criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
relies on using -fwrapv to provide defined over/underflow behaviour, but we
use -ftrapv to catch integer errors and abort the program. ok dtucker@
OpenBSD-Commit-ID: 8933369b33c17b5f02479503d0a92d87bc3a574b
implementation in SUPERCOP 20201130 to the "compact" implementation in
SUPERCOP 20240808. The new version is substantially faster. Thanks to Daniel
J Bernstein for pointing out the new implementation (and of course for
writing it).
tested in snaps/ok deraadt@
OpenBSD-Commit-ID: bf1a77924c125ecdbf03e2f3df8ad13bd3dafdcb
options.
This allows writing Match conditions that trigger for invalid username.
E.g.
PerSourcePenalties refuseconnection:90s
Match invalid-user
RefuseConnection yes
Will effectively penalise bots try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.
feedback markus@
OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
PerSourcePenalties
This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@
OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)
ok markus@
OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
string tokeniser, making it possible to use shell-like quoting in Match
directives, particularly "Match exec". ok markus@
OpenBSD-Commit-ID: 0877309650b76f624b2194c35dbacaf065e769a5
prompts. Helps the user know what's going on when ssh-keygen is invoked via
other tools. Requested in GHPR503
OpenBSD-Commit-ID: 613b0bb6cf845b7e787d69a5b314057ceda6a8b6
verification fails. Prevents restrictive key options being incorrectly
applied to subsequent keys in authorized_keys. bz3733, ok markus@
OpenBSD-Commit-ID: ba3776d9da4642443c19dbc015a1333622eb5a4e
OpenSSH 9.8, which incorrectly required that sshd was started with an
absolute path in inetd mode. bz3717, patch from Colin Wilson
OpenBSD-Commit-ID: 25c57f22764897242d942853f8cccc5e991ea058
I can't find a reliable way to detect the features the ML-KEM code
requires in configure. Give up for now and use VLA support (that we
can detect) as a proxy for "old compiler" and turn off ML-KEM if
it isn't supported.
The ML-KEM implementation we uses need the compiler to support
C99-style named struct initialisers (e.g foo = {.bar = 1}). We
still support (barely) building OpenSSH with older compilers, so
add a configure test for this.
compile-time flag now than an IANA codepoint has been assigned for the
algorithm.
Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
ok markus@
OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
the string rather than the first. This makes it possible to use usernames
that contain '@' characters.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Prompted by Max Zettlmeißl; feedback/ok millert@
OpenBSD-Commit-ID: 0b16eec246cda15469ebdcf3b1e2479810e394c5
shortnames (e.g "rsa") in user-interface code and require full SSH protocol
names (e.g. "ssh-rsa") everywhere else.
Prompted by bz3725; ok markus@
OpenBSD-Commit-ID: b3d8de9dac37992eab78adbf84fab2fe0d84b187
