Commit Graph

12871 Commits

Author SHA1 Message Date
Damien Miller
0cbeedba81
openssh-9.9p2
2025-02-18 19:12:14 +11:00
djm@openbsd.org
0832aac795
upstream: Fix cases where error codes were not correctly set
Reported by the Qualys Security Advisory team. ok markus@

OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
2025-02-18 19:03:28 +11:00
djm@openbsd.org
6ce00f0c2e
upstream: Don't reply to PING in preauth phase or during KEX
Reported by the Qualys Security Advisory team. ok markus@

OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
2025-02-18 19:03:28 +11:00
jmc@openbsd.org
9e5bd74a85
upstream: - use \& when constructs like "e.g." end a line, to avoid
double spacing - macro is Qq not Oq

OpenBSD-Commit-ID: 17e5d2d7f288cc7fc536e3af252224525f9fb43a
2025-02-16 15:11:22 +11:00
Damien Miller
f519e71fb7
depend
2025-02-15 13:12:40 +11:00
djm@openbsd.org
9131ac64b0
upstream: add "Match version" support to ssh_config. Allows
matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*"

ok markus@

OpenBSD-Commit-ID: c0cb504d0b9e43ccf12e68a544a7cd625e89758d
2025-02-15 13:12:22 +11:00
djm@openbsd.org
192a20df00
upstream: Add support for "Match sessiontype" to ssh_config. Allows
matching on the type of session requested, either "shell" for interactive
sessions, "exec" for command execution sessions, "subsystem" for subsystem
requests, such as sftp, or "none" for transport/forwarding-only sessions.

ok markus@

OpenBSD-Commit-ID: eff5c001aecb2283d36639cfb28c0935a8bfd468
2025-02-15 13:11:34 +11:00
djm@openbsd.org
caa3c0c770
upstream: "Match command ..." support for ssh_config to allow
matching on the remote command specified on the commandline.

Also relaxes matching rules for `Match tagged` to allow
`Match tagged ""` to match an empty tag value. This also works
for command.

ok markus@

OpenBSD-Commit-ID: 00dcfea425bf58d824bf5e3464cfc2409121b60d
2025-02-15 13:11:33 +11:00
Damien Miller
38f6000e98
depend
2025-02-11 10:32:26 +11:00
djm@openbsd.org
aa1409e7a0
upstream: include arguments the command was invoked with, and
operating system name, version and architecture in startup debugging output;
ok dtucker

OpenBSD-Commit-ID: 2a509d319aaf31a6bf9998e1842832883fbc3edd
2025-02-11 10:30:30 +11:00
djm@openbsd.org
857ac20f5f
upstream: include line number in Match debug messages, makes it a
little easier to see what's going on

OpenBSD-Commit-ID: 1fcf4aa2ee667711b9497ded0fa52d757c69b1df
2025-02-11 10:26:21 +11:00
djm@openbsd.org
af49d474e4
upstream: fix "Match invalid-user" from incorrectly being activated
in initial configuration pass when no other predicates were present on the
match line

OpenBSD-Commit-ID: 02703b4bd207fafd03788bc4e7774bf80be6c9a8
2025-02-11 10:26:21 +11:00
schwarze@openbsd.org
1c67bae3f5
upstream: In a section 1 manual, use the plain English words
"standard output" rather than the overly technical abbreviation "stdout" - we
are not talking about a device file or a FILE * object here. Issue reported
by <onf at disroot dot org> on the groff mailing list.

OpenBSD-Commit-ID: a0816999f970e6159523bed8484f62c42ec93109
2025-02-11 10:26:20 +11:00
dtucker@openbsd.org
85b3d68dd9
upstream: Fix debug logging of user specific delay. Patch from
Achim Leitner (fjl5) via github PR#552.

OpenBSD-Commit-ID: 834a869ed9b15058d3c1ef0cd75402ef989255d8
2025-02-06 09:41:20 +11:00
dtucker@openbsd.org
e4e5b06fdf
upstream: Call log_init in sshd-auth and sshd-session immediately
after parsing the config file so that any log settings set in the config file
take effect immediately.  Move version banners to immediately after that, and
make them distinct per binary.  ok djm@

OpenBSD-Commit-ID: acf3d090638edf9b6e6f78eed96b537fe671f0f5
2025-02-06 09:41:19 +11:00
dtucker@openbsd.org
0643994b20
upstream: Use strprefix helper when processing sshd -C test args
instead of counting bytes by hand.  ok djm@

OpenBSD-Commit-ID: 2866d369d96fe04bf76112260ac37e489f98a9a9
2025-02-06 09:40:16 +11:00
Damien Miller
66efd0fbb6
add support for AWS-LC (AWS libcrypto)
Patch from Shubham Mittal via bz3784; ok dtucker
2025-02-06 09:38:09 +11:00
Tim Rice
826483d51a
fix old typo (s/SYSVINITSTOPT/SYSVINITSTOP/)
2024-12-16 15:36:54 -08:00
dtucker@openbsd.org
1a8ce460f1
upstream: Plug leak on error path, spotted by Coverity. ok djm@
OpenBSD-Commit-ID: b1859959374b4709569760cae0866d22a16606d3
2024-12-12 21:23:32 +11:00
Xavier Hsinyuan
924f996144
Add $(srcdir) for standalone sk-libfido2 make target.
Fix out-of-tree build failure due to incorrect path for `sk-usbhid.c`.
2024-12-12 20:12:09 +11:00
djm@openbsd.org
bbc9c18e84
upstream: replace bespoke logging of MaxSessions enforcement with
new ratelimited logging infrastructure.

Add ratelimits to logging of connections dropped by PerSourcePenalties

ok dtucker

OpenBSD-Commit-ID: f22fe7c39607e4361aadf95e33773ffd68c59489
2024-12-07 21:23:54 +11:00
djm@openbsd.org
5a6ddf946c
upstream: add infrastructure for ratelimited logging; feedback/ok
dtucker

OpenBSD-Commit-ID: 18a83e5ac09d59aaf1e834fd6b796db89dd842e7
2024-12-07 21:22:56 +11:00
djm@openbsd.org
85f0c1e75e
upstream: allow glob(3) patterns for sshd_config AuthorizedKeysFile
and AuthorizedPrincipalsFile directives; bz2755 ok dtucker

OpenBSD-Commit-ID: 3e3e05a17fca39bba78b993a07b44664519adf7f
2024-12-07 21:19:02 +11:00
djm@openbsd.org
9a9ffee6e1
upstream: support VersionAddendum in the client, mirroring the
option of the same name in the server; bz2745 ok dtucker@

OpenBSD-Commit-ID: 6ff7905b3f9806649bde750515786553fb89cdf4
2024-12-07 21:16:02 +11:00
djm@openbsd.org
41ab0ccecd
upstream: clarify encoding of options/extensions; bz2389
OpenBSD-Commit-ID: c4e92356d44dfe6d0a4416deecb33d1d1eba016c
2024-12-07 21:16:01 +11:00
djm@openbsd.org
5488810359
upstream: ignore SIGPIPE here; some downstreams have had this for
years...

OpenBSD-Commit-ID: 73674ee4f8ceb8fc9cb8de71d8ddea0c721eb035
2024-12-07 21:16:01 +11:00
djm@openbsd.org
4389a792d9
upstream: sync -o option lists with ssh.1; requested jmc@
OpenBSD-Commit-ID: a7ac295b444da7b2ca7a33a52370594f6897f6bb
2024-12-07 21:16:00 +11:00
Fabio Pedretti
6b9cd09556
Remove ancient RHL 6.x config in RPM spec.
It looks like build6x options were intended for RHL 6.x
(the Red Hat distro predating Fedora, not RHEL), but were
then applied to RHEL.

Completely remove support for this ancient configuration.

Successfully built, installed and run on RHEL 6. This also
removes a build warning about deprecation of PreReq.
2024-12-07 01:15:48 +11:00
Darren Tucker
5cacfa798f
Add new hardware-backed signing key for myself.
Retire old non-hardware based signing key.
2024-12-06 23:54:45 +11:00
Jonas 'Sortie' Termansen
f129b6ee1d
Fix configure implicit declaration and format warnings.
2024-12-06 20:53:14 +11:00
dtucker@openbsd.org
11a5e51790
upstream: Expand $SSH to absolute path if it's not already.
Prevents problem later in increase_datafile_size if ssh is not in
the path.  Patch from quaresmajose via GHPR#510.

OpenBSD-Regress-ID: 2670a66af8b827410ca7139f0a89f4501cece77b
2024-12-06 20:20:20 +11:00
dtucker@openbsd.org
dc2ef8f094
upstream: Change "login again" to "log in again"
in password change message.  From ThinLinc-Zeijlon via github PR#532.

OpenBSD-Commit-ID: fea5e9bc04caf613a118c419f16863733b340cf1
2024-12-06 20:19:46 +11:00
naddy@openbsd.org
8252f346eb
upstream: catch up documentation: AES-GCM is preferred to AES-CTR
OpenBSD-Commit-ID: 63360924b6834507fe70020edb936f5075043a9e
2024-12-06 20:19:27 +11:00
Darren Tucker
9a2f4c7508
Change text from "login to" to "log in to".
From ThinLinc-Zeijlon via GHPR#532.
2024-12-06 17:56:17 +11:00
Xavier Hsinyuan
24dcf368d8
Fix configure message typo in sk-libfido2 standalone.
2024-12-06 17:43:25 +11:00
Alexander Kanavin
1a0cac2f34
Skip 2038 key expiry test on 64 bit time_t systems.
This allows testing Y2038 with system time set to after that (i.e. 2040),
so that actual Y2038 issues can be exposed, and not masked by key expiry
errors.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
2024-12-06 17:38:22 +11:00
Darren Tucker
6b4611dc12
Skip 64bit expiry time test on 32bit time_t.
2024-12-06 01:45:52 +11:00
dtucker@openbsd.org
c9b7866a7d
upstream: Add key expiry test in the 64bit time_t range for additional
coverage. From Alexander Kanavin via bz#3684.

OpenBSD-Regress-ID: bdf6eb3c2421f2e1e11483d03b34c7931d1bccf7
2024-12-06 01:44:35 +11:00
Damien Miller
790c913b5f
typo
2024-12-05 19:25:05 +11:00
Damien Miller
d23a23aaee
add a Makefile target for ssh-verify-attestation
Not built by default, but easier than doing it by hand
2024-12-05 19:25:05 +11:00
dtucker@openbsd.org
d0ac63d0f8
upstream: De-magic the x11 base port number into a define. ok djm@
OpenBSD-Commit-ID: 23b85ca9d222cb739b9c33ee5e4d6ac9fdeecbfa
2024-12-05 19:13:45 +11:00
dtucker@openbsd.org
9998c93d57
upstream: Prevent integer overflow in x11 port handling. These are
theoretically possible if the admin misconfigures X11DisplayOffset or the
user misconfigures their own $DISPLAY, but don't happen in normal operation.
From Suhov Roman via bz#3730, ok djm@

OpenBSD-Commit-ID: e9e3860f1a19b862ccf07dc8ecbe8f1e1034f4ed
2024-12-05 19:13:42 +11:00
djm@openbsd.org
8c9ee046d4
upstream: add a work-in-progress tool to verify FIDO attestation
blobs that ssh-keygen can write when enrolling FIDO keys.

OpenBSD-Regress-ID: 6c97bf3f46e48866677ad69f54b77683eb92437f
2024-12-05 03:45:02 +11:00
dtucker@openbsd.org
50c640d874
upstream: Don't assume existence of SK provider in test. Patch from
balu.gajjala at gmail via bz#3402.

OpenBSD-Regress-ID: d571932016d07d135b54433d07520b9e1901db43
2024-12-05 03:43:37 +11:00
djm@openbsd.org
73d7826931
upstream: sync the list of options accepted by -o with ssh_config.5
prompted by bz3455

OpenBSD-Commit-ID: 0ecbfa70aea6c769bcc259defe07182edf461f57
2024-12-05 01:38:33 +11:00
djm@openbsd.org
6993d9f095
upstream: don't screw up ssh-keygen -l output when the file
contains CR characters; GHPR236 bz3385, fix from Dmitry Belyavskiy

OpenBSD-Commit-ID: e458cf6b0adcea5b69ef4c7ba38e590841d02ef4
2024-12-05 01:28:55 +11:00
jsg@openbsd.org
c0b03c2534
upstream: spelling; ok djm@
OpenBSD-Commit-ID: c8ff3f70020451eef214e598117b7ce1a29853ef
2024-12-05 01:28:54 +11:00
dtucker@openbsd.org
97eb247f40
upstream: Remove fallback to compiled-in group for dhgex when the
moduli file exists, but does not contain moduli within the client-requested
range. The fallback behaviour remains for the case where the moduli file does
not exist (typically, running tests prior to installing). From bz#2793, based
in part on patch from Joe Testa, ok djm@

OpenBSD-Commit-ID: b1a8c5dbbedf249b42474679ebaf14db7332b1ab
2024-12-05 01:28:47 +11:00
tb@openbsd.org
30c746265e
upstream: Remove redundant field of definition check
This will allow us to get rid of EC_GROUP_method_of() in the near future.

ok djm

OpenBSD-Commit-ID: b4a3d2e00990cf5c2ec6881c21ddca67327c2df8
2024-12-05 01:28:46 +11:00
Damien Miller
eaa1744f34
don't ignore changes in regress Makefiles
reported by Torben Hansen in bz2880
2024-12-05 01:01:04 +11:00