keygen.1]
     document permit-agent-forwarding certificate constraint; patch from
     stevesk@
2010-03-08 11:30:00 +11:00
Damien Miller 958678726c - (djm) Release OpenSSH-5.4p1 2010-03-08 09:50:17 +11:00
Damien Miller 6bf31786cf - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
crank version numbers
2010-03-08 09:41:02 +11:00
Damien Miller 3e1ee491f3 - djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]
     make internal strptime string match strftime format;
     suggested by vinschen AT redhat.com and markus@
2010-03-08 09:24:11 +11:00
Damien Miller b3bc331e09 - (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/07 22:01:32
     [version.h]
     openssh-5.4
2010-03-08 09:03:33 +11:00
Darren Tucker cd70e1b813 - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@
2010-03-07 23:05:17 +11:00
Darren Tucker ac0c4c9c1d - (dtucker) [session.c] Also initialize creds to NULL for handing to
setpcred.
2010-03-07 13:32:16 +11:00
Darren Tucker c738e6c646 - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
do not set real uid, since that's needed for the chroot, and will be set
   by permanently_set_uid.
2010-03-07 13:21:12 +11:00
Darren Tucker b3d20a3ff0 - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
it gets the passwd struct from the LAM that knows about the user which is
   not necessarily the default.  Patch from Alexandre Letourneau.
2010-03-07 11:56:59 +11:00
Damien Miller 5059d8d7e6 - djm@cvs.openbsd.org 2010/03/05 10:28:21
[ssh-add.1 ssh.1 ssh_config.5]
     mention loading of certificate files from [private]-cert.pub when
     they are present; feedback and ok jmc@
2010-03-05 21:31:11 +11:00
Damien Miller 922b541329 - jmc@cvs.openbsd.org 2010/03/05 08:31:20
[ssh.1]
     document certificate authentication; help/ok djm
2010-03-05 21:30:54 +11:00
Damien Miller 98339054f9 - jmc@cvs.openbsd.org 2010/03/05 06:50:35
[ssh.1 sshd.8]
     tweak previous;
2010-03-05 21:30:35 +11:00
Damien Miller 9527f228ae - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@ 2010-03-05 15:04:35 +11:00
Damien Miller b068d0ad6d - djm@cvs.openbsd.org 2010/03/05 02:58:11
[auth.c]
     make the warning for a revoked key louder and more noticable
2010-03-05 14:03:03 +11:00
Damien Miller 48b6021721 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
on some platforms
2010-03-05 11:40:19 +11:00
Damien Miller 689b872842 - djm@cvs.openbsd.org 2010/03/04 23:27:25
[auth-options.c ssh-keygen.c]
     "force-command" is not spelled "forced-command"; spotted by
     imorgan AT nas.nasa.gov
2010-03-05 10:42:24 +11:00
Damien Miller a7dab8bfe5 - djm@cvs.openbsd.org 2010/03/04 23:19:29
[ssh.1 sshd.8]
     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
     format section and rework it a bit; requested by jmc@
2010-03-05 10:42:05 +11:00
Damien Miller c6db99ec14 - djm@cvs.openbsd.org 2010/03/04 23:17:25
[sshd_config.5]
     missing word; spotted by jmc@
2010-03-05 10:41:45 +11:00
Damien Miller 8f6c337563 - jmc@cvs.openbsd.org 2010/03/04 22:52:40
[ssh-keygen.1]
     fix Bk/Ek;
2010-03-05 10:41:26 +11:00
Tim Rice 179eee081a - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
compilers. OK djm@
2010-03-04 12:48:05 -08:00
Damien Miller f2b70cad75 - djm@cvs.openbsd.org 2010/03/04 20:35:08
[ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
Damien Miller 72b33820af - jmc@cvs.openbsd.org 2010/03/04 12:51:25
[ssh.1 sshd_config.5]
     tweak previous;
2010-03-05 07:39:01 +11:00
Damien Miller 700dcfa3e0 - djm@cvs.openbsd.org 2010/03/04 10:38:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 21:58:01 +11:00
Damien Miller 017d1e777e - djm@cvs.openbsd.org 2010/03/03 00:47:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
2010-03-04 21:57:21 +11:00
Damien Miller 1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller 2befbad9b3 - djm@cvs.openbsd.org 2010/03/04 01:44:57
[key.c]
     use buffer_get_string_ptr_ret() where we are checking the return
     value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 21:52:18 +11:00