9f157abbb6
- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file
...
fails. Patch from Corinna Vinschen.
2011-10-25 09:37:57 +11:00
8f4279e4ab
- djm@cvs.openbsd.org 2011/10/18 05:00:48
...
[ssh-add.1 ssh-add.c]
new "ssh-add -k" option to load plain keys (skipping certificates);
"looks ok" markus@
2011-10-18 16:06:33 +11:00
c51a5ab2c6
- djm@cvs.openbsd.org 2011/10/18 04:58:26
...
[auth-options.c key.c]
remove explict search for \0 in packet strings, this job is now done
implicitly by buffer_get_cstring; ok markus
2011-10-18 16:06:14 +11:00
91f3eaec88
- stsp@cvs.openbsd.org 2011/10/16 15:51:39
...
[moduli.c]
add missing includes to unbreak tree; fix from rpointel
2011-10-18 16:05:55 +11:00
927d82bc6a
- jmc@cvs.openbsd.org 2011/10/16 15:02:41
...
[ssh-keygen.c]
put -K in the right place (usage());
2011-10-18 16:05:38 +11:00
390d0561fc
- dtucker@cvs.openbsd.org 2011/10/16 11:02:46
...
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add optional checkpoints for moduli screening. feedback & ok deraadt
2011-10-18 16:05:19 +11:00
d3e6990c4c
- djm@cvs.openbsd.org 2011/10/04 14:17:32
...
[sftp-glob.c]
silence error spam for "ls */foo" in directory with files; bz#1683
2011-10-18 16:04:57 +11:00
2e13560ff5
- djm@cvs.openbsd.org 2011/09/30 21:22:49
...
[sshd.c]
fix inverted test that caused logspam; spotted by henning@
2011-10-02 19:10:13 +11:00
95125e5f43
ChangeLog entry for sshd.c rev 1.409
2011-10-02 19:09:07 +11:00
af1a60ec4f
- djm@cvs.openbsd.org 2011/09/25 05:44:47
...
[auth2-pubkey.c]
improve the AuthorizedPrincipalsFile debug log message to include
file and line number
2011-10-02 18:59:59 +11:00
68afb8c5f2
- markus@cvs.openbsd.org 2011/09/23 07:45:05
...
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h]
unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@
2011-10-02 18:59:03 +11:00
1338b9e067
- dtucker@cvs.openbsd.org 2011/09/23 00:22:04
...
[channels.c auth-options.c servconf.c channels.h sshd.8]
Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857 , ok djm markus.
2011-10-02 18:57:35 +11:00
036876cd7d
- (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm
2011-10-01 18:46:12 +10:00
b54f50e5d0
- (dtucker) [configure.ac openbsd-compat/Makefile.in
...
openbsd-compat/strnlen.c] Add strnlen to the compat library.
2011-09-29 23:17:18 +10:00
5ffe1c4b43
- (djm) [configure.ac defines.h] No need to detect sizeof(char); patch
...
from des AT des.no
2011-09-29 11:11:51 +10:00
d1a74580f8
- (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion
...
of static __findenv() function from upstream setenv.c
2011-09-23 11:26:34 +10:00
3e6fe87ef9
- otto@cvs.openbsd.org 2008/12/09 19:38:38
...
[openbsd-compat/inet_ntop.c]
fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon
2011-09-23 11:16:09 +10:00
64efe9671d
- (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid
...
marker. The upstream API has changed (function and structure names)
enough to put it out of sync with other providers of this interface.
2011-09-23 11:13:00 +10:00
4888671343
- (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version.
...
The file was totally rewritten between what we had in tree and -current.
2011-09-23 10:56:29 +10:00
3a359b3228
- millert@cvs.openbsd.org 2008/08/21 16:54:44
...
[mktemp.c]
Remove useless code, the kernel will set errno appropriately if an
element in the path does not exist. OK deraadt@ pvalchev@
2011-09-23 10:47:29 +10:00
dc0e09b41c
- deraadt@cvs.openbsd.org 2008/07/22 21:47:45
...
[mktemp.c]
use arc4random_uniform(); ok djm millert
2011-09-23 10:46:48 +10:00
cd92790fcb
- (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the
...
upstream version is YPified and we don't want this
2011-09-23 10:44:03 +10:00
834e820317
- tobias@cvs.openbsd.org 2007/10/21 11:09:30
...
[mktemp.c]
Comment fix about time consumption of _gettemp.
FreeBSD did this in revision 1.20.
OK deraadt@, krw@
2011-09-23 10:42:02 +10:00
acdf3fbdba
- (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no
...
longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
want this longhand version)
2011-09-23 10:40:50 +10:00
add1e20802
- millert@cvs.openbsd.org 2006/05/05 15:27:38
...
[strlcpy.c]
Convert do {} while loop -> while {} for clarity. No binary change
on most architectures. From Oliver Smith. OK deraadt@ and henning@
2011-09-23 10:38:01 +10:00
d7be70d052
- djm@cvs.openbsd.org 2011/09/22 06:29:03
...
[sftp.c]
don't let remote_glob() implicitly sort its results in do_globbed_ls() -
in all likelihood, they will be resorted anyway
2011-09-22 21:43:06 +10:00
57c38ac7d5
- markus@cvs.openbsd.org 2011/09/12 08:46:15
...
[sftp-client.c]
fix leak in do_lsreaddir(); ok djm
2011-09-22 21:42:45 +10:00
3decdba425
- markus@cvs.openbsd.org 2011/09/11 16:07:26
...
[sftp-client.c]
fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron
2011-09-22 21:41:05 +10:00
1bcbd0a9de
- okan@cvs.openbsd.org 2011/09/11 06:59:05
...
[ssh.1]
document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
ff773644e6
- markus@cvs.openbsd.org 2011/09/10 22:26:34
...
[channels.c channels.h clientloop.c ssh.1]
support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@
2011-09-22 21:39:48 +10:00
f6dff7cd2f
- djm@cvs.openbsd.org 2011/09/09 22:46:44
...
[channels.c channels.h clientloop.h mux.c ssh.c]
support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00
9ee2c606c1
- djm@cvs.openbsd.org 2011/09/09 22:38:21
...
[sshd.c]
kill the preauth privsep child on fatal errors in the monitor;
ok markus@
2011-09-22 21:38:30 +10:00
0603d98b4e
- djm@cvs.openbsd.org 2011/09/09 22:37:01
...
[scp.c]
suppress adding '--' to remote commandlines when the first argument
does not start with '-'. saves breakage on some difficult-to-upgrade
embedded/router platforms; feedback & ok dtucker ok markus
2011-09-22 21:38:00 +10:00
4cb855b070
- djm@cvs.openbsd.org 2011/09/09 00:44:07
...
[PROTOCOL.mux]
MUX_C_CLOSE_FWD includes forward type in message (though it isn't
implemented anyway)
2011-09-22 21:37:38 +10:00
f6e758cdba
- djm@cvs.openbsd.org 2011/09/09 00:43:00
...
[ssh_config.5 sshd_config.5]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:37:13 +10:00
6232a16a9a
- deraadt@cvs.openbsd.org 2011/09/07 02:18:31
...
[ssh-keygen.1]
typo (they vs the) found by Lawrence Teo
2011-09-22 21:36:00 +10:00
e029673f1f
- jmc@cvs.openbsd.org 2011/09/05 07:01:44
...
[scp.1]
knock out a useless Ns;
2011-09-22 21:34:56 +10:00
2918e030fc
- djm@cvs.openbsd.org 2011/09/05 05:59:08
...
[misc.c]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:34:35 +10:00
e577772a89
- djm@cvs.openbsd.org 2011/09/05 05:56:13
...
[scp.1 sftp.1]
mention ControlPersist and KbdInteractiveAuthentication in the -o
verbiage in these pages too (prompted by jmc@)
2011-09-22 21:34:15 +10:00
efad727517
- djm@cvs.openbsd.org 2011/08/26 01:45:15
...
[ssh.1]
Add some missing ssh_config(5) options that can be used in ssh(1)'s
-o argument. Patch from duclare AT guu.fi
2011-09-22 21:33:53 +10:00
e128a50e35
- djm@cvs.openbsd.org 2011/09/22 06:27:29
...
[glob.c]
fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
applied only to the gl_pathv vector and not the corresponding gl_statv
array. reported in OpenSSH bz#1935; feedback and okay matthew@
2011-09-22 21:22:21 +10:00
c4bf7dde92
- stsp@cvs.openbsd.org 2011/09/20 10:18:46
...
[glob.c]
In glob(3), limit recursion during matching attempts. Similar to
fnmatch fix. Also collapse consecutive '*' (from NetBSD).
ok miod deraadt
2011-09-22 21:21:48 +10:00
e01a627047
- pyr@cvs.openbsd.org 2011/05/12 07:15:10
...
[openbsd-compat/glob.c]
When the max number of items for a directory has reached GLOB_LIMIT_READDIR
an error is returned but closedir() is not called.
spotted and fix provided by Frank Denis obsd-tech@pureftpd.org
ok otto@, millert@
2011-09-22 21:20:21 +10:00
e8a82c5faf
- (dtucker) [entropy.h] Bug #1932 : remove old definition of init_rng. From
...
Colin Watson.
2011-09-09 11:29:40 +10:00
022ee24197
- (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon
2011-09-07 09:15:02 +10:00
fb9d8173f0
- (djm) [README version.h] Correct version
2011-09-07 09:11:53 +10:00
8e4a71e952
- (djm) Release OpenSSH-5.9
2011-09-05 15:39:20 +10:00
86dcd3e45a
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers.
2011-09-05 10:29:04 +10:00
0dd24e02ec
- (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929 : add null implementations
...
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
6efd94f32e
- (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
...
regress errors for the sandbox to warnings. ok tim dtucker
2011-09-04 19:04:16 +10:00
58ac11a2bd
- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
...
to switch SELinux context away from unconfined_t, based on patch from
Jan Chadima; bz#1919 ok dtucker@
2011-08-29 16:09:52 +10:00
4438354870
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
2011-08-28 04:50:16 +10:00
a6e60616be
- (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze
2011-08-17 21:48:22 -07:00
2df1bec086
- (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2
...
MAC tests for platforms that hack EVP_SHA2 support
2011-08-17 12:25:46 +10:00
062fa30532
- djm@cvs.openbsd.org 2011/08/02 01:23:41
...
[regress/cipher-speed.sh regress/try-ciphers.sh]
add SHA256/SHA512 based HMAC modes
2011-08-17 12:10:02 +10:00
faf4d80420
- markus@cvs.openbsd.org 2011/06/30 22:44:43
...
[connect-privsep.sh]
test with sandbox enabled; ok djm@
2011-08-17 12:09:19 +10:00
9231c8bde4
- dtucker@cvs.openbsd.org 2011/06/03 05:35:10
...
[regress/cfgmatch.sh]
use OBJ to find test configs, patch from Tim Rice
2011-08-17 12:08:15 +10:00
44a6c9340a
- (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by
...
bisson AT archlinux.org
2011-08-17 12:01:44 +10:00
1a91c0f163
- (djm) [configure.ac] error out if the host lacks the necessary bits for
...
an explicitly requested sandbox type
2011-08-17 11:59:25 +10:00
9c08312968
- (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
...
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
2011-08-17 11:31:07 +10:00
a1226828ad
- (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for
...
OpenSSL 0.9.7. ok djm
2011-08-16 17:29:01 -07:00
d1eb1dd5ed
- (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the
...
identify file contained whitespace. bz#1828 patch from gwenael.lambrouin
AT gmail.com; ok dtucker@
2011-08-12 11:22:47 +10:00
2db9977c06
- (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init]
...
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES
init scrips from imorgan AT nas.nasa.gov
2011-08-12 11:02:35 +10:00
4d47ec9c89
- (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context
...
change error by reporting old and new context names Patch from
jchadima at redhat.
2011-08-12 10:12:53 +10:00
ddccfb4b98
- dtucker@cvs.openbsd.org 2011/08/07 12:55:30
...
[sftp.1]
typo, fix from Laurent Gautrot
2011-08-07 23:12:26 +10:00
91e6b57729
- jmc@cvs.openbsd.org 2010/10/14 20:41:28
...
[moduli.5]
probabalistic -> probabilistic; from naddy
2011-08-07 23:10:56 +10:00
f279474f1b
- sobrado@cvs.openbsd.org 2009/10/28 08:56:54
...
[moduli.5]
"Diffie-Hellman" is the usual spelling for the cryptographic protocol
first published by Whitfield Diffie and Martin Hellman in 1976.
ok jmc@
2011-08-07 23:10:11 +10:00
578451ddda
- (dtucker) OpenBSD CVS Sync
...
- jmc@cvs.openbsd.org 2008/06/26 06:59:39
[moduli.5]
tweak previous;
2011-08-07 23:09:20 +10:00
765f8c4eff
- djm@cvs.openbsd.org 2011/08/02 23:15:03
...
[ssh.c]
typo in comment
2011-08-06 06:18:16 +10:00
c471860d25
- djm@cvs.openbsd.org 2011/08/02 23:13:01
...
[version.h]
crank now, release later
2011-08-06 06:17:48 +10:00
20bd4535c0
- djm@cvs.openbsd.org 2011/08/02 01:22:11
...
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
adb467fb69
- markus@cvs.openbsd.org 2011/08/01 19:18:15
...
[gss-serv.c]
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
report Adam Zabrock; ok djm@, deraadt@
2011-08-06 06:16:46 +10:00
35e48198a8
- djm@cvs.openbsd.org 2011/07/29 14:42:45
...
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
2011-08-06 06:16:23 +10:00
6ea5e44871
- tedu@cvs.openbsd.org 2011/07/06 18:09:21
...
[authfd.c]
bzero the agent address. the kernel was for a while very cranky about
these things. evne though that's fixed, always good to initialize
memory. ok deraadt djm
2011-08-06 06:16:00 +10:00
7741ce8bd2
- djm@cvs.openbsd.org 2011/06/23 23:35:42
...
[monitor.c]
ignore EINTR errors from poll()
2011-08-06 06:15:15 +10:00
cd5e52ee78
- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
...
Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing
markus@
2011-06-27 07:18:18 +10:00
dcbd41e7af
- djm@cvs.openbsd.org 2011/06/23 09:34:13
...
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 19:45:51 +10:00
80b62e3738
- (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support
...
setrlimit(2)
2011-06-23 19:03:18 +10:00
6d7b4377dd
- djm@cvs.openbsd.org 2011/06/22 22:08:42
...
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
69ff1df952
- djm@cvs.openbsd.org 2011/06/22 21:57:01
...
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
2011-06-23 08:30:03 +10:00
82c558761d
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/06/22 21:47:28
[servconf.c]
reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-23 08:20:30 +10:00
4ac99c366c
- djm@cvs.openbsd.org 2011/06/17 21:57:25
...
[clientloop.c]
setproctitle for a mux master that has been gracefully stopped;
bz#1911 from Bert.Wesarg AT googlemail.com
2011-06-20 14:43:31 +10:00
33322127ec
- djm@cvs.openbsd.org 2011/06/17 21:47:35
...
[servconf.c]
factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@
2011-06-20 14:43:11 +10:00
f145a5be1c
- djm@cvs.openbsd.org 2011/06/17 21:46:16
...
[sftp-server.c]
the protocol version should be unsigned; bz#1913 reported by mb AT
smartftp.com
2011-06-20 14:42:51 +10:00
8f0bf237d4
- djm@cvs.openbsd.org 2011/06/17 21:44:31
...
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 14:42:23 +10:00
e7ac2bd42a
- markus@cvs.openbsd.org 2011/06/14 22:49:18
...
[authfile.c]
make sure key_parse_public/private_rsa1() no longer consumes its input
buffer. fixes ssh-add for passphrase-protected ssh1-keys;
noted by naddy@; ok djm@
2011-06-20 14:23:25 +10:00
6029e076b2
- djm@cvs.openbsd.org 2011/06/04 00:10:26
...
[ssh_config.5]
explain IdentifyFile's semantics a little better, prompted by bz#1898
ok dtucker jmc
2011-06-20 14:22:49 +10:00
bc481570d1
- (tim) [regress/cfgmatch.sh] Build/test out of tree fix.
2011-06-02 22:26:19 -07:00
bf4d05a37c
- dtucker@cvs.openbsd.org 2011/06/03 00:29:52
...
[regress/dynamic-forward.sh]
Retry establishing the port forwarding after a small delay, should make
the tests less flaky when the previous test is slow to shut down and free
up the port.
2011-06-03 14:19:02 +10:00
75e035c34e
- dtucker@cvs.openbsd.org 2011/05/31 02:03:34
...
[regress/dynamic-forward.sh]
work around startup and teardown races; caught by deraadt
2011-06-03 14:18:17 +10:00
260c8fbc4d
- dtucker@cvs.openbsd.org 2011/05/31 02:01:58
...
[regress/dynamic-forward.sh]
back out revs 1.6 and 1.5 since it's not reliable
2011-06-03 14:17:27 +10:00
3e78a516a0
- dtucker@cvs.openbsd.org 2011/06/03 01:37:40
...
[ssh-agent.c]
Check current parent process ID against saved one to determine if the parent
has exited, rather than attempting to send a zero signal, since the latter
won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn
Gillmor, ok djm@
2011-06-03 14:14:16 +10:00
c09182f613
- (djm) [configure.ac] enable setproctitle emulation for OS X
2011-06-03 12:11:38 +10:00
ea2c1a4dc6
- djm@cvs.openbsd.org 2011/06/03 00:54:38
...
[ssh.c]
bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
AT googlemail.com; ok dtucker@
NB. includes additional portability code to enable setproctitle emulation
on platforms that don't support it.
2011-06-03 12:10:22 +10:00
c3c7227ccc
add missing changelog entry
2011-06-03 11:20:06 +10:00
90f42b0705
- (tim) [configure.ac defines.h] Run test program to detect system mail
...
directory. Add --with-maildir option to override. Fixed OpenServer 6
getting it wrong. Fixed many systems having MAIL=/var/mail//username
ok dtucker
2011-06-02 18:17:49 -07:00
c412c1567b
- (dtucker) [README version.h contrib/caldera/openssh.spec
...
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
bumps from the 5.8p2 branch into HEAD. ok djm.
2011-06-03 10:35:23 +10:00
8cb3587336
- djm@cvs.openbsd.org 2011/05/23 03:31:31
...
[regress/cfgmatch.sh]
include testing of multiple/overridden AuthorizedKeysFiles
refactor to simply daemon start/stop and get rid of racy constructs
2011-05-29 21:59:10 +10:00
295ee63ab2
- djm@cvs.openbsd.org 2011/05/24 07:15:47
...
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
Remove undocumented legacy options UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
04bb56ef10
- djm@cvs.openbsd.org 2011/05/23 07:24:57
...
[authfile.c]
read in key comments for v.2 keys (though note that these are not
passed over the agent protocol); bz#439, based on patch from binder
AT arago.de; ok markus@
2011-05-29 21:42:08 +10:00
b9132fc427
- jmc@cvs.openbsd.org 2011/05/23 07:10:21
...
[sshd.8 sshd_config.5]
tweak previous; ok djm
2011-05-29 21:41:40 +10:00
201f425d29
- djm@cvs.openbsd.org 2011/05/23 03:52:55
...
[sshconnect.c]
remove extra newline
2011-05-29 21:41:03 +10:00
1dd66e5f74
- djm@cvs.openbsd.org 2011/05/23 03:33:38
...
[auth.c]
make secure_filename() spam debug logs less
2011-05-29 21:40:42 +10:00
d8478b6a9b
OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
2011-05-29 21:39:36 +10:00
acacced70b
- dtucker@cvs.openbsd.org 2011/05/20 06:32:30
...
[dynamic-forward.sh]
fix dumb error in dynamic-forward test
2011-05-20 19:08:40 +10:00
7b9451f382
- dtucker@cvs.openbsd.org 2011/05/20 05:19:50
...
[dynamic-forward.sh]
Prevent races in dynamic forwarding test; ok djm
2011-05-20 19:08:11 +10:00
3045b45a03
- djm@cvs.openbsd.org 2011/05/20 02:43:36
...
[cert-hostkey.sh]
another attempt to generate a v00 ECDSA key that broke the test
ID sync only - portable already had this somehow
2011-05-20 19:07:45 +10:00
f67188fe13
- djm@cvs.openbsd.org 2011/05/17 07:13:31
...
[regress/cert-userkey.sh]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
2011-05-20 19:06:48 +10:00
f2e407e2dd
- djm@cvs.openbsd.org 2011/05/20 03:25:45
...
[monitor.c monitor_wrap.c servconf.c servconf.h]
use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
2011-05-20 19:04:14 +10:00
c2411909c7
- dtucker@cvs.openbsd.org 2011/05/20 02:00:19
...
[servconf.c]
Add comment documenting what should be after the preauth check. ok djm
2011-05-20 19:03:49 +10:00
5d74e58e62
- djm@cvs.openbsd.org 2011/05/20 00:55:02
...
[servconf.c]
the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@
2011-05-20 19:03:31 +10:00
8f639fe722
- djm@cvs.openbsd.org 2011/05/17 07:13:31
...
[key.c]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
2011-05-20 19:03:08 +10:00
814ace0875
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/05/15 08:09:01
[authfd.c monitor.c serverloop.c]
use FD_CLOEXEC consistently; patch from zion AT x96.org
2011-05-20 19:02:47 +10:00
ec2eaa3daf
- (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2
2011-05-20 18:57:14 +10:00
989bb7f0c5
- (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
...
options, we should corresponding -W-option when trying to determine
whether it is accepted. Also includes a warning fix on the program
fragment uses (bad main() return type).
bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
2011-05-20 18:56:30 +10:00
14684a1f84
- (djm) [session.c] call setexeccon() before executing passwd for pw
...
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
2011-05-20 11:23:07 +10:00
23f425b48b
- (djm) [packet.c] unbreak portability #endif
2011-05-15 08:58:15 +10:00
9d276b8d68
- djm@cvs.openbsd.org 2011/05/13 00:05:36
...
[authfile.c]
warn on unexpected key type in key_parse_private_type()
2011-05-15 08:51:43 +10:00
7c1b2c4ea8
- djm@cvs.openbsd.org 2011/05/11 04:47:06
...
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@
2011-05-15 08:51:05 +10:00
3219824f2d
- djm@cvs.openbsd.org 2011/05/10 05:46:46
...
[authfile.c]
despam debug() logs by detecting that we are trying to load a private key
in key_try_load_public() and returning early; ok markus@
2011-05-15 08:50:32 +10:00
555f3b856f
- djm@cvs.openbsd.org 2011/05/08 12:52:01
...
[PROTOCOL.mux clientloop.c clientloop.h mux.c]
improve our behaviour when TTY allocation fails: if we are in
RequestTTY=auto mode (the default), then do not treat at TTY
allocation error as fatal but rather just restore the local TTY
to cooked mode and continue. This is more graceful on devices that
never allocate TTYs.
If RequestTTY is set to "yes" or "force", then failure to allocate
a TTY is fatal.
ok markus@
2011-05-15 08:48:05 +10:00
f4b32aad05
- jmc@cvs.openbsd.org 2011/05/07 23:20:25
...
[ssh.1]
+.It RequestTTY
2011-05-15 08:47:43 +10:00
486dd2eadb
- jmc@cvs.openbsd.org 2011/05/07 23:19:39
...
[ssh_config.5]
- tweak previous
- come consistency fixes
ok djm
2011-05-15 08:47:18 +10:00
c067f62560
- djm@cvs.openbsd.org 2011/05/06 22:20:10
...
[PROTOCOL.mux]
fix numbering; from bert.wesarg AT googlemail.com
2011-05-15 08:46:54 +10:00
a6bbbe4658
- djm@cvs.openbsd.org 2011/05/06 21:38:58
...
[ssh.c]
fix dropping from previous diff
2011-05-15 08:46:29 +10:00
21771e22d3
- djm@cvs.openbsd.org 2011/05/06 21:34:32
...
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
Add a RequestTTY ssh_config option to allow configuration-based
control over tty allocation (like -t/-T); ok markus@
2011-05-15 08:45:50 +10:00
fe92421772
- djm@cvs.openbsd.org 2011/05/06 21:31:38
...
[readconf.c ssh_config.5]
support negated Host matching, e.g.
Host *.example.org !c.example.org
User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
ok markus@
2011-05-15 08:44:45 +10:00
dfc85fa181
- djm@cvs.openbsd.org 2011/05/06 21:18:02
...
[ssh.c ssh_config.5]
add a %L expansion (short-form of the local host name) for ControlPath;
sync some more expansions with LocalCommand; ok markus@
2011-05-15 08:44:02 +10:00
d2ac5d74b4
- djm@cvs.openbsd.org 2011/05/06 21:14:05
...
[packet.c packet.h]
set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@
2011-05-15 08:43:13 +10:00
78c40c321b
- djm@cvs.openbsd.org 2011/05/06 02:05:41
...
[sshconnect2.c]
fix memory leak; bz#1849 ok dtucker@
2011-05-15 08:36:59 +10:00
58a77e2eac
- djm@cvs.openbsd.org 2011/05/06 01:09:53
...
[sftp.1]
mention that IPv6 addresses must be enclosed in square brackets;
bz#1845
2011-05-15 08:36:29 +10:00
fd53abd00b
- dtucker@cvs.openbsd.org 2011/05/06 01:03:35
...
[sshd_config]
clarify language about overriding defaults. bz#1892, from Petr Cerny
2011-05-15 08:36:02 +10:00
60432d8cf2
- djm@cvs.openbsd.org 2011/05/05 05:12:08
...
[mux.c]
gracefully fall back when ControlPath is too large for a
sockaddr_un. ok markus@ as part of a larger diff
2011-05-15 08:34:46 +10:00
d6548fe4cf
- (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882 : fix
...
--with-ssl-engine which was broken with the change from deprecated
SSLeay_add_all_algorithms(). ok djm
2011-05-10 11:13:36 +10:00
343f75fa19
- (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875 : add prototype
...
for closefrom() in test code. Report from Dan Wallis via Gentoo.
2011-05-06 10:43:50 +10:00
9abb697d4f
- (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@
2011-05-04 23:06:59 -07:00
19d8181b86
- (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE
...
so autoreconf 2.68 is happy.
2011-05-04 21:44:25 -07:00
2ce12ef1ac
- djm@cvs.openbsd.org 2011/05/04 21:15:29
...
[authfile.c authfile.h ssh-add.c]
allow "ssh-add - < key"; feedback and ok markus@
2011-05-05 14:17:18 +10:00
8cb1cda1e3
- djm@cvs.openbsd.org 2011/04/18 00:46:05
...
[ssh-keygen.c]
certificate options are supposed to be packed in lexical order of
option name (though we don't actually enforce this at present).
Move one up that was out of sequence
2011-05-05 14:16:56 +10:00
6c3eec7ab2
- djm@cvs.openbsd.org 2011/04/17 22:42:42
...
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
allow graceful shutdown of multiplexing: request that a mux server
removes its listener socket and refuse future multiplexing requests;
ok markus@
2011-05-05 14:16:22 +10:00
ad21032e65
- djm@cvs.openbsd.org 2011/04/13 04:09:37
...
[ssh-keygen.1]
mention valid -b sizes for ECDSA keys; bz#1862
2011-05-05 14:15:54 +10:00
085c90fa20
- djm@cvs.openbsd.org 2011/04/13 04:02:48
...
[ssh-keygen.1]
improve wording; bz#1861
2011-05-05 14:15:33 +10:00
26b57ce6c2
- djm@cvs.openbsd.org 2011/04/12 05:32:49
...
[sshd.c]
exit with 0 status on SIGTERM; bz#1879
2011-05-05 14:15:09 +10:00
884b63a061
- djm@cvs.openbsd.org 2011/04/12 04:23:50
...
[ssh-keygen.c]
fix -Wshadow
2011-05-05 14:14:52 +10:00
9147586599
- stevesk@cvs.openbsd.org 2011/03/29 18:54:17
...
[misc.c misc.h servconf.c]
print ipqos friendly string for sshd -T; ok markus
# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput
2011-05-05 14:14:34 +10:00
044f4a6cc3
- stevesk@cvs.openbsd.org 2011/03/24 22:14:54
...
[ssh-keygen.c]
use strcasecmp() for "clear" cert permission option also; ok djm
2011-05-05 14:14:08 +10:00
3ca1eb373f
- jmc@cvs.openbsd.org 2011/03/24 15:29:30
...
[ssh-keygen.1]
zap trailing whitespace;
2011-05-05 14:13:50 +10:00
111431963e
- stevesk@cvs.openbsd.org 2011/03/23 16:50:04
...
[ssh-keygen.c]
remove -d, documentation removed >10 years ago; ok markus
2011-05-05 14:13:25 +10:00
4a4d161545
- stevesk@cvs.openbsd.org 2011/03/23 16:24:56
...
[ssh-keygen.1]
-q not used in /etc/rc now so remove statement.
2011-05-05 14:06:39 +10:00
58f1bafb3d
- stevesk@cvs.openbsd.org 2011/03/23 15:16:22
...
[ssh-keygen.1 ssh-keygen.c]
Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)
for which host keys do not exist, generate the host keys with the
default key file path, an empty passphrase, default bits for the key
type, and default comment. This will be used by /etc/rc to generate
new host keys. Idea from deraadt.
ok deraadt
2011-05-05 14:06:15 +10:00
Darren Tucker
Damien Miller
Tim Rice