[clientloop.c]
unbreak tree by committing this bit that I missed from:
Fix sending tty modes when stdin is not a tty (bz#1199). Previously
we would send the modes corresponding to a zeroed struct termios,
whereas we should have been sending an empty list of modes.
Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
[ssh-keygen.c]
support -l (print fingerprint) in combination with -F (find host) to
search for a host in ~/.ssh/known_hosts and display its fingerprint;
ok markus@
[sshtty.c ttymodes.c sshpty.h]
Fix sending tty modes when stdin is not a tty (bz#1199). Previously
we would send the modes corresponding to a zeroed struct termios,
whereas we should have been sending an empty list of modes.
Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
[openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h]
Fix compilation on Linux, including pulling in fmt_scaled(3)
implementation from OpenBSD's libutil.
[PROTOCOL]
document our protocol extensions and deviations; ok markus@
- djm@cvs.openbsd.org 2008/05/17 01:31:56
[PROTOCOL]
grammar and correctness fixes from stevesk@
[channels.h clientloop.c nchan.c serverloop.c]
unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@
[channels.c]
error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@
[session.c]
re-add the USE_PIPES code and enable it.
without pipes shutdown-read from the sshd does not trigger
a SIGPIPE when the forked program does a write.
ok djm@
(Id sync only, USE_PIPES never left portable OpenSSH)
[clientloop.c clientloop.h ssh.c mux.c]
tidy up session multiplexing code, moving it into its own file and
making the function names more consistent - making ssh.c and
clientloop.c a fair bit more readable.
ok markus@
[channels.c channels.h clientloop.c serverloop.c]
Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.
Reported by stig AT venaas.com in bz#343
great feedback and ok markus@
[clientloop.c clientloop.h ssh.c]
Use new channel status confirmation callback system to properly deal
with "important" channel requests that fail, in particular command exec,
shell and subsystem requests. Previously we would optimistically assume
that the requests would always succeed, which could cause hangs if they
did not (e.g. when the server runs out of fds) or were unimplemented by
the server (bz #1384)
Also, properly report failing multiplex channel requests via the mux
client stderr (subject to LogLevel in the mux master) - better than
silently failing.
most bits ok markus@ (as part of a larger diff)
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
[monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
[ssh.c sshd.c]
Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).
Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
[bufaux.c buffer.h channels.c packet.c packet.h]
avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
[sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h]
introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)
also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation
ok markus@
- djm@cvs.openbsd.org 2008/04/13 00:22:17
[dh.c sshd.c]
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound
is not a power of two
ok deraadt@ millert@
- djm@cvs.openbsd.org 2008/04/04 05:14:38
[sshd_config.5]
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
Darren Tucker
Damien Miller