Damien Miller
a6508753db
- djm@cvs.openbsd.org 2012/04/11 13:16:19
...
[channels.c channels.h clientloop.c serverloop.c]
don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
while; ok deraadt@ markus@
2012-04-22 11:21:10 +10:00
Damien Miller
c6081482b2
- dtucker@cvs.openbsd.org 2012/03/29 23:54:36
...
[channels.c channels.h servconf.c]
Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949 ). ok djm@
2012-04-22 11:18:53 +10:00
Damien Miller
48348fc3b4
- djm@cvs.openbsd.org 2012/03/28 07:23:22
...
[PROTOCOL.certkeys]
explain certificate extensions/crit split rationale. Mention requirement
that each appear at most once per cert.
2012-04-22 11:08:30 +10:00
Damien Miller
29cd188887
- guenther@cvs.openbsd.org 2012/03/15 03:10:27
...
[session.c]
root should always be excluded from the test for /etc/nologin instead
of having it always enforced even when marked as ignorenologin. This
regressed when the logic was incompletely flipped around in rev 1.251
ok halex@ millert@
2012-04-22 11:08:10 +10:00
Damien Miller
a563cced06
- djm@cvs.openbsd.org 2012/02/29 11:21:26
...
[ssh-keygen.c]
allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-04-22 11:07:28 +10:00
Damien Miller
d5dacb43fa
- (djm) Release openssh-6.0
2012-04-20 15:01:01 +10:00
Damien Miller
bf2304167b
- (djm) [README] Update URL to release notes.
2012-04-20 14:11:04 +10:00
Damien Miller
8beb320390
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update for release 6.0
2012-04-20 10:58:34 +10:00
Damien Miller
398c0ffe0e
- (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil
...
contains openpty() but not login()
2012-04-19 21:46:35 +10:00
Damien Miller
e0956e3834
- (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
...
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
and ok dtucker@
2012-04-04 11:27:54 +10:00
Damien Miller
ce1ec9d4e2
- (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect
...
assumptions when building on Cygwin; patch from Corinna Vinschen
2012-03-30 14:07:05 +11:00
Damien Miller
4d55734c16
- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
...
openssh binaries on a newer fix release than they were compiled on.
with and ok dtucker@
2012-03-30 11:34:27 +11:00
Darren Tucker
67ccc86506
- (dtucker) [contrib/redhat/openssh.spec] Bug #1992 : remove now-gone WARNING
...
file from spec file. From crighter at nuclioss com.
2012-03-30 10:19:56 +11:00
Damien Miller
54c38d24c6
- (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6
...
addressed connections. ok dtucker@
2012-03-09 10:28:07 +11:00
Damien Miller
7bf7b889b3
- (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux
...
systems where sshd is run in te wrong context. Patch from Sven
Vermeulen; ok dtucker@
2012-03-09 10:25:16 +11:00
Darren Tucker
93a2d41505
- (dtucker) [audit-bsm.c configure.ac] bug #1968 : enable workarounds for BSM
...
audit breakage in Solaris 11. Patch from Magnus Johansson.
2012-02-24 10:40:41 +11:00
Tim Rice
a3f297de91
- (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote
...
to work. Spotted by Angel Gonzalez
2012-02-14 23:01:42 -08:00
Tim Rice
f79b5d38a1
- (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so
...
it actually works.
2012-02-14 20:13:05 -08:00
Tim Rice
e3609c935c
- (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
...
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
ok dtucker@
2012-02-14 10:03:30 -08:00
Damien Miller
7b7901c330
- (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of
...
preserved Cygwin environment variables; from Corinna Vinschen
2012-02-14 06:38:36 +11:00
Damien Miller
db854559be
- markus@cvs.openbsd.org 2012/02/09 20:00:18
...
[version.h]
move from 6.0-beta to 6.0
2012-02-11 08:19:44 +11:00
Damien Miller
72de982def
- markus@cvs.openbsd.org 2012/01/25 19:40:09
...
[packet.c packet.h]
packet_read_poll() is not used anymore.
2012-02-11 08:19:21 +11:00
Damien Miller
5d0077008f
- markus@cvs.openbsd.org 2012/01/25 19:36:31
...
[authfile.c]
memleak in key_load_file(); from Jan Klemkow
2012-02-11 08:19:02 +11:00
Damien Miller
1de2cfe9a9
- markus@cvs.openbsd.org 2012/01/25 19:26:43
...
[packet.c]
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@
2012-02-11 08:18:43 +11:00
Damien Miller
8d60be5487
- dtucker@cvs.openbsd.org 2012/01/18 21:46:43
...
[clientloop.c]
Ensure that $DISPLAY contains only valid characters before using it to
extract xauth data so that it can't be used to play local shell
metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
2012-02-11 08:18:17 +11:00
Damien Miller
fb12c6d8bb
- miod@cvs.openbsd.org 2012/01/16 20:34:09
...
[ssh-pkcs11-client.c]
Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
While there, be sure to buffer_clear() between send_msg() and recv_msg().
ok markus@
2012-02-11 08:17:52 +11:00
Damien Miller
83ba8e6056
- miod@cvs.openbsd.org 2012/01/08 13:17:11
...
[ssh-ecdsa.c]
Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron,
ok markus@
2012-02-11 08:17:27 +11:00
Damien Miller
2ec0342ed4
- djm@cvs.openbsd.org 2012/01/07 21:11:36
...
[mux.c]
fix double-free in new session handler
2012-02-11 08:16:28 +11:00
Damien Miller
a2876db5e6
- djm@cvs.openbsd.org 2012/01/05 00:16:56
...
[monitor.c]
memleak on error path
2012-02-11 08:16:06 +11:00
Damien Miller
b56e4930ae
- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
...
that don't support ECC. Patch from Phil Oleson
2012-02-06 07:41:27 +11:00
Darren Tucker
e9b3ad73ba
- (dtucker) [configure.ac mac.c openbsd-compat/openssl-compat.h] Add
...
null implementation of HMAC_CTX_init for the benefit of old versions
of OpenSSL that don't have it.
2012-01-17 14:03:34 +11:00
Damien Miller
8ed4de8f1d
- djm@cvs.openbsd.org 2011/12/07 05:44:38
...
[auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@
2011-12-19 10:52:50 +11:00
Damien Miller
913ddff40d
- djm@cvs.openbsd.org 2011/12/04 23:16:12
...
[mux.c]
revert:
> revision 1.32
> date: 2011/12/02 00:41:56; author: djm; state: Exp; lines: +4 -1
> fix bz#1948: ssh -f doesn't fork for multiplexed connection.
> ok dtucker@
it interacts badly with ControlPersist
2011-12-19 10:52:21 +11:00
Damien Miller
d0e582c6da
- djm@cvs.openbsd.org 2011/12/02 00:43:57
...
[mac.c]
fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before
HMAC_init (this change in policy seems insane to me)
ok dtucker@
2011-12-19 10:51:39 +11:00
Damien Miller
5360dff2a0
- djm@cvs.openbsd.org 2011/12/02 00:41:56
...
[mux.c]
fix bz#1948: ssh -f doesn't fork for multiplexed connection.
ok dtucker@
2011-12-19 10:51:11 +11:00
Damien Miller
47d8115e53
- oga@cvs.openbsd.org 2011/11/16 12:24:28
...
[sftp.c]
Don't leak list in complete_cmd_parse if there are no commands found.
Discovered when I was ``borrowing'' this code for something else.
ok djm@
2011-11-25 13:53:48 +11:00
Darren Tucker
4a725ef6a5
- (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@
2011-11-21 16:38:48 +11:00
Darren Tucker
aa3cbd1b5b
- (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in
...
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr)
with some rework from myself and djm. ok djm.
2011-11-04 11:25:24 +11:00
Darren Tucker
be4032ba1e
- dtucker@cvs.openbsd.org 011/11/04 00:09:39
...
[moduli]
regenerated moduli file; ok deraadt
2011-11-04 11:16:06 +11:00
Darren Tucker
9c5d553d58
- djm@cvs.openbsd.org 2011/10/24 02:13:13
...
[session.c]
bz#1859: send tty break to pty master instead of (probably already
closed) slave side; "looks good" markus@
2011-11-04 10:55:24 +11:00
Darren Tucker
2d6665d944
- djm@cvs.openbsd.org 2011/10/24 02:10:46
...
[ssh.c]
bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh
was incorrectly requesting the forward in both the control master and
slave. skip requesting it in the master to fix. ok markus@
2011-11-04 10:54:22 +11:00
Darren Tucker
8a057953d2
- djm@cvs.openbsd.org 2011/10/19 10:39:48
...
[umac.c]
typo in comment; patch from Michael W. Bombardieri
2011-11-04 10:53:31 +11:00
Darren Tucker
9ee09cfce6
- djm@cvs.openbsd.org 2011/10/19 00:06:10
...
[moduli.c]
s/tmpfile/tmp/ to make this -Wshadow clean
2011-11-04 10:52:43 +11:00
Darren Tucker
e68cf84ac8
- djm@cvs.openbsd.org 2011/10/18 23:37:42
...
[ssh-add.c]
add -k to usage(); reminded by jmc@
2011-11-04 10:51:51 +11:00
Darren Tucker
45c66d7ad4
- djm@cvs.openbsd.org 2011/10/18 05:15:28
...
[ssh.c]
ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
2011-11-04 10:50:40 +11:00
Darren Tucker
9f157abbb6
- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file
...
fails. Patch from Corinna Vinschen.
2011-10-25 09:37:57 +11:00
Damien Miller
8f4279e4ab
- djm@cvs.openbsd.org 2011/10/18 05:00:48
...
[ssh-add.1 ssh-add.c]
new "ssh-add -k" option to load plain keys (skipping certificates);
"looks ok" markus@
2011-10-18 16:06:33 +11:00
Damien Miller
c51a5ab2c6
- djm@cvs.openbsd.org 2011/10/18 04:58:26
...
[auth-options.c key.c]
remove explict search for \0 in packet strings, this job is now done
implicitly by buffer_get_cstring; ok markus
2011-10-18 16:06:14 +11:00
Damien Miller
91f3eaec88
- stsp@cvs.openbsd.org 2011/10/16 15:51:39
...
[moduli.c]
add missing includes to unbreak tree; fix from rpointel
2011-10-18 16:05:55 +11:00
Damien Miller
927d82bc6a
- jmc@cvs.openbsd.org 2011/10/16 15:02:41
...
[ssh-keygen.c]
put -K in the right place (usage());
2011-10-18 16:05:38 +11:00
Damien Miller
390d0561fc
- dtucker@cvs.openbsd.org 2011/10/16 11:02:46
...
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add optional checkpoints for moduli screening. feedback & ok deraadt
2011-10-18 16:05:19 +11:00
Damien Miller
d3e6990c4c
- djm@cvs.openbsd.org 2011/10/04 14:17:32
...
[sftp-glob.c]
silence error spam for "ls */foo" in directory with files; bz#1683
2011-10-18 16:04:57 +11:00
Darren Tucker
2e13560ff5
- djm@cvs.openbsd.org 2011/09/30 21:22:49
...
[sshd.c]
fix inverted test that caused logspam; spotted by henning@
2011-10-02 19:10:13 +11:00
Darren Tucker
95125e5f43
ChangeLog entry for sshd.c rev 1.409
2011-10-02 19:09:07 +11:00
Darren Tucker
af1a60ec4f
- djm@cvs.openbsd.org 2011/09/25 05:44:47
...
[auth2-pubkey.c]
improve the AuthorizedPrincipalsFile debug log message to include
file and line number
2011-10-02 18:59:59 +11:00
Darren Tucker
68afb8c5f2
- markus@cvs.openbsd.org 2011/09/23 07:45:05
...
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h]
unbreak remote portforwarding with dynamic allocated listen ports:
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@
2011-10-02 18:59:03 +11:00
Darren Tucker
1338b9e067
- dtucker@cvs.openbsd.org 2011/09/23 00:22:04
...
[channels.c auth-options.c servconf.c channels.h sshd.8]
Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857 , ok djm markus.
2011-10-02 18:57:35 +11:00
Darren Tucker
036876cd7d
- (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm
2011-10-01 18:46:12 +10:00
Darren Tucker
b54f50e5d0
- (dtucker) [configure.ac openbsd-compat/Makefile.in
...
openbsd-compat/strnlen.c] Add strnlen to the compat library.
2011-09-29 23:17:18 +10:00
Damien Miller
5ffe1c4b43
- (djm) [configure.ac defines.h] No need to detect sizeof(char); patch
...
from des AT des.no
2011-09-29 11:11:51 +10:00
Damien Miller
d1a74580f8
- (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion
...
of static __findenv() function from upstream setenv.c
2011-09-23 11:26:34 +10:00
Damien Miller
3e6fe87ef9
- otto@cvs.openbsd.org 2008/12/09 19:38:38
...
[openbsd-compat/inet_ntop.c]
fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon
2011-09-23 11:16:09 +10:00
Damien Miller
64efe9671d
- (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid
...
marker. The upstream API has changed (function and structure names)
enough to put it out of sync with other providers of this interface.
2011-09-23 11:13:00 +10:00
Damien Miller
4888671343
- (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version.
...
The file was totally rewritten between what we had in tree and -current.
2011-09-23 10:56:29 +10:00
Damien Miller
3a359b3228
- millert@cvs.openbsd.org 2008/08/21 16:54:44
...
[mktemp.c]
Remove useless code, the kernel will set errno appropriately if an
element in the path does not exist. OK deraadt@ pvalchev@
2011-09-23 10:47:29 +10:00
Damien Miller
dc0e09b41c
- deraadt@cvs.openbsd.org 2008/07/22 21:47:45
...
[mktemp.c]
use arc4random_uniform(); ok djm millert
2011-09-23 10:46:48 +10:00
Damien Miller
cd92790fcb
- (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the
...
upstream version is YPified and we don't want this
2011-09-23 10:44:03 +10:00
Damien Miller
834e820317
- tobias@cvs.openbsd.org 2007/10/21 11:09:30
...
[mktemp.c]
Comment fix about time consumption of _gettemp.
FreeBSD did this in revision 1.20.
OK deraadt@, krw@
2011-09-23 10:42:02 +10:00
Damien Miller
acdf3fbdba
- (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no
...
longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
want this longhand version)
2011-09-23 10:40:50 +10:00
Damien Miller
add1e20802
- millert@cvs.openbsd.org 2006/05/05 15:27:38
...
[strlcpy.c]
Convert do {} while loop -> while {} for clarity. No binary change
on most architectures. From Oliver Smith. OK deraadt@ and henning@
2011-09-23 10:38:01 +10:00
Damien Miller
d7be70d052
- djm@cvs.openbsd.org 2011/09/22 06:29:03
...
[sftp.c]
don't let remote_glob() implicitly sort its results in do_globbed_ls() -
in all likelihood, they will be resorted anyway
2011-09-22 21:43:06 +10:00
Damien Miller
57c38ac7d5
- markus@cvs.openbsd.org 2011/09/12 08:46:15
...
[sftp-client.c]
fix leak in do_lsreaddir(); ok djm
2011-09-22 21:42:45 +10:00
Damien Miller
3decdba425
- markus@cvs.openbsd.org 2011/09/11 16:07:26
...
[sftp-client.c]
fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron
2011-09-22 21:41:05 +10:00
Damien Miller
1bcbd0a9de
- okan@cvs.openbsd.org 2011/09/11 06:59:05
...
[ssh.1]
document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
Damien Miller
ff773644e6
- markus@cvs.openbsd.org 2011/09/10 22:26:34
...
[channels.c channels.h clientloop.c ssh.1]
support cancellation of local/dynamic forwardings from ~C commandline;
ok & feedback djm@
2011-09-22 21:39:48 +10:00
Damien Miller
f6dff7cd2f
- djm@cvs.openbsd.org 2011/09/09 22:46:44
...
[channels.c channels.h clientloop.h mux.c ssh.c]
support for cancelling local and remote port forwards via the multiplex
socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00
Damien Miller
9ee2c606c1
- djm@cvs.openbsd.org 2011/09/09 22:38:21
...
[sshd.c]
kill the preauth privsep child on fatal errors in the monitor;
ok markus@
2011-09-22 21:38:30 +10:00
Damien Miller
0603d98b4e
- djm@cvs.openbsd.org 2011/09/09 22:37:01
...
[scp.c]
suppress adding '--' to remote commandlines when the first argument
does not start with '-'. saves breakage on some difficult-to-upgrade
embedded/router platforms; feedback & ok dtucker ok markus
2011-09-22 21:38:00 +10:00
Damien Miller
4cb855b070
- djm@cvs.openbsd.org 2011/09/09 00:44:07
...
[PROTOCOL.mux]
MUX_C_CLOSE_FWD includes forward type in message (though it isn't
implemented anyway)
2011-09-22 21:37:38 +10:00
Damien Miller
f6e758cdba
- djm@cvs.openbsd.org 2011/09/09 00:43:00
...
[ssh_config.5 sshd_config.5]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:37:13 +10:00
Damien Miller
6232a16a9a
- deraadt@cvs.openbsd.org 2011/09/07 02:18:31
...
[ssh-keygen.1]
typo (they vs the) found by Lawrence Teo
2011-09-22 21:36:00 +10:00
Damien Miller
e029673f1f
- jmc@cvs.openbsd.org 2011/09/05 07:01:44
...
[scp.1]
knock out a useless Ns;
2011-09-22 21:34:56 +10:00
Damien Miller
2918e030fc
- djm@cvs.openbsd.org 2011/09/05 05:59:08
...
[misc.c]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:34:35 +10:00
Damien Miller
e577772a89
- djm@cvs.openbsd.org 2011/09/05 05:56:13
...
[scp.1 sftp.1]
mention ControlPersist and KbdInteractiveAuthentication in the -o
verbiage in these pages too (prompted by jmc@)
2011-09-22 21:34:15 +10:00
Damien Miller
efad727517
- djm@cvs.openbsd.org 2011/08/26 01:45:15
...
[ssh.1]
Add some missing ssh_config(5) options that can be used in ssh(1)'s
-o argument. Patch from duclare AT guu.fi
2011-09-22 21:33:53 +10:00
Damien Miller
e128a50e35
- djm@cvs.openbsd.org 2011/09/22 06:27:29
...
[glob.c]
fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
applied only to the gl_pathv vector and not the corresponding gl_statv
array. reported in OpenSSH bz#1935; feedback and okay matthew@
2011-09-22 21:22:21 +10:00
Damien Miller
c4bf7dde92
- stsp@cvs.openbsd.org 2011/09/20 10:18:46
...
[glob.c]
In glob(3), limit recursion during matching attempts. Similar to
fnmatch fix. Also collapse consecutive '*' (from NetBSD).
ok miod deraadt
2011-09-22 21:21:48 +10:00
Damien Miller
e01a627047
- pyr@cvs.openbsd.org 2011/05/12 07:15:10
...
[openbsd-compat/glob.c]
When the max number of items for a directory has reached GLOB_LIMIT_READDIR
an error is returned but closedir() is not called.
spotted and fix provided by Frank Denis obsd-tech@pureftpd.org
ok otto@, millert@
2011-09-22 21:20:21 +10:00
Darren Tucker
e8a82c5faf
- (dtucker) [entropy.h] Bug #1932 : remove old definition of init_rng. From
...
Colin Watson.
2011-09-09 11:29:40 +10:00
Damien Miller
022ee24197
- (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon
2011-09-07 09:15:02 +10:00
Damien Miller
fb9d8173f0
- (djm) [README version.h] Correct version
2011-09-07 09:11:53 +10:00
Damien Miller
8e4a71e952
- (djm) Release OpenSSH-5.9
2011-09-05 15:39:20 +10:00
Damien Miller
86dcd3e45a
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers.
2011-09-05 10:29:04 +10:00
Darren Tucker
0dd24e02ec
- (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929 : add null implementations
...
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
Damien Miller
6efd94f32e
- (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal
...
regress errors for the sandbox to warnings. ok tim dtucker
2011-09-04 19:04:16 +10:00
Damien Miller
58ac11a2bd
- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
...
to switch SELinux context away from unconfined_t, based on patch from
Jan Chadima; bz#1919 ok dtucker@
2011-08-29 16:09:52 +10:00
Darren Tucker
4438354870
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
2011-08-28 04:50:16 +10:00
Tim Rice
a6e60616be
- (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze
2011-08-17 21:48:22 -07:00
Damien Miller
2df1bec086
- (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2
...
MAC tests for platforms that hack EVP_SHA2 support
2011-08-17 12:25:46 +10:00
Damien Miller
062fa30532
- djm@cvs.openbsd.org 2011/08/02 01:23:41
...
[regress/cipher-speed.sh regress/try-ciphers.sh]
add SHA256/SHA512 based HMAC modes
2011-08-17 12:10:02 +10:00
Damien Miller
faf4d80420
- markus@cvs.openbsd.org 2011/06/30 22:44:43
...
[connect-privsep.sh]
test with sandbox enabled; ok djm@
2011-08-17 12:09:19 +10:00
Damien Miller
9231c8bde4
- dtucker@cvs.openbsd.org 2011/06/03 05:35:10
...
[regress/cfgmatch.sh]
use OBJ to find test configs, patch from Tim Rice
2011-08-17 12:08:15 +10:00
Damien Miller
44a6c9340a
- (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by
...
bisson AT archlinux.org
2011-08-17 12:01:44 +10:00
Damien Miller
1a91c0f163
- (djm) [configure.ac] error out if the host lacks the necessary bits for
...
an explicitly requested sandbox type
2011-08-17 11:59:25 +10:00
Damien Miller
9c08312968
- (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
...
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
2011-08-17 11:31:07 +10:00
Tim Rice
a1226828ad
- (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for
...
OpenSSL 0.9.7. ok djm
2011-08-16 17:29:01 -07:00
Damien Miller
d1eb1dd5ed
- (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the
...
identify file contained whitespace. bz#1828 patch from gwenael.lambrouin
AT gmail.com; ok dtucker@
2011-08-12 11:22:47 +10:00
Damien Miller
2db9977c06
- (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init]
...
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES
init scrips from imorgan AT nas.nasa.gov
2011-08-12 11:02:35 +10:00
Darren Tucker
4d47ec9c89
- (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context
...
change error by reporting old and new context names Patch from
jchadima at redhat.
2011-08-12 10:12:53 +10:00
Darren Tucker
ddccfb4b98
- dtucker@cvs.openbsd.org 2011/08/07 12:55:30
...
[sftp.1]
typo, fix from Laurent Gautrot
2011-08-07 23:12:26 +10:00
Darren Tucker
91e6b57729
- jmc@cvs.openbsd.org 2010/10/14 20:41:28
...
[moduli.5]
probabalistic -> probabilistic; from naddy
2011-08-07 23:10:56 +10:00
Darren Tucker
f279474f1b
- sobrado@cvs.openbsd.org 2009/10/28 08:56:54
...
[moduli.5]
"Diffie-Hellman" is the usual spelling for the cryptographic protocol
first published by Whitfield Diffie and Martin Hellman in 1976.
ok jmc@
2011-08-07 23:10:11 +10:00
Darren Tucker
578451ddda
- (dtucker) OpenBSD CVS Sync
...
- jmc@cvs.openbsd.org 2008/06/26 06:59:39
[moduli.5]
tweak previous;
2011-08-07 23:09:20 +10:00
Damien Miller
765f8c4eff
- djm@cvs.openbsd.org 2011/08/02 23:15:03
...
[ssh.c]
typo in comment
2011-08-06 06:18:16 +10:00
Damien Miller
c471860d25
- djm@cvs.openbsd.org 2011/08/02 23:13:01
...
[version.h]
crank now, release later
2011-08-06 06:17:48 +10:00
Damien Miller
20bd4535c0
- djm@cvs.openbsd.org 2011/08/02 01:22:11
...
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
Damien Miller
adb467fb69
- markus@cvs.openbsd.org 2011/08/01 19:18:15
...
[gss-serv.c]
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
report Adam Zabrock; ok djm@, deraadt@
2011-08-06 06:16:46 +10:00
Damien Miller
35e48198a8
- djm@cvs.openbsd.org 2011/07/29 14:42:45
...
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
2011-08-06 06:16:23 +10:00
Damien Miller
6ea5e44871
- tedu@cvs.openbsd.org 2011/07/06 18:09:21
...
[authfd.c]
bzero the agent address. the kernel was for a while very cranky about
these things. evne though that's fixed, always good to initialize
memory. ok deraadt djm
2011-08-06 06:16:00 +10:00
Damien Miller
7741ce8bd2
- djm@cvs.openbsd.org 2011/06/23 23:35:42
...
[monitor.c]
ignore EINTR errors from poll()
2011-08-06 06:15:15 +10:00
Damien Miller
cd5e52ee78
- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
...
Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing
markus@
2011-06-27 07:18:18 +10:00
Damien Miller
dcbd41e7af
- djm@cvs.openbsd.org 2011/06/23 09:34:13
...
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable
2011-06-23 19:45:51 +10:00
Damien Miller
80b62e3738
- (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support
...
setrlimit(2)
2011-06-23 19:03:18 +10:00
Damien Miller
6d7b4377dd
- djm@cvs.openbsd.org 2011/06/22 22:08:42
...
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
hook up a channel confirm callback to warn the user then requested X11
forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
Damien Miller
69ff1df952
- djm@cvs.openbsd.org 2011/06/22 21:57:01
...
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
2011-06-23 08:30:03 +10:00
Damien Miller
82c558761d
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/06/22 21:47:28
[servconf.c]
reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-23 08:20:30 +10:00
Damien Miller
4ac99c366c
- djm@cvs.openbsd.org 2011/06/17 21:57:25
...
[clientloop.c]
setproctitle for a mux master that has been gracefully stopped;
bz#1911 from Bert.Wesarg AT googlemail.com
2011-06-20 14:43:31 +10:00
Damien Miller
33322127ec
- djm@cvs.openbsd.org 2011/06/17 21:47:35
...
[servconf.c]
factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@
2011-06-20 14:43:11 +10:00
Damien Miller
f145a5be1c
- djm@cvs.openbsd.org 2011/06/17 21:46:16
...
[sftp-server.c]
the protocol version should be unsigned; bz#1913 reported by mb AT
smartftp.com
2011-06-20 14:42:51 +10:00
Damien Miller
8f0bf237d4
- djm@cvs.openbsd.org 2011/06/17 21:44:31
...
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 14:42:23 +10:00
Damien Miller
e7ac2bd42a
- markus@cvs.openbsd.org 2011/06/14 22:49:18
...
[authfile.c]
make sure key_parse_public/private_rsa1() no longer consumes its input
buffer. fixes ssh-add for passphrase-protected ssh1-keys;
noted by naddy@; ok djm@
2011-06-20 14:23:25 +10:00
Damien Miller
6029e076b2
- djm@cvs.openbsd.org 2011/06/04 00:10:26
...
[ssh_config.5]
explain IdentifyFile's semantics a little better, prompted by bz#1898
ok dtucker jmc
2011-06-20 14:22:49 +10:00
Tim Rice
bc481570d1
- (tim) [regress/cfgmatch.sh] Build/test out of tree fix.
2011-06-02 22:26:19 -07:00
Darren Tucker
bf4d05a37c
- dtucker@cvs.openbsd.org 2011/06/03 00:29:52
...
[regress/dynamic-forward.sh]
Retry establishing the port forwarding after a small delay, should make
the tests less flaky when the previous test is slow to shut down and free
up the port.
2011-06-03 14:19:02 +10:00
Darren Tucker
75e035c34e
- dtucker@cvs.openbsd.org 2011/05/31 02:03:34
...
[regress/dynamic-forward.sh]
work around startup and teardown races; caught by deraadt
2011-06-03 14:18:17 +10:00
Darren Tucker
260c8fbc4d
- dtucker@cvs.openbsd.org 2011/05/31 02:01:58
...
[regress/dynamic-forward.sh]
back out revs 1.6 and 1.5 since it's not reliable
2011-06-03 14:17:27 +10:00
Darren Tucker
3e78a516a0
- dtucker@cvs.openbsd.org 2011/06/03 01:37:40
...
[ssh-agent.c]
Check current parent process ID against saved one to determine if the parent
has exited, rather than attempting to send a zero signal, since the latter
won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn
Gillmor, ok djm@
2011-06-03 14:14:16 +10:00
Damien Miller
c09182f613
- (djm) [configure.ac] enable setproctitle emulation for OS X
2011-06-03 12:11:38 +10:00
Damien Miller
ea2c1a4dc6
- djm@cvs.openbsd.org 2011/06/03 00:54:38
...
[ssh.c]
bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
AT googlemail.com; ok dtucker@
NB. includes additional portability code to enable setproctitle emulation
on platforms that don't support it.
2011-06-03 12:10:22 +10:00
Darren Tucker
c3c7227ccc
add missing changelog entry
2011-06-03 11:20:06 +10:00
Tim Rice
90f42b0705
- (tim) [configure.ac defines.h] Run test program to detect system mail
...
directory. Add --with-maildir option to override. Fixed OpenServer 6
getting it wrong. Fixed many systems having MAIL=/var/mail//username
ok dtucker
2011-06-02 18:17:49 -07:00
Darren Tucker
c412c1567b
- (dtucker) [README version.h contrib/caldera/openssh.spec
...
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
bumps from the 5.8p2 branch into HEAD. ok djm.
2011-06-03 10:35:23 +10:00
Damien Miller
8cb3587336
- djm@cvs.openbsd.org 2011/05/23 03:31:31
...
[regress/cfgmatch.sh]
include testing of multiple/overridden AuthorizedKeysFiles
refactor to simply daemon start/stop and get rid of racy constructs
2011-05-29 21:59:10 +10:00
Damien Miller
295ee63ab2
- djm@cvs.openbsd.org 2011/05/24 07:15:47
...
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
Remove undocumented legacy options UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller
04bb56ef10
- djm@cvs.openbsd.org 2011/05/23 07:24:57
...
[authfile.c]
read in key comments for v.2 keys (though note that these are not
passed over the agent protocol); bz#439, based on patch from binder
AT arago.de; ok markus@
2011-05-29 21:42:08 +10:00
Damien Miller
b9132fc427
- jmc@cvs.openbsd.org 2011/05/23 07:10:21
...
[sshd.8 sshd_config.5]
tweak previous; ok djm
2011-05-29 21:41:40 +10:00
Damien Miller
201f425d29
- djm@cvs.openbsd.org 2011/05/23 03:52:55
...
[sshconnect.c]
remove extra newline
2011-05-29 21:41:03 +10:00
Damien Miller
1dd66e5f74
- djm@cvs.openbsd.org 2011/05/23 03:33:38
...
[auth.c]
make secure_filename() spam debug logs less
2011-05-29 21:40:42 +10:00
Damien Miller
d8478b6a9b
OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
2011-05-29 21:39:36 +10:00
Damien Miller
acacced70b
- dtucker@cvs.openbsd.org 2011/05/20 06:32:30
...
[dynamic-forward.sh]
fix dumb error in dynamic-forward test
2011-05-20 19:08:40 +10:00