Commit Graph

10729 Commits

Author SHA1 Message Date
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org
9e2c4f6422 upstream: variants of the log methods that append a ssherr.h string
from a supplied error code; ok markus@

OpenBSD-Commit-ID: aed98c4435d48d036ae6740300f6a8357b7cc0bf
2020-10-18 22:34:20 +11:00
djm@openbsd.org
28cb0a4b03 upstream: remove a level of macro indirection; ok markus@
OpenBSD-Commit-ID: 0c529d06e902c5d1a6b231e1bec6157f76dc67c9
2020-10-18 22:33:57 +11:00
djm@openbsd.org
9cac1db52e upstream: add some variant log.h calls that prepend the calling
function name; ok markus@

OpenBSD-Commit-ID: 4be1b2e2455b271ddb7457bc195c5367644f4e48
2020-10-18 22:33:57 +11:00
Damien Miller
d55dfed34e missing header 2020-10-17 22:55:24 +11:00
Damien Miller
999d7cb79a sync regress/misc/sk-dummy/fatal.c 2020-10-17 22:47:52 +11:00
djm@openbsd.org
3554b4afa3 upstream: make the log functions that exit (sshlogdie(),
sshfatal(), etc) have identical signatures. Makes things a bit more
consistent...

OpenBSD-Commit-ID: bd0ae124733389d7c0042e135c71ee9091362eb9
2020-10-17 22:45:37 +11:00
jmc@openbsd.org
616029a85a upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: bb81e2ed5a77832fe62ab30a915ae67cda57633e
2020-10-17 22:45:37 +11:00
Damien Miller
f812a36cee check for and require a C99 capable compiler
recent logging changes use __VA_ARGS__.
2020-10-17 12:03:34 +11:00
Damien Miller
f9ea651520 logging is now macros, remove function pointers 2020-10-17 11:51:20 +11:00
Damien Miller
0f938f9986 adapt sk-dummy's fatal implementation to changes 2020-10-17 11:42:26 +11:00
Damien Miller
afbd9ec9e2 fix netcat build problem 2020-10-17 11:33:13 +11:00
djm@openbsd.org
793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
djm@openbsd.org
752250caab upstream: revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller.
We can use this to selectively enable logging via pattern-lists.

ok markus@

OpenBSD-Commit-ID: 51a472610cbe37834ce6ce4a3f0e0b1ccc95a349
2020-10-17 00:42:29 +11:00
djm@openbsd.org
acadbb3402 upstream: use do_log2 instead of function pointers to different log
functions

OpenBSD-Commit-ID: 88077b826d348c58352a6b394755520f4e484480
2020-10-17 00:37:13 +11:00
djm@openbsd.org
95b0bcfd15 upstream: make UpdateHostkeys still more conservative: refuse to
proceed if one of the keys offered by the server is already in known_hosts
under another name. This avoid collisions between address entries for
different host aliases when CheckHostIP=yes

Also, do not attempt to fix known_hosts with incomplete host/ip matches
when there are no new or deprecated hostkeys.

OpenBSD-Commit-ID: 95c19842f7c41f9bd9c92aa6441a278c0fd0c4a3
2020-10-14 11:57:13 +11:00
kn@openbsd.org
a336ce8c2c upstream: Zap unused family parameter from ssh_connect_direct()
sshconnect.c r1.241 from 2013 made it unused;  found while reading code.

OK djm

OpenBSD-Commit-ID: 219ba6d7f9925d0b7992918612680399d86712b5
2020-10-14 11:57:13 +11:00
Philip Hands
e545d94b71 shift contents of long $() into filter_ids()
This was prompted by the fact that posh does not deal with $()
that contains comments where the comment includes an odd number
of single-quotes. It seems to get befuddled into trying to find
the matching quote.
Regardless, making a function for filtering the unneeded ids
seems much neater than avoiding apostrophes,
so that's what I've done.

SSH-Copy-ID-Upstream: 3dab3366a584427045c8a690a93282f02c09cf24
2020-10-13 12:45:05 +11:00
Philip Hands
fd36017459 combine if/elif to avoid duplication of the action
SSH-Copy-ID-Upstream: 42aeb1cc53d3f7f6e78edc210fb121fda0834914
2020-10-13 12:45:05 +11:00
Philip Hands
f7c3a39b01 shellcheck tidyage
SSH-Copy-ID-Upstream: 5b08f840e78ac544288b3983010a1b0585e966fd
2020-10-13 12:45:05 +11:00
Philip Hands
108676c3f2 tidy up test of $SCRATCH_DIR creation
SSH-Copy-ID-Upstream: 2d8b22d96c105d87743ffe8874887b06f8989b93
2020-10-13 12:44:38 +11:00
Philip Hands
a9c9e91a82 add -s flag: to install keys via SFTP
This is prompted by:

 https://bugzilla.mindrot.org/show_bug.cgi?id=3201

Thanks go to Matthias Blümel for the idea, and the helpful patch, from
which this patch grew.

SSH-Copy-ID-Upstream: f7c76dc64427cd20287a6868f672423b62057614
2020-10-13 11:52:47 +11:00
djm@openbsd.org
f92424970c upstream: UpdateHostkeys: check for keys under other names
Stop UpdateHostkeys from automatically removing deprecated keys from
known_hosts files if the same keys exist under a different name or
address to the host that is being connected to.

This avoids UpdateHostkeys from making known_hosts inconsistent in
some cases. For example, multiple host aliases sharing address-based
known_hosts on different lines, or hosts that resolves to multiple
addresses.

ok markus@

OpenBSD-Commit-ID: 6444a705ba504c3c8ccddccd8d1b94aa33bd11c1
2020-10-12 11:22:55 +11:00
djm@openbsd.org
d98f14b532 upstream: UpdateHostkeys: better CheckHostIP handling
When preparing to update the known_hosts file, fully check both
entries for both the host and the address (if CheckHostIP enabled)
and ensure that, at the end of the operation, entries for both are
recorded.

Make sure this works with HashKnownHosts too, which requires maintaining
a list of entry-types seen across the whole file for each key.

ok markus@

OpenBSD-Commit-ID: 374dc263103f6b343d9671f87dbf81ffd0d6abdd
2020-10-12 11:22:55 +11:00
djm@openbsd.org
af5941ae9b upstream: UpdateHostkeys: better detect manual host entries
Disable UpdateHostkeys if the known_hosts line has more than two
entries in the pattern-list. ssh(1) only writes "host" or "host,ip"
lines so anything else was added by a different tool or by a human.

ok markus@

OpenBSD-Commit-ID: e434828191fb5f3877d4887c218682825aa59820
2020-10-12 11:22:55 +11:00
djm@openbsd.org
6247812c76 upstream: don't misdetect comma-separated hostkey names as wildcards;
spotted by naddy@

OpenBSD-Commit-ID: 4b874edfec7fc324a21b130bdb42f912177739ce
2020-10-09 18:39:17 +11:00
wangxp006
67146c7d02 fix TEST_MALLOC_OPTIONS var 2020-10-08 21:15:17 +11:00
djm@openbsd.org
3205eaa3f8 upstream: clarify conditions for UpdateHostkeys
OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
2020-10-08 12:28:06 +11:00
djm@openbsd.org
e8dfca9bfe upstream: remove GlobalKnownHostsFile for this test after
UpdateHostkeys change

OpenBSD-Regress-ID: a940ad79d59343319613ba8fc46b6ef24aa3f8e1
2020-10-07 17:39:17 +11:00
djm@openbsd.org
4aa2717d75 upstream: Disable UpdateHostkeys when hostkey checking fails
If host key checking fails (i.e. a wrong host key is recorded for the
server) and the user elects to continue (via StrictHostKeyChecking=no),
then disable UpdateHostkeys for the session.

reminded by Mark D. Baushke; ok markus@

OpenBSD-Commit-ID: 98b524f121f4252309dd21becd8c4cacb0c6042a
2020-10-07 13:34:11 +11:00
djm@openbsd.org
04c06d0447 upstream: Fix UpdateHostkeys/HashKnownHosts/CheckHostIP bug
When all of UpdateHostkeys, HashKnownHosts and ChechHostIP
were enabled and new host keys were learned, known_hosts IP
entries were not being recorded for new host keys.

reported by matthieu@ ok markus@

OpenBSD-Commit-ID: a654a8290bd1c930aac509e8158cf85e42e49cb7
2020-10-07 13:34:11 +11:00
djm@openbsd.org
b70e337112 upstream: don't UpdateHostkeys when the hostkey is verified by the
GlobalKnownHostsFile file, support only UserKnownHostsFile matches

suggested by Mark D. Baushke; feedback and ok markus@

OpenBSD-Commit-ID: eabb771a6add676c398d38a143a1aff5f04abbb9
2020-10-07 13:34:11 +11:00
djm@openbsd.org
aa623142e4 upstream: revert kex->flags cert hostkey downgrade back to a plain
key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.

ok markus@

OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
2020-10-07 13:34:11 +11:00
djm@openbsd.org
f4f14e023c upstream: simply disable UpdateHostkeys when a certificate
successfully authenticated the host; simpler than the complicated plumbing
via kex->flags we have now.

ok markus@

OpenBSD-Commit-ID: 80e39644eed75717d563a7f177e8117a0e14f42c
2020-10-07 13:34:11 +11:00
djm@openbsd.org
e79957e877 upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS is
enabled; suggested by Mark D. Baushke

OpenBSD-Commit-ID: 85a1b88592c81bc85df7ee7787dbbe721a0542bf
2020-10-07 13:34:11 +11:00
dtucker@openbsd.org
3d4c2016ba upstream: Agent protocol draft is now at rev 4. ok djm@
OpenBSD-Commit-ID: 8c01ea3aae48aab45e01b7421b0fca2dad5e7837
2020-10-07 13:34:11 +11:00
djm@openbsd.org
af889a40ff upstream: when ordering host key algorithms in the client, consider
the ECDSA key subtype; ok markus@

OpenBSD-Commit-ID: 3097686f853c61ff61772ea35f8b699931392ece
2020-10-07 13:33:12 +11:00
dtucker@openbsd.org
2d39fc9f7e upstream: Allow full range of UIDs and GIDs for sftp chown and
chgrp on 32bit platforms instead of being limited by LONG_MAX.  bz#3206,
found by booking00 at sina.cn, ok markus@

OpenBSD-Commit-ID: 373b7bbf1f15ae482d39567ce30d18b51c9229b5
2020-10-07 13:33:12 +11:00
djm@openbsd.org
396d32f3a1 upstream: There are lots of place where we want to redirect stdin,
stdout and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these to redirect.
ok markus@

OpenBSD-Commit-ID: 3033ba5a4c47cacfd5def020d42cabc52fad3099
2020-10-03 19:34:24 +10:00
djm@openbsd.org
1286981d08 upstream: enable UpdateHostkeys by default when the configuration
has not overridden UserKnownHostsFile; ok markus@ "The timing is perfect"
deraadt@

OpenBSD-Commit-ID: 62df71c9c5242da5763cb473c2a2deefbd0cef60
2020-10-03 18:31:49 +10:00
djm@openbsd.org
332f215372 upstream: disable UpdateHostkeys when a wildcard hostname pattern
is encountered or when a certificate host key is in use. feedback/ok markus@

OpenBSD-Commit-ID: b6e5575af7e6732322be82ec299e09051a5413bd
2020-10-03 18:31:49 +10:00
djm@openbsd.org
13cee44ef9 upstream: record when the host key checking code downgrades a
certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@

OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
2020-10-03 18:31:49 +10:00
djm@openbsd.org
12ae8f95e2 upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@

OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-10-03 14:34:06 +10:00
djm@openbsd.org
e5ed753add upstream: want time.h here too
OpenBSD-Commit-ID: fafee8f1108c64ad8b282f9a1ed5ea830d8c58a7
2020-10-03 14:33:58 +10:00
deraadt@openbsd.org
66bd9fdf8b upstream: split introductory paragraph, and insert ominous words about
the glob issue, which cannot be fully fixed and really requires completely
replacing scp with a completely different subsystem. team effort to find the
right words..

OpenBSD-Commit-ID: 58e1f72d292687f63eb357183036ee242513691c
2020-10-03 13:39:22 +10:00
Damien Miller
86cc8ce002 use relative rather than system include here 2020-10-03 13:39:17 +10:00
Damien Miller
922cfac5ed add some openbsd-compat licenses we missed 2020-10-03 13:39:17 +10:00
Philip Hands
ce941c75ea un-nest $() to make ksh cheerful 2020-10-03 09:26:00 +10:00
Philip Hands
18ea5f4b88 ksh doesn't grok 'local'
and AFAICT it's not actually doing anything useful in the code, so let's
see how things go without it.
2020-10-03 09:25:32 +10:00
Oleg
d9e727dcc0 Fix EOF: command not found error in ssh-copy-id 2020-10-03 09:20:55 +10:00