adjust pledge promises for ControlMaster: when using
"ask" or "autoask", the process will use ssh-askpass for asking confirmation.
problem found by halex@
ok halex@
Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80
Add "id" to ssh-agent pledge for subprocess support.
Found the hard way by Jan Johansson when using ssh-agent with X. Also,
rearranged proc/exec and retval to match other pledge calls in the tree.
ok djm@
Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db
include remote port number in a few more messages; makes
tying log messages together into a session a bit easier; bz#2503 ok dtucker@
Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
don't try to load SSHv1 private key when compiled without
SSHv1 support. From Iain Morgan bz#2505
Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
use SSH_MAX_PUBKEY_BYTES consistently as buffer size when
reading key files. Increase it to match the size of the buffers already being
used.
Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae
fflush stdout so that output is seen even when running in
debug mode when output may otherwise not be flushed. Patch from dustin at
null-ptr.net.
Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc
- remove configure --with-rsh, because this option isn't supported anymore
- replace last occurrence of BuildPreReq by BuildRequires
- update grep statement to query the krb5 include directory
Patch from CarstenGrohmann via github, ok djm.
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
pledges ssh client: - mux client: which is used when
ControlMaster is in use. will end with "stdio proc tty" (proc is to
permit sending SIGWINCH to mux master on window resize)
- client loop: several levels of pledging depending of your used options
ok deraadt@
Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b
don't include port number in tcpip-forward replies for
requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok
markus
Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a
ban ConnectionAttempts=0, it makes no sense and would cause
ssh_connect_direct() to print an uninitialised stack variable; bz#2500
reported by dvw AT phas.ubc.ca
Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
Allow fingerprinting from standard input "ssh-keygen -lf
-"
Support fingerprinting multiple plain keys in a file and authorized_keys
files too (bz#1319)
ok markus@
Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
always call privsep_preauth_child() regardless of whether
sshd was started by root; it does important priming before sandboxing and
failing to call it could result in sandbox violations later; ok markus@
Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383
1) Use xcalloc() instead of xmalloc() to check for
potential overflow. (Feedback from both mmcc@ and djm@) 2) move set_size
just before the for loop. (suggested by djm@)
OK djm@
Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213
Add a new authorized_keys option "restrict" that
includes all current and future key restrictions (no-*-forwarding, etc). Also
add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
This simplifies the task of setting up restricted keys and ensures they are
maximally-restricted, regardless of any permissions we might implement in the
future.
Example:
restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
Idea from Jann Horn; ok markus@
Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
