turn off 1024 bit diffie-hellman-group1-sha1 key
exchange method (already off in server, this turns it off in the client by
default too) ok dtucker@
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
fatal() when a remote window update causes the window
value to overflow. Reported by Georg Wicherski, ok markus@
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
Fix math error in remote window calculations that causes
eventual stalls for datagram channels. Reported by Georg Wicherski, ok
markus@
Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
Fix \-escaping bug that caused forward path parsing to skip
two characters and skip past the end of the string.
Based on patch by Salvador Fandino; ok dtucker@
Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
Revert previous commit. We still want to call setgroups
in the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
Revert previous commit. We still want to call setgroups in
the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
Don't count successful partial authentication as failures
in monitor; this may have caused the monitor to refuse multiple
authentications that would otherwise have successfully completed; ok markus@
Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
Don't call setgroups if we have zero groups; there's no
guarantee that it won't try to deref the pointer. Based on a patch from mail
at quitesimple.org, ok djm deraadt
Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
If AuthorizedPrincipalsCommand is specified, however
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
potentially fail due to key_cert_check_authority() failing to locate a
principal that matches the username, even though an authorized principal has
already been matched in the output of the subprocess. Fix this by using the
same logic to determine if pw->pw_name should be passed, as is used to
determine if a authorized principal must be matched earlier on.
ok djm@
Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
Make the arguments to match_principals_command() similar
to match_principals_file(), by changing the last argument a struct
sshkey_cert * and dereferencing key->cert in the caller.
No functional change.
ok djm@
Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
When doing arg inspection and the syscall doesn't match, skip
past the instruction that reloads the syscall into the accumulator,
since the accumulator hasn't been modified at this point.
For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
name." (we have a path, not a host name). Based on a diff from Jared
Yanovich. OK djm@
Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
wrap all moduli-related code in #ifdef WITH_OPENSSL.
based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@
Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
Increase the allowed length of the known host file name
in the log message to be consistent with other cases. Part of bz#1993, ok
deraadt.
Upstream-ID: a9e97567be49f25daf286721450968251ff78397
