Commit Graph

6316 Commits

Author SHA1 Message Date
Damien Miller 1f583df8c3 - dtucker@cvs.openbsd.org 2013/02/06 00:20:42
[servconf.c sshd_config sshd_config.5]
     Change default of MaxStartups to 10:30:100 to start doing random early
     drop at 10 connections up to 100 connections.  This will make it harder
     to DoS as CPUs have come a long way since the original value was set
     back in 2000.  Prompted by nion at debian org, ok markus@
2013-02-12 11:02:08 +11:00
Damien Miller 0cd2f8e5f8 - djm@cvs.openbsd.org 2013/01/27 10:06:12
[krl.c]
     actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
2013-02-12 11:01:39 +11:00
Damien Miller f0a8ded824 - djm@cvs.openbsd.org 2013/01/26 06:11:05
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
     [openbsd-compat/openssl-compat.h]
     remove ACSS, now that it is gone from libcrypto too
2013-02-12 11:00:34 +11:00
Damien Miller 60565bcb5c - djm@cvs.openbsd.org 2013/01/25 10:22:19
[krl.c]
     redo last commit without the vi-vomit that snuck in:
     skip serial lookup when cert's serial number is zero
     (now with 100% better comment)
2013-02-12 10:56:42 +11:00
Damien Miller 377d9a44f9 - krw@cvs.openbsd.org 2013/01/25 05:00:27
[krl.c]
     Revert last. Breaks due to likely typo. Let djm@ fix later.
     ok djm@ via dlg@
2013-02-12 10:55:16 +11:00
Damien Miller 6045f5d574 - djm@cvs.openbsd.org 2013/01/24 22:08:56
[krl.c]
     skip serial lookup when cert's serial number is zero
2013-02-12 10:54:54 +11:00
Damien Miller ea078462ea - (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/01/24 21:45:37
     [krl.c]
     fix handling of (unused) KRL signatures; skip string in correct buffer
2013-02-12 10:54:37 +11:00
Damien Miller b6f73b3af6 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
libcrypto that lacks EVP_CIPHER_CTX_ctrl
2013-02-11 10:39:12 +11:00
Darren Tucker 951b53b1be - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
__attribute__ on return values and work around if necessary.  ok djm@
2013-02-08 11:50:09 +11:00
Damien Miller e7f50e1c18 - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
patch from Iain Morgan in bz#2059
2013-02-08 10:49:37 +11:00
Damien Miller 5c3bbd76aa - (djm) [configure.ac] Don't probe seccomp capability of running kernel
at configure time; the seccomp sandbox will fall back to rlimit at
       runtime anyway. Patch from plautrba AT redhat.com in bz#2011
2013-02-07 10:11:05 +11:00
Damien Miller dc75d1fc04 - (djm) [regress/krl.sh] replacement for jot; most platforms lack it 2013-01-20 22:58:51 +11:00
Damien Miller d60b210830 - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
version.
2013-01-20 22:49:58 +11:00
Damien Miller a7522d9fc0 - markus@cvs.openbsd.org 2013/01/19 12:34:55
[krl.c]
     RB_INSERT does not remove existing elments; ok djm@
2013-01-20 22:35:31 +11:00
Damien Miller a0a7ee8bf4 - jmc@cvs.openbsd.org 2013/01/19 07:13:25
[ssh-keygen.1]
     fix some formatting; ok djm
2013-01-20 22:35:06 +11:00
Damien Miller 881a7a2c5d - jmc@cvs.openbsd.org 2013/01/18 21:48:43
[ssh-keygen.1]
     command-line (adj.) -> command line (n.);
2013-01-20 22:34:46 +11:00
Damien Miller 072fdcd198 - jmc@cvs.openbsd.org 2013/01/18 08:39:04
[ssh-keygen.1]
     add -Q to the options list; ok djm
2013-01-20 22:34:04 +11:00
Damien Miller 72abeb709e - jmc@cvs.openbsd.org 2013/01/18 08:00:49
[sshd_config.5]
     tweak previous;
2013-01-20 22:33:44 +11:00
Damien Miller 3d6d68b1e1 - jmc@cvs.openbsd.org 2013/01/18 07:59:46
[ssh-keygen.c]
     -u before -V in usage();
2013-01-20 22:33:23 +11:00
Damien Miller ac5542b6b8 - jmc@cvs.openbsd.org 2013/01/18 07:57:47
[ssh-keygen.1]
     tweak previous;
2013-01-20 22:33:02 +11:00
Damien Miller da5cc5d09a - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
   prototypes for openssl-1.0.0-fips.
2013-01-20 22:31:29 +11:00
Damien Miller 13f5f768bc - djm@cvs.openbsd.org 2013/01/18 03:00:32
[krl.c]
     fix KRL generation bug for list sections
2013-01-18 15:32:03 +11:00
Damien Miller ebafebda85 - djm@cvs.openbsd.org 2013/01/18 00:45:29
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
     Tests for Key Revocation Lists (KRLs)
2013-01-18 11:51:56 +11:00
Damien Miller f3747bf401 - djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
2013-01-18 11:44:04 +11:00
Damien Miller b26699bbad - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
check for GCM support before testing GCM ciphers.
2013-01-17 14:31:57 +11:00
Damien Miller efa1c95092 - (djm) [regress/integrity.sh] repair botched merge 2013-01-12 23:10:47 +11:00
Damien Miller 846dc7f21c - djm@cvs.openbsd.org 2013/01/12 11:23:53
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
     test AES-GCM modes; feedback markus@
2013-01-12 22:46:26 +11:00
Damien Miller c20eb8b8ea - djm@cvs.openbsd.org 2013/01/12 11:22:04
[cipher.c]
     improve error message for integrity failure in AES-GCM modes; ok markus@
2013-01-12 22:41:26 +11:00
Damien Miller 1422c0887c - djm@cvs.openbsd.org 2013/01/09 05:40:17
[ssh-keygen.c]
     correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 16:44:54 +11:00
Damien Miller d522c68872 - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
   cipher compat code to openssl-compat.h
2013-01-09 16:42:47 +11:00
Damien Miller 1d75abfe23 - markus@cvs.openbsd.org 2013/01/08 18:49:04
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
     [myproposal.h packet.c ssh_config.5 sshd_config.5]
     support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
     ok and feedback djm@
2013-01-09 16:12:19 +11:00
Damien Miller aa7ad3039c - jmc@cvs.openbsd.org 2013/01/04 19:26:38
[sftp-server.8 sftp-server.c]
     sftp-server.8: add argument name to -d
     sftp-server.c: add -d to usage()
     ok djm
2013-01-09 15:58:21 +11:00
Damien Miller ec77c954c8 - djm@cvs.openbsd.org 2013/01/03 23:22:58
[ssh-keygen.c]
     allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
     ok markus@
2013-01-09 15:58:00 +11:00
Damien Miller 502ab0eff1 - djm@cvs.openbsd.org 2013/01/03 12:54:49
[sftp-server.8 sftp-server.c]
     allow specification of an alternate start directory for sftp-server(8)
     "I like this" markus@
2013-01-09 15:57:36 +11:00
Damien Miller 3739c8f041 - djm@cvs.openbsd.org 2013/01/03 12:49:01
[PROTOCOL]
     fix description of MAC calculation for EtM modes; ok markus@
2013-01-09 15:57:16 +11:00
Damien Miller 441384453c - djm@cvs.openbsd.org 2013/01/03 05:49:36
[servconf.h]
     add a couple of ServerOptions members that should be copied to the privsep
     child (for consistency, in this case they happen only to be accessed in
     the monitor); ok dtucker@
2013-01-09 15:56:45 +11:00
Damien Miller 697485d50a - djm@cvs.openbsd.org 2013/01/02 00:33:49
[PROTOCOL.agent]
     correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
     bz#2051 from david AT lechnology.com
2013-01-09 15:56:13 +11:00
Damien Miller 73298f420e - djm@cvs.openbsd.org 2013/01/02 00:32:07
[clientloop.c mux.c]
     channel_setup_local_fwd_listener() returns 0 on failure, not -ve
     bz#2055 reported by mathieu.lacage AT gmail.com
2013-01-09 15:55:50 +11:00
Damien Miller 4e14a58f3f - dtucker@cvs.openbsd.org 2012/12/14 05:26:43
[auth.c]
     use correct string in error message; from rustybsd at gmx.fr
2013-01-09 15:54:48 +11:00
Darren Tucker 0fc77297e6 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress
tests will work with VPATH directories.
2012-12-17 15:59:42 +11:00
Damien Miller 13cbff1e00 - (djm) [cipher.c] Fix missing prototype for compat code 2012-12-13 08:25:07 +11:00
Damien Miller 25a02b0c95 - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
compat code for older OpenSSL
2012-12-13 08:18:56 +11:00
Damien Miller 8c05da3326 - markus@cvs.openbsd.org 2012/12/12 16:45:52
[packet.c]
     reset incoming_packet buffer for each new packet in EtM-case, too;
     this happens if packets are parsed only parially (e.g. ignore
     messages sent when su/sudo turn off echo); noted by sthen/millert
2012-12-13 07:18:59 +11:00
Damien Miller faabeb6b36 - (djm) [regress/Makefile] fix t-exec rule 2012-12-12 12:51:54 +11:00
Damien Miller 37461d7391 - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip 2012-12-12 12:37:32 +11:00
Damien Miller 37834afe7b - (djm) [mac.c] fix merge botch 2012-12-12 11:00:37 +11:00
Damien Miller ec7ce9ace4 - markus@cvs.openbsd.org 2012/12/11 23:12:13
[try-ciphers.sh]
     add hmac-ripemd160-etm@openssh.com
2012-12-12 10:55:32 +11:00
Damien Miller 1fb593a3f1 - markus@cvs.openbsd.org 2012/12/11 22:42:11
[regress/Makefile regress/modpipe.c regress/integrity.sh]
     test the integrity of the packets; with djm@
2012-12-12 10:54:37 +11:00
Damien Miller 1a45b63d7b - markus@cvs.openbsd.org 2012/12/11 22:32:56
[regress/try-ciphers.sh]
     add etm modes
2012-12-12 10:52:07 +11:00
Damien Miller 74f13bdf26 - sthen@cvs.openbsd.org 2012/12/11 22:51:45
[mac.c]
     fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
2012-12-12 10:46:53 +11:00
Damien Miller af43a7ac2d - markus@cvs.openbsd.org 2012/12/11 22:31:18
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
     [packet.c ssh_config.5 sshd_config.5]
     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
     that change the packet format and compute the MAC over the encrypted
     message (including the packet size) instead of the plaintext data;
     these EtM modes are considered more secure and used by default.
     feedback and ok djm@
2012-12-12 10:46:31 +11:00
Damien Miller 6a1937eac5 - markus@cvs.openbsd.org 2012/12/11 22:16:21
[monitor.c]
     drain the log messages after receiving the keystate from the unpriv
     child. otherwise it might block while sending. ok djm@
2012-12-12 10:44:38 +11:00
Darren Tucker 3e1027cd1f - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
[serverloop.c]
     Cast signal to int for logging.  A no-op on openbsd (they're always ints)
     but will prevent warnings in portable.  ok djm@
2012-12-07 13:07:46 +11:00
Darren Tucker 8a96522482 - markus@cvs.openbsd.org 2012/12/05 15:42:52
[ssh-add.c]
     prevent double-free of comment; ok djm@
2012-12-07 13:07:02 +11:00
Darren Tucker f9333d5246 - jmc@cvs.openbsd.org 2012/12/03 08:33:03
[ssh-add.1 sshd_config.5]
     tweak previous;
2012-12-07 13:06:13 +11:00
Darren Tucker 3dfb877046 - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
[regress/keys-command.sh]
     Fix some problems with the keys-command test:
      - use string comparison rather than numeric comparison
      - check for existing KEY_COMMAND file and don't clobber if it exists
      - clean up KEY_COMMAND file if we do create it.
      - check that KEY_COMMAND is executable (which it won't be if eg /var/run
        is mounted noexec).
     ok djm.
2012-12-07 13:03:10 +11:00
Tim Rice 96ce9a1e45 20121205
- (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
2012-12-04 07:50:03 -08:00
Damien Miller 8b48982a56 - (djm) [configure.ac] Revert previous. configure.ac already does this
for us.
2012-12-03 12:35:55 +11:00
Damien Miller 03af12e930 - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
debugging. ok dtucker@
2012-12-03 11:55:53 +11:00
Damien Miller 55aca027ed - djm@cvs.openbsd.org 2012/12/03 00:14:06
[auth2-chall.c ssh-keygen.c]
     Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
Damien Miller 999bd2d259 - djm@cvs.openbsd.org 2012/12/02 20:47:48
[Makefile regress/forward-control.sh]
     regress for AllowTcpForwarding local/remote; ok markus@
2012-12-03 10:13:39 +11:00
Damien Miller 771c43cee6 - djm@cvs.openbsd.org 2012/11/22 22:49:30
[regress/Makefile regress/keys-command.sh]
     regress for AuthorizedKeysCommand; hints from markus@
2012-12-03 10:12:13 +11:00
Damien Miller 6618e92509 - djm@cvs.openbsd.org 2012/10/19 05:10:42
[regress/cert-userkey.sh]
     include a serial number when generating certs
2012-12-03 10:09:04 +11:00
Damien Miller fa51d8b6b2 - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
[regress/cipher-speed.sh regress/try-ciphers.sh]
     Add umac-128@openssh.com to the list of MACs to be tested
2012-12-03 10:08:25 +11:00
Damien Miller d27a026ab7 - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
[regress/multiplex.sh]
     Use 'kill -0' to test for the presence of a pid since it's more portable
2012-12-03 10:06:37 +11:00
Damien Miller 15b05cfa17 - djm@cvs.openbsd.org 2012/12/02 20:34:10
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
     [monitor.c monitor.h]
     Fixes logging of partial authentication when privsep is enabled
     Previously, we recorded "Failed xxx" since we reset authenticated before
     calling auth_log() in auth2.c. This adds an explcit "Partial" state.

     Add a "submethod" to auth_log() to report which submethod is used
     for keyboard-interactive.

     Fix multiple authentication when one of the methods is
     keyboard-interactive.

     ok markus@
2012-12-03 09:53:20 +11:00
Damien Miller aa5b3f8314 - djm@cvs.openbsd.org 2012/12/02 20:46:11
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
     [sshd_config.5]
     make AllowTcpForwarding accept "local" and "remote" in addition to its
     current "yes"/"no" to allow the server to specify whether just local or
     remote TCP forwarding is enabled. ok markus@
2012-12-03 09:50:54 +11:00
Damien Miller 33a813613a - djm@cvs.openbsd.org 2012/12/02 20:42:15
[ssh-add.1 ssh-add.c]
     make deleting explicit keys "ssh-add -d" symmetric with adding keys -
     try to delete the corresponding certificate too and respect the -k option
     to allow deleting of the key only; feedback and ok markus@
2012-12-03 09:50:24 +11:00
Damien Miller cb6b68b209 - djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c]
     Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
     This allows control of which keys are offered from tokens using
     IdentityFile. ok markus@
2012-12-03 09:49:52 +11:00
Damien Miller cf6ef137b5 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
TAILQ_FOREACH_SAFE needed for upcoming changes.
2012-12-03 09:37:56 +11:00
Damien Miller 6f3b362fa8 - djm@cvs.openbsd.org 2012/11/14 02:32:15
[ssh-keygen.c]
     allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
Damien Miller 1e85469fcb - djm@cvs.openbsd.org 2012/11/14 02:24:27
[auth2-pubkey.c]
     fix username passed to helper program
     prepare stdio fds before closefrom()

     spotted by landry@
2012-11-14 19:04:02 +11:00
Damien Miller 0120c41d6b - jmc@cvs.openbsd.org 2012/09/26 17:34:38
[moduli.5]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-11-07 08:36:00 +11:00
Damien Miller d5c3d4c0ca - eric@cvs.openbsd.org 2011/11/28 08:46:27
[moduli.5]
     fix formula
     ok djm@
2012-11-07 08:35:38 +11:00
Darren Tucker 737f7aff36 - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
don't have it.  Spotted by tim@.
2012-11-05 17:07:43 +11:00
Darren Tucker f96ff18a92 - (dtucker) [uidswap.c openbsd-compat/Makefile.in
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
   openbsd-compat/openbsd-compat.h]  Move the fallback code for setting uids
   and gids from uidswap.c to the compat library, which allows it to work with
   the new setresuid calls in auth2-pubkey.  with tim@, ok djm@
2012-11-05 17:04:37 +11:00
Damien Miller a6e3f01d1e - djm@cvs.openbsd.org 2012/11/04 11:09:15
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
     [sshd_config.5]
     Support multiple required authentication via an AuthenticationMethods
     option. This option lists one or more comma-separated lists of
     authentication method names. Successful completion of all the methods in
     any list is required for authentication to complete;
     feedback and ok markus@
2012-11-04 23:21:40 +11:00
Damien Miller d0d1099b3b - djm@cvs.openbsd.org 2012/11/04 10:38:43
[auth2-pubkey.c sshd.c sshd_config.5]
     Remove default of AuthorizedCommandUser. Administrators are now expected
     to explicitly specify a user. feedback and ok markus@
2012-11-04 22:23:14 +11:00
Damien Miller f33580eed0 - OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2012/10/31 08:04:50
     [sshd_config.5]
     tweak previous;
2012-11-04 22:22:52 +11:00
Damien Miller 09d3e12512 - djm@cvs.openbsd.org 2012/10/30 21:29:55
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
     [sshd.c sshd_config sshd_config.5]
     new sshd_config option AuthorizedKeysCommand to support fetching
     authorized_keys from a command in addition to (or instead of) from
     the filesystem. The command is run as the target server user unless
     another specified via a new AuthorizedKeysCommandUser option.

     patch originally by jchadima AT redhat.com, reworked by me; feedback
     and ok markus@
2012-10-31 08:58:58 +11:00
Damien Miller 07daed505f - (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2012/10/05 12:34:39
     [sftp.c]
     fix signed vs unsigned warning; feedback & ok: djm@
2012-10-31 08:57:55 +11:00
Tim Rice c0e5cbe222 - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
the generated file as intended.
2012-10-18 21:38:58 -07:00
Darren Tucker cc8e9ffdd1 - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom" 2012-10-05 15:41:06 +10:00
Darren Tucker 50ce447ef9 - [umac.c] Enforce allowed umac output sizes. From djm@. 2012-10-05 12:11:33 +10:00
Darren Tucker ee4ad778d7 - dtucker@cvs.openbsd.org 2012/09/10 01:51:19
[regress/multiplex.sh]
     use -Ocheck and waiting for completions by PID to make multiplexing test
     less racy and (hopefully) more reliable on slow hardware.
2012-10-05 12:04:10 +10:00
Darren Tucker 9b2c0360cf - dtucker@cvs.openbsd.org 2012/09/10 00:49:21
[regress/multiplex.sh]
     Log -O cmd output to the log file and make logging consistent with the
     other tests.  Test clean shutdown of an existing channel when testing
     "stop".
2012-10-05 11:45:39 +10:00
Darren Tucker 6fc5aa8b2e - dtucker@cvs.openbsd.org 2012/09/09 11:51:25
[multiplex.sh]
     Add test for ssh -Ostop
2012-10-05 11:43:57 +10:00
Darren Tucker 189e5bad5c - dtucker@cvs.openbsd.org 2012/09/06 04:11:07
[regress/try-ciphers.sh]
     Restore missing space.  (Id sync only).
2012-10-05 11:41:52 +10:00
Darren Tucker 992faad1f1 - [Makefile umac.c] Add special-case target to build umac128.o. 2012-10-05 11:38:24 +10:00
Darren Tucker 427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Darren Tucker 0dc283b13a - djm@cvs.openbsd.org 2012/10/02 07:07:45
[ssh-keygen.c]
     fix -z option, broken in revision 1.215
2012-10-05 10:52:51 +10:00
Darren Tucker 3a7c04105a - naddy@cvs.openbsd.org 2012/10/01 13:59:51
[monitor_wrap.c]
     pasto; ok djm@
2012-10-05 10:51:59 +10:00
Darren Tucker 628a3fdce2 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
[ssh.1]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-10-05 10:50:15 +10:00
Darren Tucker 17146d369c - dtucker@cvs.openbsd.org 2012/09/21 10:55:04
[sftp.c]
     Fix handling of filenames containing escaped globbing characters and
     escape "#" and "*".  Patch from Jean-Marc Robert via tech@, ok djm.
2012-10-05 10:46:16 +10:00
Darren Tucker 191fcc6e4e - dtucker@cvs.openbsd.org 2012/09/21 10:53:07
[sftp.c]
     Fix improper handling of absolute paths when PWD is part of the completed
     path.  Patch from Jean-Marc Robert via tech@, ok djm.
2012-10-05 10:45:01 +10:00
Darren Tucker 063018d9f6 - dtucker@cvs.openbsd.org 2012/09/18 10:36:12
[sftp.c]
     Add bounds check on sftp tab-completion.  Part of a patch from from
     Jean-Marc Robert via tech@, ok djm
2012-10-05 10:43:58 +10:00
Darren Tucker 302889a1b0 - markus@cvs.openbsd.org 2012/09/17 13:04:11
[packet.c]
     clear old keys on rekeing; ok djm
2012-10-05 10:42:53 +10:00
Darren Tucker 0af2405ebf - (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2012/09/17 09:54:44
     [sftp.c]
     an XXX for later
2012-10-05 10:41:25 +10:00
Darren Tucker 26b9e3b0c5 - markus@cvs.openbsd.org 2012/09/14 16:51:34
[sshconnect.c]
     remove unused variable
2012-09-17 13:25:44 +10:00
Darren Tucker bb6cc07cf4 - dtucker@cvs.openbsd.org 2012/09/13 23:37:36
[servconf.c]
     Fix comment line length
2012-09-17 13:25:06 +10:00
Darren Tucker 86dc9b4110 Fix author's name for RFC6594 SSHFP change 2012-09-07 18:08:23 +10:00
Darren Tucker 48bf4b0ca3 - dtucker@cvs.openbsd.org 2012/09/07 06:34:21
[clientloop.c]
     when muxmaster is run with -N, make it shut down gracefully when a client
     sends it "-O stop" rather than hanging around (bz#1985).  ok djm@
2012-09-07 16:38:53 +10:00
Darren Tucker ca0d0fd806 - dtucker@cvs.openbsd.org 2012/09/07 01:10:21
[clientloop.c]
     Merge escape help text for ~v and ~V; ok djm@
2012-09-07 11:22:24 +10:00
Darren Tucker f111d40604 - dtucker@cvs.openbsd.org 2012/09/07 00:30:19
[clientloop.c]
     Print '^Z' instead of a raw ^Z when the sequence is not supported.  ok djm@
2012-09-07 11:21:42 +10:00
Darren Tucker 83d0af6907 - jmc@cvs.openbsd.org 2012/09/06 13:57:42
[ssh.1]
     missing letter in previous;
2012-09-07 11:21:03 +10:00
Darren Tucker 92a39cfa09 - dtucker@cvs.openbsd.org 2012/09/06 09:50:13
[clientloop.c]
     Make the escape command help (~?) context sensitive so that only commands
     that will work in the current session are shown.  ok markus@

(note: previous commit with this description was a mistake on my part while
pulling changes from OpenBSD)
2012-09-07 11:20:20 +10:00
Darren Tucker 241995382e bz#2039: add acknowledgement of the original authors of the ECDSA SSHFP DNS
work.  From Ondřej Surý.
2012-09-07 10:44:34 +10:00
Darren Tucker 29bf4040b4 - dtucker@cvs.openbsd.org 2012/09/06 09:50:13
[clientloop.c]
     Make the escape command help (~?) context sensitive so that only commands
     that will work in the current session are shown.  ok markus@
2012-09-06 21:26:34 +10:00
Darren Tucker 50a48d025f - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
[clientloop.c log.c ssh.1 log.h]
     Add ~v and ~V escape sequences to raise and lower the logging level
     respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
Darren Tucker 00c1518a4d - djm@cvs.openbsd.org 2012/08/17 01:30:00
[compat.c sshconnect.c]
     Send client banner immediately, rather than waiting for the server to
     move first for SSH protocol 2 connections (the default). Patch based on
     one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
2012-09-06 21:21:56 +10:00
Darren Tucker f09a8a6c6d - djm@cvs.openbsd.org 2012/08/17 01:25:58
[ssh-keygen.c]
     print details of which host lines were deleted when using
     "ssh-keygen -R host"; ok markus@
2012-09-06 21:20:39 +10:00
Darren Tucker ae608bdd83 - djm@cvs.openbsd.org 2012/08/17 01:22:56
[kex.c]
     add some comments about better handling first-KEX-follows notifications
     from the server. Nothing uses these right now. No binary change
2012-09-06 21:19:51 +10:00
Darren Tucker 66cb0e0733 - dtucker@cvs.openbsd.org 2012/08/17 00:45:45
[clientloop.c clientloop.h mux.c]
     Force a clean shutdown of ControlMaster client sessions when the ~. escape
     sequence is used.  This means that ~. should now work in mux clients even
     if the server is no longer responding.  Found by tedu, ok djm.
2012-09-06 21:19:05 +10:00
Darren Tucker 3ee50c5d9f - jmc@cvs.openbsd.org 2012/08/15 18:25:50
[ssh-keygen.1]
     a little more info on certificate validity;
     requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
Darren Tucker 23e4b80a60 - (dtucker) [moduli] Import new moduli file. 2012-08-30 10:42:47 +10:00
Damien Miller 4eb0a532ef - (djm) Release openssh-6.1 2012-08-29 10:26:20 +10:00
Darren Tucker 318541854f - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
for compatibility with future mingw-w64 headers.  Patch from vinschen at
   redhat com.
2012-08-28 19:57:19 +10:00
Damien Miller 39a9d2c933 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update version numbers
2012-08-22 21:57:13 +10:00
Damien Miller 38fe66230f - markus@cvs.openbsd.org 2012/07/22 18:19:21
[version.h]
     openssh 6.1
2012-07-31 12:23:16 +10:00
Damien Miller 46cb75a258 - dtucker@cvs.openbsd.org 2012/07/13 01:35:21
[servconf.c]
     handle long comments in config files better.  bz#2025, ok markus
2012-07-31 12:22:37 +10:00
Damien Miller 1cce103b3e fix truncated entry 2012-07-31 12:22:18 +10:00
Damien Miller 5a5c2b9063 - djm@cvs.openbsd.org 2012/07/10 02:19:15
[servconf.c servconf.h sshd.c sshd_config]
     Turn on systrace sandboxing of pre-auth sshd by default for new installs
     by shipping a config that overrides the current UsePrivilegeSeparation=yes
     default. Make it easier to flip the default in the future by adding too.
2012-07-31 12:21:34 +10:00
Damien Miller 709a1e90d9 - jmc@cvs.openbsd.org 2012/07/06 06:38:03
[ssh-keygen.c]
     missing full stop in usage();
2012-07-31 12:20:43 +10:00
Darren Tucker d809a4bc28 Import regened moduli file. 2012-07-20 10:42:06 +10:00
Damien Miller fff9f095e2 - djm@cvs.openbsd.org 2012/07/06 01:47:38
[ssh.c]
     move setting of tty_flag to after config parsing so RequestTTY options
     are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
     ok dtucker@
2012-07-06 13:45:01 +10:00
Damien Miller ab523b0246 - djm@cvs.openbsd.org 2012/07/06 01:37:21
[mux.c]
     fix memory leak of passed-in environment variables and connection
     context when new session message is malformed; bz#2003 from Bert.Wesarg
     AT googlemail.com
2012-07-06 13:44:43 +10:00
Damien Miller dfceafe8b1 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add options to specify starting line number and number of lines to process
     when screening moduli candidates.  This allows processing of different
     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller 77eab7b024 - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
   esperi.org.uk; ok dtucker@
2012-07-06 11:49:28 +10:00
Damien Miller a0433a7096 - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
not available. Allows use of sshd compiled on host with a filter-capable
   kernel on hosts that lack the support. bz#2011 ok dtucker@
2012-07-06 10:27:10 +10:00
Darren Tucker 34f702ae64 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
platforms that don't have it.  "looks good" tim@
2012-07-04 08:50:09 +10:00
Darren Tucker d545a4b974 - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported.  Its
   benefit is minor, so it's not worth disabling the sandbox if it doesn't
   work.
2012-07-03 22:48:31 +10:00
Darren Tucker 60395f91c6 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
2012-07-03 14:31:18 +10:00
Darren Tucker 6ea5dc6bb8 - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k. 2012-07-03 01:11:28 +10:00
Darren Tucker ec1e15d51a - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
Move cygwin detection to test-exec and use to skip reexec test on cygwin.
2012-07-03 01:06:49 +10:00
Darren Tucker 369ceedce2 - dtucker@cvs.openbsd.org 2012/07/02 14:37:06
[regress/connect-privsep.sh]
     remove exit from end of test since it prevents reporting failure
2012-07-03 00:53:18 +10:00
Darren Tucker 4908d44e67 - dtucker@cvs.openbsd.org 2012/07/02 12:13:26
[ssh-pkcs11-helper.c sftp-client.c]
     fix a couple of "assigned but not used" warnings.  ok markus@
2012-07-02 22:15:38 +10:00
Darren Tucker 7b30501bf5 - dtucker@cvs.openbsd.org 2012/07/02 08:50:03
[ssh.c]
     set interactive ToS for forwarded X11 sessions.  ok djm@
2012-07-02 18:55:09 +10:00
Darren Tucker 3b4b2d3021 - markus@cvs.openbsd.org 2012/06/30 14:35:09
[sandbox-systrace.c sshd.c]
     fix a during the load of the sandbox policies (child can still make
     the read-syscall and wait forever for systrace-answers) by replacing
     the read/write synchronisation with SIGSTOP/SIGCONT;
     report and help hshoexer@; ok djm@, dtucker@
2012-07-02 18:54:31 +10:00
Darren Tucker ecbf14aa53 - naddy@cvs.openbsd.org 2012/06/29 13:57:25
[ssh_config.5 sshd_config.5]
     match the documented MAC order of preference to the actual one;
     ok dtucker@
2012-07-02 18:53:37 +10:00
Darren Tucker 14a9d2515b - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
the required functions in libcrypto.
2012-06-30 20:05:02 +10:00
Darren Tucker 3886f95d42 - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error 2012-06-30 19:47:01 +10:00
Darren Tucker a08c20763a - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
[regress/try-ciphers.sh regress/cipher-speed.sh]
     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
     from draft6 of the spec and will not be in the RFC when published.  Patch
     from mdb at juniper net via bz#2023, ok markus
2012-06-30 15:08:53 +10:00
Darren Tucker 2920bc145c - dtucker@cvs.openbsd.org 2012/06/26 12:06:59
[regress/connect-privsep.sh]
     test sandbox with every malloc option
2012-06-30 15:06:28 +10:00
Darren Tucker ff32d7c9d2 - djm@cvs.openbsd.org 2012/06/01 00:52:52
[regress/sftp-cmds.sh]
     don't delete .* on cleanup due to unintended env expansion; pointed out in
     bz#2014 by openssh AT roumenpetrov.info
2012-06-30 15:04:13 +10:00
Darren Tucker 4430a86c14 - djm@cvs.openbsd.org 2012/06/01 00:47:35
[multiplex.sh forwarding.sh]
     append to rather than truncate test log; bz#2013 from openssh AT
     roumenpetrov.
2012-06-30 15:03:28 +10:00
Darren Tucker 301390316c - dtucker@cvs.openbsd.org 2012/05/13 01:42:32
[regress/addrmatch.sh]
     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
     to match.  Feedback and ok djm@ markus@.
2012-06-30 15:01:22 +10:00
Damien Miller ee3c196ec7 - naddy@cvs.openbsd.org 2012/06/29 13:57:25
[ssh_config.5 sshd_config.5]
     match the documented MAC order of preference to the actual one; ok dtucker@

(actual patch accidentally committed with previous)
2012-06-30 08:35:59 +10:00
Damien Miller db4f8e8618 - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
[mac.c myproposal.h ssh_config.5 sshd_config.5]
     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
     from draft6 of the spec and will not be in the RFC when published.  Patch
     from mdb at juniper net via bz#2023, ok markus.
2012-06-30 08:34:59 +10:00
Damien Miller 560de922b1 - dtucker@cvs.openbsd.org 2012/06/26 11:02:30
[sandbox-systrace.c]
     Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
     sandbox" since malloc now uses it.  From johnw.mail at gmail com.
2012-06-30 08:33:53 +10:00
Damien Miller ea8582931f - dtucker@cvs.openbsd.org 2012/06/22 14:36:33
[sftp.c]
     Remove unused variable leftover from tab-completion changes.
     From Steve.McClellan at radisys com, ok markus@
2012-06-30 08:33:32 +10:00