This is basically the existing notify_pipe kludge from serverloop.c
moved behind a pselect interface. It works by installing a signal
handler that writes to a pipe that the select is watching, then calls
the original handler.
The select call in serverloop will become pselect soon, at which point the
kludge will be removed from thereand will only exist in the compat layer.
Original code by markus, help from djm.
By design, 'partial' logins are successful logins, so initially with
authenticated set to 1, for which another authentication is required. As
a result, authenticated is always reset to 0 when partial is set to 1.
However, even if authenticated is 0, those are not failed login
attempts, similarly to attempts with authctxt->postponed set to 1.
function definitions and not a statement, so there should be no semicolon
following them. Patch from Michael Forney
OpenBSD-Commit-ID: c975dd180580f0bdc0a4d5b7d41ab1f5e9b7bedd
stuff, de-wrapping the example lines and better aligning the examples with
common usage and FAQs; ok jmc
OpenBSD-Commit-ID: d59f1c9281f828148e2a2e49eb9629266803b75c
pselect() and mask signals while checking signal flags, umasking for pselect
and restoring afterwards. Also restore signals before sighup_restart so they
don't remain blocked after restart.
This prevents a race where a SIGTERM or SIGHUP can arrive between
checking the flag and calling select (eg if sshd is processing a
new connection) resulting in sshd not shutting down until the next
time it receives a new connection. bz#2158, with & ok djm@
OpenBSD-Commit-ID: bf85bf880fd78e00d7478657644fcda97b9a936f
handled specially by the protocol. Useful in ~/.ssh/config to set TERM to
something generic (e.g. "xterm" instead of "xterm-256color") for destinations
that lack terminfo entries. feedback and ok dtucker@
OpenBSD-Commit-ID: 38b1ef4d5bc159c7d9d589d05e3017433e2d5758
allowing it to be overridden. Do the same in the PuTTY tests since it's
needed there and not exported by test-exec.sh.
OpenBSD-Regress-ID: c49dcd6aa7602a8606b7afa192196ca1fa65de16
allows overriding if necessary (eg in -portable where we're testing against a
specific version of OpenSSL).
OpenBSD-Regress-ID: 491f39cae9e762c71aa4bf045803d077139815c5
prior to passing it to libfido2, which does expect a hash.
There is no effect for users who are simply generating FIDO keys using
ssh-keygen - by default we generate a random 256 bit challenge, but
people building attestation workflows around our tools should now have
a more consistent experience (esp. fewer failures when they fail to
guess the magic 32-byte challenge length requirement).
ok markus@
OpenBSD-Commit-ID: b8d5363a6a7ca3b23dc28f3ca69470472959f2b5
when the update removed more host keys than remain present. Fix tested by
reporter James Cook, via bugs@
OpenBSD-Commit-ID: 44f641f6ee02bb957f0c1d150495b60cf7b869d3
"hostbasedacceptedalgorithms"
This fixes a mistake that slipped in when "HostbasedKeyTypes" was
renamed to "HostbasedAcceptedAlgorithms".
Bug report by zack@philomathiclife.com
OpenBSD-Commit-ID: d745a7e8e50b2589fc56877f322ea204bc784f38
The original intent was to provide a status page for the CIs configured
in that directory, but it had the side effect of replacing the top-level
README.md.
ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.
> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable
This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.
This was reported as bz3280 and GHPR246; ok dtucker@
OpenBSD-Commit-ID: 8cc67346f05aa85a598bddf2383fcfcc3aae61ce
shell when the -N (no shell) option was specified. bz3290 reported by Richard
Schwab; patch from markus@ ok me
OpenBSD-Commit-ID: ea1ea4af16a95687302f7690bdbe36a6aabf87e1
connection do need to use the same parameters (ie groups), the DH-GEX
protocol takes care of that and both ends do not need the same contents in
the moduli file, which is what the previous text suggested. ok djm@ jmc@
OpenBSD-Commit-ID: f0c18cc8e79c2fbf537a432a9070ed94e96a622a
Check out specified OpenSSL version. Install custom libcrypto where
configure expects to find it. Remove unneeded OpenSSL config time
options. Older OpenSSL versions were not make -j safe so remove it.
Darren Tucker
Vincent Brillault
djm@openbsd.org
dtucker@openbsd.org
naddy@openbsd.org
Damien Miller