add a debug2() right before DNS resolution; it's a place
where ssh could previously silently hang for a while. bz#2433
Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
don't record hostbased authentication hostkeys as user
keys in test for multiple authentication with the same key
Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc
Fix occurrences of "r = func() != 0" which result in the
wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the
negotiated options. ok markus@
Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb
Improve size == 0, count == 0 checking in mm_zalloc,
which is "array" like. Discussed with tedu, millert, otto.... and ok djm
Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29
In the certificates section, be consistent about using
"host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
Better compat matching for WinSCP, add compat matching
for FuTTY (fork of PuTTY); ok markus@ deraadt@
Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
release; problems spotted by sthen@ ok deraadt@ markus@
Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
change default: PermitRootLogin without-password matching
install script changes coming as well ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
include the peer's offer when logging a failure to
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
add Cisco to the list of clients that choke on the
hostkeys update extension. Pointed out by Howard Kash
Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
Permit kbind(2) use in the sandbox now, to ease testing
of ld.so work using it
reminded by miod@, ok deraadt@
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
Damien Miller
jmc@openbsd.org
djm@openbsd.org
jsg@openbsd.org
deraadt@openbsd.org
naddy@openbsd.org
Darren Tucker
chris@openbsd.org
guenther@openbsd.org
millert@openbsd.org