Commit Graph

5622 Commits

Author SHA1 Message Date
Darren Tucker
8b7a055e9a - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from
PAM to sane values in case the PAM method doesn't write to them.  Spotted by
   Bitman Zhou, ok djm@.
2010-08-03 15:50:16 +10:00
Darren Tucker
12b29dbd8a - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more
details about its behaviour WRT existing directories.  Patch from
   asguthrie at gmail com, ok djm.
2010-07-19 21:24:13 +10:00
Damien Miller
bad5e03bfd - schwarze@cvs.openbsd.org 2010/07/15 21:20:38
[ssh-keygen.1]
     repair incorrect block nesting, which screwed up indentation;
     problem reported and fix OK by jmc@
2010-07-16 13:59:59 +10:00
Damien Miller
bcfbc48930 - jmc@cvs.openbsd.org 2010/07/14 17:06:58
[ssh.1]
     finally ssh synopsis looks nice again! this commit just removes a ton of
     hacks we had in place to make it work with old groff;
2010-07-16 13:59:11 +10:00
Damien Miller
ea1651c98e - djm@cvs.openbsd.org 2010/07/13 23:13:16
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c]
     [ssh-rsa.c]
     s/timing_safe_cmp/timingsafe_bcmp/g
2010-07-16 13:58:37 +10:00
Damien Miller
8a0268f1b3 - djm@cvs.openbsd.org 2010/07/13 11:52:06
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
     [packet.c ssh-rsa.c]
     implement a timing_safe_cmp() function to compare memory without leaking
     timing information by short-circuiting like memcmp() and use it for
     some of the more sensitive comparisons (though nothing high-value was
     readily attackable anyway); "looks ok" markus@
2010-07-16 13:57:51 +10:00
Damien Miller
d0244d498b - djm@cvs.openbsd.org 2010/07/12 22:41:13
[ssh.c ssh_config.5]
     expand %h to the hostname in ssh_config Hostname options. While this
     sounds useless, it is actually handy for working with unqualified
     hostnames:

     Host *.*
        Hostname %h
     Host *
        Hostname %h.example.org

     "I like it" markus@
2010-07-16 13:56:43 +10:00
Damien Miller
1f25ab43f4 - djm@cvs.openbsd.org 2010/07/12 22:38:52
[ssh.c]
     Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f")
     for protocol 2. ok markus@
2010-07-16 13:56:23 +10:00
Damien Miller
9308fc7743 - djm@cvs.openbsd.org 2010/07/02 04:32:44
[misc.c]
     unbreak strdelim() skipping past quoted strings, e.g.
     AllowUsers "blah blah" blah
     was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com
     ok dtucker;
2010-07-16 13:56:01 +10:00
Tim Rice
cfbdc28ffe - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpass
(line 77) should have been for no_x11_askpass.
2010-07-14 13:42:28 -07:00
Damien Miller
ab139cde38 - djm@cvs.openbsd.org 2010/06/29 23:59:54
[cert-userkey.sh]
     regress tests for key options in AuthorizedPrincipals
2010-07-02 13:42:18 +10:00
Damien Miller
527ded7f64 - phessler@cvs.openbsd.org 2010/06/27 19:19:56
[Makefile]
     fix how we run the tests so we can successfully use SUDO='sudo -E'
     in our env
2010-07-02 13:40:16 +10:00
Damien Miller
0979b40934 - millert@cvs.openbsd.org 2010/07/01 13:06:59
[scp.c]
     Fix a longstanding problem where if you suspend scp at the
     password/passphrase prompt the terminal mode is not restored.
     OK djm@
2010-07-02 13:37:33 +10:00
Damien Miller
d59dab8353 - jmc@cvs.openbsd.org 2010/06/30 07:28:34
[sshd_config.5]
     tweak previous;
2010-07-02 13:37:17 +10:00
Damien Miller
6022f58e3a - jmc@cvs.openbsd.org 2010/06/30 07:26:03
[ssh-keygen.c]
     sort usage();
2010-07-02 13:37:01 +10:00
Damien Miller
ea72728ffe - jmc@cvs.openbsd.org 2010/06/30 07:24:25
[ssh-keygen.1]
     tweak previous;
2010-07-02 13:35:34 +10:00
Damien Miller
6018a36864 - djm@cvs.openbsd.org 2010/06/29 23:16:46
[auth2-pubkey.c sshd_config.5]
     allow key options (command="..." and friends) in AuthorizedPrincipals;
     ok markus@
2010-07-02 13:35:19 +10:00
Damien Miller
44b2504011 - djm@cvs.openbsd.org 2010/06/29 23:15:30
[ssh-keygen.1 ssh-keygen.c]
     allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
     bz#1749; ok markus@
2010-07-02 13:35:01 +10:00
Damien Miller
b96c441ee2 - djm@cvs.openbsd.org 2010/06/26 23:04:04
[ssh.c]
     oops, forgot to #include <canohost.h>; spotted and patch from chl@
2010-07-02 13:34:24 +10:00
Damien Miller
cede1dbc55 - jmc@cvs.openbsd.org 2010/06/26 00:57:07
[ssh_config.5]
     tweak previous;
2010-07-02 13:33:48 +10:00
Tim Rice
3fd307df5b - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs
key.h.
2010-06-26 16:45:15 -07:00
Damien Miller
1ab6a51f9b - djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c]
     log the hostname and address that we connected to at LogLevel=verbose
     after authentication is successful to mitigate "phishing" attacks by
     servers with trusted keys that accept authentication silently and
     automatically before presenting fake password/passphrase prompts;
     "nice!" markus@
2010-06-26 10:02:24 +10:00
Damien Miller
383ffe6c5f - djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c]
     log the hostname and address that we connected to at LogLevel=verbose
     after authentication is successful to mitigate "phishing" attacks by
     servers with trusted keys that accept authentication silently and
     automatically before presenting fake password/passphrase prompts;
     "nice!" markus@
2010-06-26 10:02:03 +10:00
Damien Miller
bda3ecafca - djm@cvs.openbsd.org 2010/06/25 08:46:17
[auth1.c auth2-none.c]
     skip the initial check for access with an empty password when
     PermitEmptyPasswords=no; bz#1638; ok markus@
2010-06-26 10:01:33 +10:00
Damien Miller
8853ca5fc4 - djm@cvs.openbsd.org 2010/06/25 07:20:04
[channels.c session.c]
     bz#1750: fix requirement for /dev/null inside ChrootDirectory for
     internal-sftp accidentally introduced in r1.253 by removing the code
     that opens and dup /dev/null to stderr and modifying the channels code
     to read stderr but discard it instead; ok markus@
2010-06-26 10:00:14 +10:00
Damien Miller
232cfb1b1d - djm@cvs.openbsd.org 2010/06/25 07:14:46
[channels.c mux.c readconf.c readconf.h ssh.h]
     bz#1327: remove hardcoded limit of 100 permitopen clauses and port
     forwards per direction; ok markus@ stevesk@
2010-06-26 09:50:30 +10:00
Damien Miller
d834d35834 - djm@cvs.openbsd.org 2010/06/23 02:59:02
[ssh-keygen.c]
     fix printing of extensions in v01 certificates that I broke in r1.190
2010-06-26 09:48:02 +10:00
Damien Miller
1b2b61e6f8 - djm@cvs.openbsd.org 2010/06/22 04:59:12
[session.c]
     include the user name on "subsystem request for ..." log messages;
     bz#1571; ok dtucker@
2010-06-26 09:47:43 +10:00
Damien Miller
0e76c5e502 - djm@cvs.openbsd.org 2010/06/22 04:54:30
[ssh-keyscan.c]
     replace verbose and overflow-prone Linebuf code with read_keyfile_line()
     based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@
2010-06-26 09:39:59 +10:00
Damien Miller
48147d6801 - djm@cvs.openbsd.org 2010/06/22 04:49:47
[auth.c]
     queue auth debug messages for bad ownership or permissions on the user's
     keyfiles. These messages will be sent after the user has successfully
     authenticated (where our client will display them with LogLevel=debug).
2010-06-26 09:39:25 +10:00
Damien Miller
ba3420acd2 - djm@cvs.openbsd.org 2010/06/22 04:32:06
[ssh-keygen.c]
     standardise error messages when attempting to open private key
     files to include "progname: filename: error reason"
     bz#1783; ok dtucker@
2010-06-26 09:39:07 +10:00
Damien Miller
ab6de35140 - djm@cvs.openbsd.org 2010/06/22 04:22:59
[servconf.c sshd_config.5]
     expose some more sshd_config options inside Match blocks:
       AuthorizedKeysFile AuthorizedPrincipalsFile
       HostbasedUsesNameFromPacketOnly PermitTunnel
     bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
2010-06-26 09:38:45 +10:00
Damien Miller
495663165f - djm@cvs.openbsd.org 2010/06/18 04:43:08
[sftp-client.c]
     fix memory leak in do_realpath() error path; bz#1771, patch from
     anicka AT suse.cz
2010-06-26 09:38:23 +10:00
Damien Miller
7aa46ec393 - djm@cvs.openbsd.org 2010/06/18 03:16:03
[session.c]
     Missing check for chroot_director == "none" (we already checked against
     NULL); bz#1564 from Jan.Pechanec AT Sun.COM
2010-06-26 09:37:57 +10:00
Damien Miller
99ac4e9546 - djm@cvs.openbsd.org 2010/06/18 00:58:39
[sftp.c]
     unbreak ls in working directories that contains globbing characters in
     their pathnames. bz#1655 reported by vgiffin AT apple.com
2010-06-26 09:36:58 +10:00
Damien Miller
c094d1e481 - djm@cvs.openbsd.org 2010/06/17 07:07:30
[mux.c]
     Correct sizing of object to be allocated by calloc(), replacing
     sizeof(state) with sizeof(*state). This worked by accident since
     the struct contained a single int at present, but could have broken
     in the future. patch from hyc AT symas.com
2010-06-26 09:36:34 +10:00
Damien Miller
4fe686d35f - markus@cvs.openbsd.org 2010/06/08 21:32:19
[ssh-pkcs11.c]
     check length of value returned  C_GetAttributValue for != 0
     from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@
2010-06-26 09:36:10 +10:00
Damien Miller
2e77446a13 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/05/21 05:00:36
     [misc.c]
     colon() returns char*, so s/return (0)/return NULL/
2010-06-26 09:30:47 +10:00
Damien Miller
d82a260fdf - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
bz#1579; ok dtucker
2010-06-22 15:02:39 +10:00
Damien Miller
ea909791c5 - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~
rather than assuming that $CWD == $HOME. bz#1500, patch from
   timothy AT gelter.com
2010-06-18 11:09:24 +10:00
Tim Rice
b9ae4ec556 - (tim) [contrib/cygwin/README] Remove a reference to the obsolete
minires-devel package, and to add the reference to the libedit-devel
   package since CYgwin now provides libedit. Patch from Corinna Vinschen.
2010-06-17 11:11:44 -07:00
Damien Miller
d0e4a8e2e0 - djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
     Move the permit-* options to the non-critical "extensions" field for v01
     certificates. The logic is that if another implementation fails to
     implement them then the connection just loses features rather than fails
     outright.

     ok markus@
2010-05-21 14:58:32 +10:00
Damien Miller
84399555f0 - djm@cvs.openbsd.org 2010/05/20 11:25:26
[auth2-pubkey.c]
     fix logspam when key options (from="..." especially) deny non-matching
     keys; reported by henning@ also bz#1765; ok markus@ dtucker@
2010-05-21 14:58:12 +10:00
Damien Miller
388f6fc485 - markus@cvs.openbsd.org 2010/05/16 12:55:51
[PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c]
     mux support for remote forwarding with dynamic port allocation,
     use with
        LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
     feedback and ok djm@
2010-05-21 14:57:35 +10:00
Damien Miller
d530f5f471 - djm@cvs.openbsd.org 2010/05/14 23:29:23
[channels.c channels.h mux.c ssh.c]
     Pause the mux channel while waiting for reply from aynch callbacks.
     Prevents misordering of replies if new requests arrive while waiting.

     Extend channel open confirm callback to allow signalling failure
     conditions as well as success. Use this to 1) fix a memory leak, 2)
     start using the above pause mechanism and 3) delay sending a success/
     failure message on mux slave session open until we receive a reply from
     the server.

     motivated by and with feedback from markus@
2010-05-21 14:57:10 +10:00
Damien Miller
c6afb5f2c0 - djm@cvs.openbsd.org 2010/05/14 00:47:22
[ssh-add.c]
     check that the certificate matches the corresponding private key before
     grafting it on
2010-05-21 14:56:47 +10:00
Damien Miller
3b903827eb - djm@cvs.openbsd.org 2010/05/11 02:58:04
[auth-rsa.c]
     don't accept certificates marked as "cert-authority" here; ok markus@
2010-05-21 14:56:25 +10:00
Damien Miller
3bcce80b54 - djm@cvs.openbsd.org 2010/05/07 11:31:26
[regress/Makefile regress/cert-userkey.sh]
     regress tests for AuthorizedPrincipalsFile and "principals=" key option.
     feedback and ok markus@
2010-05-21 14:48:16 +10:00
Damien Miller
4b1ec8381b - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older
libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't
   already. ok dtucker@
2010-05-12 17:49:59 +10:00
Darren Tucker
5b6d0d0eba - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
circular dependency problem on old or odd platforms.  From Tom Lane, ok
   djm@.
2010-05-12 16:51:38 +10:00