- Enable use of PKCS11 library files by adjusting central configuration file.
- Modified dlsym() to return a void pointer instead of an int which is consistent with POSIX. The previous return type caused an issue with 32-bit builds with PKCS11 enabled.
https://github.com/PowerShell/Win32-OpenSSH/issues/1330
Issue: open(dev/nul) returns a handle is passes isatty() test (i.e its being treated as a terminal handle by OS). This handle seems to work fine for as a console handle for console APIs, except when NUL is explicitly redirected.
This works
ssh -n target hostname
but this hangs due to a deadlock from writing a log entry on a console API failure
ssh -n target hostname < NUL
Fix: Ignore console API failures when the handle is being reported as invalid.
dlerror() is supposed to return a char *, but currently returns a
DWORD. Reimplement it using the Win32 FormatMessage function.
Correctly handle UTF-8 filenames in the Win32 implementation of dlopen()
- Updated Win32 error translation table to translate ERROR_INVALID_FUNCTION as EOPNOTSUPP which in turn allows the SFTP rename capability to failover to rename() when link()/unlink() combination does not work due to the volume not supporting it.
- Addressed file security descriptor with no defined DACL.
PowerShell/Win32-OpenSSH#1357
Changes from #353 enabled closing of previously duplicated Console handles - this is causing TTY rendering issues in ssh.exe.
Added a workaround for now to skip closing Console handles.
Added an implementation of GSSAPI interface to support Kerberos SSPI within OpenSSH. This is only a partial definition of the full GSSAPI specification since OpenSSH only requires a subset of the overall GSSAPI functionality.
PowerShell/Win32-OpenSSH#1263
Issue: ssh-agent is using default sign algorithm, without considering related flags in request
Fix: parse flags and consider sign algorithm input
PowerShell/Win32-OpenSSH#1234
Issue: ssh-agent has old logic to lookup sshd account
Fix: remove this redundant logic
Issue: Earlier change missed "return" calls that will end up ignoring singleton logic and re-running console handle generation logic multiple times, leaking previously created handles in the process.
Fix: Add the missing "return" calls
With recent changes, PTY sessions are no longer working. The issue is due to TTY code in ssh.exe assuming that stdin and stdout are console handles. The reality could be different since these handles always are dup'ed or closed for other reasons.
Fix involves extracting console handles via CreateFile(CONIN\CONOUT).
PowerShell/Win32-OpenSSH#1211PowerShell/Win32-OpenSSH#1082
Added support for posix_spawnp that executes the command directly instead of appending path. (SH_ASKPASS and proxy command use this). Refactored posix spawn commandline building logic to automatically account for Windows CRT escaping rules on all arguments.
- Removed #ifdef WINDOWS blocks in base code where the feature support can be conveyed by a failed POSIX API call
- Refactored password authentication code
- Other misc changes - Removed DebugBreak on Release Builds
In Windows, unprivileged worker runs as a runtime generated virtual account. There should be no requirement to have a real account under the name of unprivileged user (sshd).
Current impementions of the gcc spectre mitigation flags cause
miscompilations when combined with other flags and do not provide much
protection. Found by fweimer at redhat.com, ok djm@
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs,
so that empty passphrases are interpreted differently. This
probabalistically breaks loading some keys, because the PEM format
is terrible and doesn't include a proper MAC.
Avoid this by providing a basic callback to avoid passing empty
passphrases to OpenSSL in cases where one is required.
Based on patch from Jakub Jelen in bz#2913; ok dtucker@
is specified as "incorrect passphrase" instead of trying to choose between
that and "invalid format".
libcrypto can return ASN1 parsing errors rather than the expected
decrypt error in certain infrequent cases when trying to decrypt/parse
PEM private keys when supplied with an invalid passphrase.
Report and repro recipe from Thomas Deutschmann in bz#2901
ok markus@
OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_config handle its argument as a
port rather than a plain integer.
ok dtucker@ deraadt@
OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
