add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
release; problems spotted by sthen@ ok deraadt@ markus@
Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
change default: PermitRootLogin without-password matching
install script changes coming as well ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
include the peer's offer when logging a failure to
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
add Cisco to the list of clients that choke on the
hostkeys update extension. Pointed out by Howard Kash
Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
Permit kbind(2) use in the sandbox now, to ease testing
of ld.so work using it
reminded by miod@, ok deraadt@
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
mention that the default of UseDNS=no implies that
hostnames cannot be used for host matching in sshd_config and
authorized_keys; bz#2045, ok dtucker@
Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
don't ignore PKCS#11 hosted keys that return empty
CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
direct-streamlocal@openssh.com Unix domain foward
messages do not contain a "reserved for future use" field and in fact,
serverloop.c checks that there isn't one. Remove erroneous mention from
PROTOCOL description. bz#2421 from Daniel Black
Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
describe magic for setting up Unix domain socket fowards
via the mux channel; bz#2422 patch from Daniel Black
Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
On some platforms the native realpath doesn't work with non-existent
files (this is actually specified in some versions of POSIX), however
the sftp spec says its realpath with "canonicalize any given path name".
On those platforms, use realpath from the compat library.
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
the realpath symbol to the checked version, so redefine ours to
something else so we pick up the compat version we want.
bz#2428, ok djm@
Adapt tests, now that DSA if off by default; use
PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
Add "PuTTY_Local:" to the clients to which we do not
offer DH-GEX. This was the string that was used for development versions
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
there are some extant products based on those versions. bx2424 from Jay
Rouman, ok markus@ djm@
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
