tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,346 Commits 6 Branches 20 Tags 97 MiB
Commit Graph

7346 Commits

Author SHA1 Message Date
Damien Miller 8c492da58f - djm@cvs.openbsd.org 2014/04/16 23:28:12 
[ssh-agent.1]
     remove the identity files from this manpage - ssh-agent doesn't deal
     with them at all and the same information is duplicated in ssh-add.1
     (which does deal with them); prodded by deraadt@
 2014-04-20 13:25:09 +10:00
Damien Miller adbfdbbdcc - djm@cvs.openbsd.org 2014/04/16 23:22:45 
[bufaux.c]
     skip leading zero bytes in buffer_put_bignum2_from_string();
     reported by jan AT mojzis.com; ok markus@
 2014-04-20 13:24:49 +10:00
Damien Miller 75c62728dc - djm@cvs.openbsd.org 2014/04/12 04:55:53 
[sshd.c]
     avoid crash at exit: check that pmonitor!=NULL before dereferencing;
     bz#2225, patch from kavi AT juniper.net
 2014-04-20 13:24:31 +10:00
Damien Miller 2a328437fb - djm@cvs.openbsd.org 2014/04/01 05:32:57 
[packet.c]
     demote a debug3 to PACKET_DEBUG; ok markus@
 2014-04-20 13:24:01 +10:00
Damien Miller 7d6a9fb660 - djm@cvs.openbsd.org 2014/04/01 03:34:10 
[sshconnect.c]
     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
     certificate keys to plain keys and attempt SSHFP resolution.

     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
     dialog by offering only certificate keys.

     Reported by mcv21 AT cam.ac.uk
 2014-04-20 13:23:43 +10:00
Damien Miller fcd62c0b66 - djm@cvs.openbsd.org 2014/04/01 02:05:27 
[ssh-keysign.c]
     include fingerprint of key not found
     use arc4random_buf() instead of loop+arc4random()
 2014-04-20 13:23:21 +10:00
Damien Miller 43b156cf72 - jmc@cvs.openbsd.org 2014/03/31 13:39:34 
[ssh-keygen.1]
     the text for the -K option was inserted in the wrong place in -r1.108;
     fix From: Matthew Clarke
 2014-04-20 13:23:03 +10:00
Damien Miller c1621c84f2 - naddy@cvs.openbsd.org 2014/03/28 05:17:11 
[ssh_config.5 sshd_config.5]
     sync available and default algorithms, improve algorithm list formatting
     help from jmc@ and schwarze@, ok deraadt@
 2014-04-20 13:22:46 +10:00
Damien Miller f2719b7c2b - tedu@cvs.openbsd.org 2014/03/26 19:58:37 
[sshd.8 sshd.c]
     remove libwrap support. ok deraadt djm mfriedl
 2014-04-20 13:22:18 +10:00
Damien Miller 4f40209aa4 - djm@cvs.openbsd.org 2014/03/26 04:55:35 
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
     [misc.h poly1305.h ssh-pkcs11.c]
     use __bounded(...) attribute recently added to sys/cdefs.h instead of
     longform __attribute__(__bounded(...));

     for brevity and a warning free compilation with llvm/clang
 2014-04-20 13:21:22 +10:00
Damien Miller 9235a030ad Three commits in one (since they touch the same heavily-diverged file 
repeatedly):

   - markus@cvs.openbsd.org 2014/03/25 09:40:03
     [myproposal.h]
     trimm default proposals.

     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
     (arcfour), and the broken modes (CBC) from the default configuration
     (the patch only changes the default, all the modes are still available
     for the config files).

     ok djm@, reminded by tedu@ & naddy@ and discussed with many
   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
     [myproposal.h]
     The current sharing of myproposal[] between both client and server code
     makes the previous diff highly unpallatable.  We want to go in that
     direction for the server, but not for the client.  Sigh.
     Brought up by naddy.
   - markus@cvs.openbsd.org 2014/03/27 23:01:27
     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     disable weak proposals in sshd, but keep them in ssh; ok djm@
 2014-04-20 13:17:20 +10:00
Damien Miller 6e1777f592 - tedu@cvs.openbsd.org 2014/03/19 14:42:44 
[scp.1]
     there is no need for rcp anymore
     ok deraadt millert
 2014-04-20 13:02:58 +10:00
Damien Miller eb1b7c514d - tedu@cvs.openbsd.org 2014/03/17 19:44:10 
[ssh.1]
     old descriptions of des and blowfish are old. maybe ok deraadt
 2014-04-20 13:02:26 +10:00
Damien Miller f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26 
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
 2014-04-20 13:01:30 +10:00
Damien Miller 94bfe0fbd6 - naddy@cvs.openbsd.org 2014/03/12 13:06:59 
[ssh-keyscan.1]
     scan for Ed25519 keys by default too
 2014-04-20 13:00:51 +10:00
Damien Miller 3819519288 - djm@cvs.openbsd.org 2014/03/12 04:51:12 
[authfile.c]
     correct test that kdf name is not "none" or "bcrypt"
 2014-04-20 13:00:28 +10:00
Damien Miller 8f9cd709c7 - djm@cvs.openbsd.org 2014/03/12 04:50:32 
[auth-bsdauth.c ssh-keygen.c]
     don't count on things that accept arguments by reference to clear
     things for us on error; most things do, but it's unsafe form.
 2014-04-20 13:00:11 +10:00
Damien Miller 1c7ef4be83 - djm@cvs.openbsd.org 2014/03/12 04:44:58 
[ssh-keyscan.c]
     scan for Ed25519 keys by default too
 2014-04-20 12:59:46 +10:00
Damien Miller c10bf4d051 - djm@cvs.openbsd.org 2014/03/03 22:22:30 
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
     Id sync only - portable already has this.
 2014-04-20 12:58:04 +10:00
Damien Miller c2e49062fa - (djm) Use full release (e.g. 6.5p1) in debug output rather than just 
version. From des@des.no
 2014-04-01 14:42:46 +11:00
Damien Miller 14928b7492 - (djm) On platforms that support it, use prctl() to prevent sftp-server 
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
 2014-04-01 14:38:07 +11:00
Damien Miller 48abc47e60 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to 
remind myself to add sandbox violation logging via the log socket.
 2014-03-17 14:45:56 +11:00
Tim Rice 9c36698ca2 20140314 
- (tim) [opensshd.init.in] Add support for ed25519
 2014-03-14 12:45:01 -07:00
Damien Miller 19158b2447 - (djm) Release OpenSSH 6.6 2014-03-13 13:14:21 +11:00
Damien Miller 8569eba5d7 - djm@cvs.openbsd.org 2014/03/03 22:22:30 
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
 2014-03-04 09:35:17 +11:00
Damien Miller 2476c31b96 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when 
no moduli file exists at the expected location.
 2014-03-02 04:01:00 +11:00
Damien Miller c83fdf30e9 - (djm) [regress/host-expand.sh] Add RCS Id 2014-02-28 10:34:03 +11:00
Damien Miller 834aeac355 - djm@cvs.openbsd.org 2014/02/27 21:21:25 
[agent-ptrace.sh agent.sh]
     keep return values that are printed in error messages;
     from portable
     (Id sync only)
 2014-02-28 10:25:16 +11:00
Damien Miller 4f7f1a9a0d - djm@cvs.openbsd.org 2014/02/27 20:04:16 
[login-timeout.sh]
     remove any existing LoginGraceTime from sshd_config before adding
     a specific one for the test back in
 2014-02-28 10:24:11 +11:00
Damien Miller d705d987c2 - djm@cvs.openbsd.org 2014/01/26 10:49:17 
[scp-ssh-wrapper.sh scp.sh]
     make sure $SCP is tested on the remote end rather than whichever one
     happens to be in $PATH; from portable
     (Id sync only)
 2014-02-28 10:23:26 +11:00
Damien Miller 624a3ca376 - djm@cvs.openbsd.org 2014/01/26 10:22:10 
[regress/cert-hostkey.sh]
     automatically generate revoked keys from listed keys rather than
     manually specifying each type; from portable
     (Id sync only)
 2014-02-28 10:22:37 +11:00
Damien Miller b843923284 - dtucker@cvs.openbsd.org 2014/01/25 04:35:32 
[regress/Makefile regress/dhgex.sh]
     Add a test for DH GEX sizes
 2014-02-28 10:21:26 +11:00
Damien Miller 1e2aa3d904 - dtucker@cvs.openbsd.org 2014/01/20 00:00:30 
[sftp-chroot.sh]
     append to rather than truncating the log file
 2014-02-28 10:19:51 +11:00
Damien Miller f483cc16fe - dtucker@cvs.openbsd.org 2014/01/19 23:43:02 
[regress/sftp-chroot.sh]
     Don't use -q on sftp as it suppresses logging, instead redirect the
     output to the regress logfile.
 2014-02-28 10:19:11 +11:00
Damien Miller 6486f16f1c - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
[contrib/suse/openssh.spec] Crank version numbers
 2014-02-28 10:03:52 +11:00
Damien Miller 92cf5adea1 - djm@cvs.openbsd.org 2014/02/27 22:57:40 
[version.h]
     openssh-6.6
 2014-02-28 10:01:53 +11:00
Damien Miller fc5d6759ab - djm@cvs.openbsd.org 2014/02/27 22:47:07 
[sshd_config.5]
     bz#2184 clarify behaviour of a keyword that appears in multiple
     matching Match blocks; ok dtucker@
 2014-02-28 10:01:28 +11:00
Damien Miller 172ec7e0af - djm@cvs.openbsd.org 2014/02/27 08:25:09 
[bufbn.c]
     off by one in range check
 2014-02-28 10:00:57 +11:00
Damien Miller f9a9aaba43 - djm@cvs.openbsd.org 2014/02/27 00:41:49 
[bufbn.c]
     fix unsigned overflow that could lead to reading a short ssh protocol
     1 bignum value; found by Ben Hawkes; ok deraadt@
 2014-02-28 10:00:27 +11:00
Damien Miller fb3423b612 - markus@cvs.openbsd.org 2014/02/26 21:53:37 
[sshd.c]
     ssh_gssapi_prepare_supported_oids needs GSSAPI
 2014-02-27 10:20:07 +11:00
Damien Miller 1348129a34 - djm@cvs.openbsd.org 2014/02/26 20:29:29 
[channels.c]
     don't assume that the socks4 username is \0 terminated;
     spotted by Ben Hawkes; ok markus@
 2014-02-27 10:18:32 +11:00
Damien Miller e6a74aeeac - djm@cvs.openbsd.org 2014/02/26 20:28:44 
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
     sandboxing, as running this code in the sandbox can cause violations;
     ok markus@
 2014-02-27 10:17:49 +11:00
Damien Miller 08b57c67f3 - djm@cvs.openbsd.org 2014/02/26 20:18:37 
[ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
 2014-02-27 10:17:13 +11:00
Damien Miller 13f97b2286 - djm@cvs.openbsd.org 2014/02/23 20:11:36 
[readconf.c readconf.h ssh.c ssh_config.5]
     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
     the hostname. This allows users to write configurations that always
     refer to canonical hostnames, e.g.

     CanonicalizeHostname yes
     CanonicalDomains int.example.org example.org
     CanonicalizeFallbackLocal no

     Host *.int.example.org
         Compression off
     Host *.example.org
         User djm

     ok markus@
 2014-02-24 15:57:55 +11:00
Damien Miller bee3a234f3 - djm@cvs.openbsd.org 2014/02/23 20:03:42 
[ssh-ed25519.c]
     check for unsigned overflow; not reachable in OpenSSH but others might
     copy our code...
 2014-02-24 15:57:22 +11:00
Damien Miller 0628780abe - djm@cvs.openbsd.org 2014/02/22 01:32:19 
[readconf.c]
     when processing Match blocks, skip 'exec' clauses if previous predicates
     failed to match; ok markus@
 2014-02-24 15:56:45 +11:00
Damien Miller 0890dc8191 - djm@cvs.openbsd.org 2014/02/15 23:05:36 
[channels.c]
     avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
     bz#2200, debian#738692 via Colin Watson; ok dtucker@
 2014-02-24 15:56:07 +11:00
Damien Miller d3cf67e111 - djm@cvs.openbsd.org 2014/02/07 06:55:54 
[cipher.c mac.c]
     remove some logging that makes ssh debugging output very verbose;
     ok markus
 2014-02-24 15:55:36 +11:00
Tim Rice 03ae081aea 20140221 
- (tim) [configure.ac]  Fix cut-and-paste error. Patch from Bryan Drewery.
 2014-02-21 09:09:34 -08:00
Darren Tucker 4a20959d2e - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat 
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
 2014-02-13 16:38:32 +11:00