Commit Graph

5356 Commits

Author SHA1 Message Date
Darren Tucker
535b5e1721 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
2010-01-08 18:56:48 +11:00
Darren Tucker
75456e8ab2 - stevesk@cvs.openbsd.org 2009/12/25 19:40:21
[readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
     validate routing domain is in range 0-RT_TABLEID_MAX.
     'Looks right' deraadt@
2010-01-08 18:55:58 +11:00
Darren Tucker
f2705c8b7d - djm@cvs.openbsd.org 2009/12/20 23:20:40
[PROTOCOL]
     fix an incorrect magic number and typo in PROTOCOL; bz#1688
     report and fix from ueno AT unixuser.org
2010-01-08 18:54:17 +11:00
Darren Tucker
b8c884a0ba - guenther@cvs.openbsd.org 2009/12/20 07:28:36
[ssh.c sftp.c scp.c]
     When passing user-controlled options with arguments to other programs,
     pass the option and option argument as separate argv entries and
     not smashed into one (e.g., as -l foo and not -lfoo).  Also, always
     pass a "--" argument to stop option parsing, so that a positional
     argument that starts with a '-' isn't treated as an option.  This
     fixes some error cases as well as the handling of hostnames and
     filenames that start with a '-'.
     Based on a diff by halex@
     ok halex@ djm@ deraadt@
2010-01-08 18:53:43 +11:00
Darren Tucker
57e0d01260 - markus@cvs.openbsd.org 2009/12/11 18:16:33
[key.c]
     switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
     for the RSA public exponent; discussed with provos; ok djm@
2010-01-08 18:52:27 +11:00
Darren Tucker
b5082e90a1 - dtucker@cvs.openbsd.org 2009/12/06 23:53:54
[sftp.c]
     fix potential divide-by-zero in sftp's "df" output when talking to a server
     that reports zero files on the filesystem (Unix filesystems always have at
     least the root inode).  From Steve McClellan at radisys, ok djm@
2010-01-08 18:51:47 +11:00
Darren Tucker
75694dbe77 - djm@cvs.openbsd.org 2009/12/06 23:53:45
[roaming_common.c]
     use socklen_t for getsockopt optlen parameter; reported by
     Steve.McClellan AT radisys.com, ok dtucker@
2010-01-08 18:51:14 +11:00
Darren Tucker
5246df47a4 - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
[sshconnect2.c]
     zap unused variable and strlen; from Steve McClellan, ok djm
2010-01-08 18:50:46 +11:00
Darren Tucker
c4dc4f5bac - halex@cvs.openbsd.org 2009/11/22 13:18:00
[sftp.c]
     make passing of zero-length arguments to ssh safe by
     passing "-<switch>" "<value>" rather than "-<switch><value>"
     ok dtucker@, guenther@, djm@
2010-01-08 18:50:04 +11:00
Darren Tucker
70d87693f4 - djm@cvs.openbsd.org 2009/11/20 03:24:07
[misc.c]
     correct off-by-one in percent_expand(): we would fatal() when trying
     to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
     work.  Note that nothing in OpenSSH actually uses close to this limit at
     present.  bz#1607 from Jan.Pechanec AT Sun.COM
2010-01-08 18:49:16 +11:00
Darren Tucker
ab79169e29 - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
[sshconnect2.c]
     Use the HostKeyAlias when prompting for passwords.  bz#1039, ok djm@
2010-01-08 18:48:02 +11:00
Darren Tucker
210631922f - djm@cvs.openbsd.org 2009/11/20 00:54:01
[sftp.c]
     bz#1588 change "Connecting to host..." message to "Connected to host."
     and delay it until after the sftp protocol connection has been established.
     Avoids confusing sequence of messages when the underlying ssh connection
     experiences problems. ok dtucker@
2010-01-08 17:10:36 +11:00
Darren Tucker
c3dc404113 - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
[session.c]
     Warn but do not fail if stat()ing the subsystem binary fails.  This helps
     with chrootdirectory+forcecommand=sftp-server and restricted shells.
     bz #1599, ok djm.
2010-01-08 17:09:50 +11:00
Darren Tucker
d6b06a9f39 - djm@cvs.openbsd.org 2009/11/19 23:39:50
[session.c]
     bz#1606: error when an attempt is made to connect to a server
     with ForceCommand=internal-sftp with a shell session (i.e. not a
     subsystem session). Avoids stuck client when attempting to ssh to such a
     service. ok dtucker@
2010-01-08 17:09:11 +11:00
Darren Tucker
2944082b3f - djm@cvs.openbsd.org 2009/11/17 05:31:44
[clientloop.c]
     fix incorrect exit status when multiplexing and channel ID 0 is recycled
     bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
2010-01-08 17:08:35 +11:00
Darren Tucker
876045b0fb - markus@cvs.openbsd.org 2009/11/11 21:37:03
[channels.c channels.h]
     fix race condition in x11/agent channel allocation: don't read after
     the end of the select read/write fdset and make sure a reused FD
     is not touched before the pre-handlers are called.
     with and ok djm@
2010-01-08 17:08:00 +11:00
Darren Tucker
6e7fe1c01b - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
[sshconnect2.c channels.c sshconnect.c]
     Set close-on-exec on various descriptors so they don't get leaked to
     child processes.  bz #1643, patch from jchadima at redhat, ok deraadt.
2010-01-08 17:07:22 +11:00
Darren Tucker
f788a91624 - djm@cvs.openbsd.org 2009/11/10 02:58:56
[sshd_config.5]
     clarify that StrictModes does not apply to ChrootDirectory. Permissions
     and ownership are always checked when chrooting. bz#1532
2010-01-08 17:06:47 +11:00
Darren Tucker
78be8c54d6 - djm@cvs.openbsd.org 2009/11/10 02:56:22
[ssh_config.5]
     explain the constraints on LocalCommand some more so people don't
     try to abuse it.
2010-01-08 17:05:59 +11:00
Darren Tucker
cc117f0deb - jmc@cvs.openbsd.org 2009/10/28 21:45:08
[sshd_config.5 sftp.1]
     tweak previous;
2010-01-08 17:05:26 +11:00
Darren Tucker
34e314da1b - reyk@cvs.openbsd.org 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
2010-01-08 17:03:46 +11:00
Darren Tucker
f1de4e5228 - andreas@cvs.openbsd.org 2009/10/24 11:23:42
[ssh.c]
     Request roaming to be enabled if UseRoaming is true and the server
     supports it.
     ok markus@
2010-01-08 16:54:59 +11:00
Darren Tucker
e730118bf4 - andreas@cvs.openbsd.org 2009/10/24 11:22:37
[roaming_common.c]
     Do the actual suspend/resume in the client. This won't be useful until
     the server side supports roaming.
     Most code from Martin Forssen, maf at appgate dot com. Some changes by
     me and markus@
     ok markus@
2010-01-08 16:53:31 +11:00
Darren Tucker
f9e6eb8f22 - andreas@cvs.openbsd.org 2009/10/24 11:19:17
[ssh2.h]
     Define the KEX messages used when resuming a suspended connection.
     ok markus@
2010-01-08 16:52:32 +11:00
Darren Tucker
e32cf43106 - andreas@cvs.openbsd.org 2009/10/24 11:15:29
[clientloop.c]
     client_loop() must detect if the session has been suspended and resumed,
     and take appropriate action in that case.
     From Martin Forssen, maf at appgate dot com
     ok markus@
2010-01-08 16:51:40 +11:00
Darren Tucker
36331b5d6c - andreas@cvs.openbsd.org 2009/10/24 11:13:54
[sshconnect2.c kex.h kex.c]
     Let the client detect if the server supports roaming by looking
     for the resume@appgate.com kex algorithm.
     ok markus@
2010-01-08 16:50:41 +11:00
Darren Tucker
b7b17be4c0 - andreas@cvs.openbsd.org 2009/10/24 11:11:58
[roaming.h]
     Declarations needed for upcoming changes.
     ok markus@
2010-01-08 16:49:52 +11:00
Tim Rice
880ab0d84e - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
Gzip all man pages. Patch from Corinna Vinschen.
2009-12-26 15:40:47 -08:00
Darren Tucker
1bf3503c9d - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
Bug #1583: Use system's kerberos principal name on AIX if it's available.
   Based on a patch from and tested by Miguel Sanders.
2009-12-21 10:49:21 +11:00
Darren Tucker
c8802aac28 - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
based on a patch from Vaclav Ovsik and Colin Watson.  ok djm.
2009-12-08 13:39:48 +11:00
Darren Tucker
d35e0ef616 - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass. 2009-12-07 11:32:36 +11:00
Darren Tucker
1533311f4c - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
Tested by Martin Paljak.
2009-12-07 11:15:43 +11:00
Tim Rice
53e9974007 - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
Bug 1628. OK dtucker@
2009-11-20 19:32:15 -08:00
Damien Miller
409661f0d9 - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
line arguments as none are supported. Exit when passed unrecognised
   commandline flags. bz#1568 from gson AT araneus.fi
2009-11-20 15:16:35 +11:00
Damien Miller
2191e04549 - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
bz#1645, patch from jchadima AT redhat.com
2009-11-18 17:51:59 +11:00
Damien Miller
04ee0f8f12 - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
   setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
   report and fix from jan.kratochvil AT redhat.com
2009-11-18 17:48:30 +11:00
Darren Tucker
df6578bb4d - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
keys when built with OpenSSL versions that don't do AES.
2009-11-07 16:03:14 +11:00
Darren Tucker
e89ed1cfca - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
older versions of OpenSSL.
2009-11-05 20:43:16 +11:00
Darren Tucker
4d6656b103 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
is enabled set the security context to "sftpd_t" before running the
   internal sftp server   Based on a patch from jchadima at redhat.
2009-10-24 15:04:12 +11:00
Darren Tucker
6ac91a7c83 - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro. 2009-10-24 11:52:42 +11:00
Darren Tucker
199ee6ff07 - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
[ssh-keygen.1]
     ssh-keygen now uses AES-128 for private keys
2009-10-24 11:50:17 +11:00
Darren Tucker
2f29a8caba - djm@cvs.openbsd.org 2009/10/23 01:57:11
[sshconnect2.c]
     disallow a hostile server from checking jpake auth by sending an
     out-of-sequence success message. (doesn't affect code enabled by default)
2009-10-24 11:47:58 +11:00
Darren Tucker
dfb9b71650 - djm@cvs.openbsd.org 2009/10/22 22:26:13
[authfile.c]
     switch from 3DES to AES-128 for encryption of passphrase-protected
     SSH protocol 2 private keys; ok several
2009-10-24 11:46:43 +11:00
Darren Tucker
98c9aec30e - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
[ssh-agent.1 ssh-add.1 ssh.1]
     write UNIX-domain in a more consistent way; while here, replace a
     few remaining ".Tn UNIX" macros with ".Ux" ones.
     pointed out by ratchov@, thanks!
     ok jmc@
2009-10-24 11:42:44 +11:00
Darren Tucker
ae69e1d010 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
[ssh.1 ssh-agent.1 ssh-add.1]
     use the UNIX-related macros (.At and .Ux) where appropriate.
     ok jmc@
2009-10-24 11:41:34 +11:00
Darren Tucker
49b7e23545 - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
[sftp-server.c]
     sort flags.
2009-10-24 11:41:05 +11:00
Darren Tucker
1b118881b8 - (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2009/10/11 23:03:15
     [hostfile.c]
     mention the host name that we are looking for in check_host_in_hostfile()
2009-10-24 11:40:32 +11:00
Darren Tucker
e23a79cbed - markus@cvs.openbsd.org 2009/10/08 18:04:27
[regress/test-exec.sh]
     re-enable protocol v1 for the tests.
2009-10-12 09:37:22 +11:00
Darren Tucker
438b47320c - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
[sftp-client.c]
     d_type isn't portable so use lstat to get dirent modes.  Suggested by and
     "looks sane" deraadt@
2009-10-11 21:52:10 +11:00
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00