RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-01-02 07:42:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
10,251 Commits 69 Branches 157 Tags 27 MiB
84226b447d
Commit Graph

10251 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Darren Tucker
84226b447d Remove mysignal wrapper. 
We switched the main code to use sigaction(), so the wrapper is no
longer used.
 2020-01-23 18:55:24 +11:00
jmc@openbsd.org
5533c2fb7e upstream: new sentence, new line; 
OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925
 2020-01-23 18:51:25 +11:00
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around 
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
 2020-01-23 18:51:25 +11:00
djm@openbsd.org
e027c044c7 upstream: missing header change from previous; spotted by dtucker@ 
OpenBSD-Commit-ID: 321ce74c0a5bbd0f02fa3f20cb5cf2a952c6b96f
 2020-01-23 15:56:17 +11:00
dtucker@openbsd.org
7e1323102b upstream: Check for and warn about StrictModes permission problems. ok tb@ 
OpenBSD-Regress-ID: 4841704ccdee50ee7efc6035bc686695c6ac2991
 2020-01-23 15:49:09 +11:00
dtucker@openbsd.org
84de1c27f8 upstream: Also test PuTTY chacha20. 
OpenBSD-Regress-ID: 7af6a0e8763b05f1f8eee6bca5f31fcb16151040
 2020-01-23 15:48:24 +11:00
dtucker@openbsd.org
c7ed15a396 upstream: Also test PuTTY ecdh kex methods. 
OpenBSD-Regress-ID: ec4017dce612131842398a03e93007a869c2c133
 2020-01-23 15:04:08 +11:00
dtucker@openbsd.org
c4b3a12895 upstream: Remove unsupported algorithms from list of defaults at run 
time and remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any).  ok djm@

OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
 2020-01-23 14:40:15 +11:00
djm@openbsd.org
56cffcc09f upstream: add a new signature operations "find-principal" to look 
up the principal associated with a signature from an allowed-signers file.
Work by Sebastian Kinne; ok dtucker@

OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d
 2020-01-23 13:45:24 +11:00
dtucker@openbsd.org
65cf8730de upstream: Ignore whitespace when checking explict fingerprint. 
When confirming a host key using the fingerprint itself, ignore leading and
trailing whitespace. ok deraadt@ djm@

OpenBSD-Commit-ID: cafd7f803bbdcd40c3a8f8f1a77747e6b6d8c011
 2020-01-23 13:45:24 +11:00
dtucker@openbsd.org
8d3af6ebdf upstream: Increase keyscan timeout from default. On slow hosts 3 
concurrent keyscans can hit the default 5 second timeout, so increase to 15
seconds.

OpenBSD-Regress-ID: 16383dec166af369b7fb9948572856f5d544c93f
 2020-01-22 18:34:01 +11:00
tedu@openbsd.org
6c30c9adbe upstream: remove diffie-hellman-group14-sha1 from default kex to 
see what happens. general mostly ok

OpenBSD-Commit-ID: 216b7b8462d2ef5f4531f26cb2cb839b2153dad9
 2020-01-22 17:17:51 +11:00
claudio@openbsd.org
4a32c0ca44 upstream: For ssh-keygen -lF only add a space after key fingerprint 
when there is a comment. This makes copy-paste of fingerprints into ssh
easier. OK djm@

OpenBSD-Commit-ID: fa01d95624f65c1eb4dc7c575d20d77c78010dfd
 2020-01-22 17:17:51 +11:00
djm@openbsd.org
37d3b73650 upstream: some __func__ and strerror(errno) here; no functional 
change

OpenBSD-Commit-ID: 6c3ddd5f848b99ea560b31d3fba99ceed66cef37
 2020-01-22 17:17:51 +11:00
djm@openbsd.org
e2031b05c7 upstream: factor out parsing of allowed-signers lines 
OpenBSD-Commit-ID: 85ee6aeff608371826019ea85e55bfa87f79d06e
 2020-01-22 17:17:51 +11:00
Damien Miller
47160e1de8 unbreak fuzzer support for recent ssh-sk.h changes 2020-01-22 10:30:13 +11:00
djm@openbsd.org
70d38c3cfd upstream: expose the number of currently-authenticating connections 
along with the MaxStartups limit in the proctitle; suggestion from Philipp
Marek, w/ feedback from Craig Miskell ok dtucker@

OpenBSD-Commit-ID: a4a6db2dc1641a5df8eddf7d6652176e359dffb3
 2020-01-22 09:41:47 +11:00
naddy@openbsd.org
a78c66d5d2 upstream: document the default value of the ControlPersist option; 
ok dtucker@ djm@

OpenBSD-Commit-ID: 0788e7f2b5a9d4e36d3d2ab378f73329320fef66
 2020-01-22 09:41:41 +11:00
Damien Miller
b46a632584 remove accidental change in f8c11461 2020-01-22 09:28:32 +11:00
djm@openbsd.org
80d3bebcab upstream: don't #ifdef out the KRL code when compiling without 
libcrypto support; it works just fine and disabling it breaks a few tests. ok
dtucker@

OpenBSD-Commit-ID: 65f6272c4241eb4b04de78b012fe98b2b555ad44
 2020-01-21 22:10:28 +11:00
djm@openbsd.org
f8c11461aa upstream: pass SSH_SK_HELPER explicitly past $SUDO to avoid it getting 
cleared; with dtucker@

OpenBSD-Regress-ID: 03178a0580324bf0dff28f7eac6c3edbc5407f8e
 2020-01-21 19:08:37 +11:00
djm@openbsd.org
b5fcb0ac1c upstream: check access(ssh-sk-helper, X_OK) to provide friendly 
error message for misconfigured helper paths

OpenBSD-Commit-ID: 061bcc262155d12e726305c91394ac0aaf1f8341
 2020-01-21 18:09:25 +11:00
dtucker@openbsd.org
56bced43c1 upstream: Document sntrup4591761x25519-sha512@tinyssh.org. Patch 
from jtesta@positronsecurity.com via github PR#151.

OpenBSD-Commit-ID: f3d48168623045c258245c340a5a2af7dbb74edc
 2020-01-21 18:09:09 +11:00
djm@openbsd.org
4a05d789b8 upstream: fix ssh-keygen not displaying authenticator touch 
prompt; reported by jmc@

OpenBSD-Commit-ID: 04d4f582fc194eb3897ebcbfe286c49958ba2859
 2020-01-21 18:09:09 +11:00
djm@openbsd.org
881aded038 upstream: a little more verbosity in sign_and_send_pubkey() debug 
messages

OpenBSD-Commit-ID: 6da47a0e6373f6683006f49bc2a516d197655508
 2020-01-21 18:09:09 +11:00
naddy@openbsd.org
b715fdc71b upstream: one more replacement "(security) key" -> "(FIDO) 
authenticator"

OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd
 2020-01-21 18:09:09 +11:00
naddy@openbsd.org
84911da1be upstream: undo merge error and replace the term "security key" 
again

OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395
 2020-01-21 18:09:09 +11:00
naddy@openbsd.org
e8c06c4ee7 upstream: Document loading of resident keys from a FIDO 
authenticator.

* Rename -O to -K to keep "-O option" available.
* Document -K.
* Trim usage() message down to synopsis, like all other commands.

ok markus@

OpenBSD-Commit-ID: 015c2c4b28f8e19107adc80351b44b23bca4c78a
 2020-01-21 18:09:09 +11:00
naddy@openbsd.org
0d005d6372 upstream: sync ssh-keygen.1 and ssh-keygen's usage() with each 
other and reality ok markus@

OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92
 2020-01-21 18:09:09 +11:00
naddy@openbsd.org
b8a4ca2ebf upstream: revise the fix for reversed arguments on 
expand_proxy_command()

Always put 'host' before 'host_arg' for consistency.  ok markus@ djm@

OpenBSD-Commit-ID: 1ba5b25472779f1b1957295fcc6907bb961472a3
 2020-01-21 18:09:09 +11:00
djm@openbsd.org
57b181eaf2 upstream: pass the log-on-stderr flag and log level through to 
ssh-sk-helper, making debugging a bit easier. ok markus@

OpenBSD-Commit-ID: 2e7aea6bf5770d3f38b7c7bba891069256c5a49a
 2020-01-21 18:09:09 +11:00
Damien Miller
a8bd5fdbdb Wrap copy_environment_blacklist() in #ifdef 
It's only needed for USE_PAM or HAVE_CYGWIN cases and will cause compiler
warnings otherwise.
 2020-01-21 12:32:16 +11:00
Damien Miller
10ecc647fc depend 2020-01-21 12:20:05 +11:00
Ruben Kerkhof
b3f7009c9f Fix missing prototype warning for copy_environment 
This function is only used in this file, and only on Cygwin, so make
it static and hide it behind HAVE_CYGWIN.  Prevents missing prototype
warning.
 2020-01-21 10:47:29 +11:00
Ruben Kerkhof
0c428c0e99 configure.ac: fix ldns test 
When running ./configure --with-ldns, if ldns-config cannot be found, we
add -Iyes/include to CPPFLAGS and -Lyes/lib to LDFLAGS. Fix that.
 2020-01-21 10:46:11 +11:00
Ruben Kerkhof
6089abf715 Make sshpam_password_change_required static. 
sshpam_password_change_required is only used in auth-pam.c, so make it
static to prevent a mising prototype warning.
 2020-01-21 10:39:49 +11:00
Ruben Kerkhof
5a9b9c8285 sandbox-darwin.c: fix missing prototypes. 
Include the right header just like the other sandbox files.
Fixes missing prototype warnings for ssh_sandbox_* functions.
 2020-01-21 10:37:25 +11:00
Ruben Kerkhof
335dc93526 Fix a few warnings when on Mac OS X. 
Include stdlib.h for calloc, malloc, free and setenv.
 2020-01-20 21:17:11 +11:00
Ruben Kerkhof
0488dc2d30 Fix building without openssl. 
This fixes the following when there are no openssl headers on the system:
ssh-ecdsa-sk.c:34:10: fatal error: 'openssl/bn.h' file not found
 2020-01-20 21:14:46 +11:00
Ruben Kerkhof
e6b7157b4e Add config.log to .gitignore 2020-01-16 13:27:23 +11:00
Ruben Kerkhof
515e10ddf9 Fix typo in README.md, s/crytpo/crypto/ 2020-01-16 13:26:46 +11:00
Darren Tucker
1af3354aea Wrap stdint.h in ifdef HAVE_STDINT_H. 2020-01-15 16:22:36 +11:00
Darren Tucker
429170f273 Wrap stdint.h inside HAVE_STDINT_H. 2020-01-14 14:41:47 +11:00
Darren Tucker
a0989b6021 Include compat header for definitions. 2020-01-14 14:28:01 +11:00
Darren Tucker
e0cedcad51 Improve search for 'struct timespec'. 
Make struct timespec test consistent with existing timeval test.
Include time.h for timespec in compat header where required.
 2020-01-14 14:28:01 +11:00
Darren Tucker
acaf9e0585 Update depend to remove rmd160.h. 2020-01-14 12:43:03 +11:00
Darren Tucker
26b2675b0c Remove configure test & compat code for ripemd160. 
RIPEMD160 support was removed upstream in 2017, however we still had
a configure test and compat code for it, so clean those up now.
 2020-01-14 12:05:00 +11:00
djm@openbsd.org
ed3ad71b17 upstream: fix reversed arguments on expand_proxy_command(); spotted 
by anton@

OpenBSD-Commit-ID: db1c32478a01dfbc9c4db171de0f25907bea5775
 2020-01-09 21:29:19 +11:00
jmc@openbsd.org
cd53476383 upstream: put the fido options in a list, and tidy up the text a 
little; ok djm

OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
 2020-01-09 21:29:19 +11:00
Jeremy Drake
30f704ebc0 Deny (non-fatal) ipc in preauth privsep child. 
As noted in openssh/openssh-portable#149, i386 does not have have
_NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
list of syscalls that seccomp will deny non-fatally.
 2020-01-08 21:47:44 +11:00