Commit Graph

5904 Commits

Author SHA1 Message Date
Damien Miller
8f0bf237d4 - djm@cvs.openbsd.org 2011/06/17 21:44:31
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
     make the pre-auth privsep slave log via a socketpair shared with the
     monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 14:42:23 +10:00
Damien Miller
e7ac2bd42a - markus@cvs.openbsd.org 2011/06/14 22:49:18
[authfile.c]
     make sure key_parse_public/private_rsa1() no longer consumes its input
     buffer.  fixes ssh-add for passphrase-protected ssh1-keys;
     noted by naddy@; ok djm@
2011-06-20 14:23:25 +10:00
Damien Miller
6029e076b2 - djm@cvs.openbsd.org 2011/06/04 00:10:26
[ssh_config.5]
     explain IdentifyFile's semantics a little better, prompted by bz#1898
     ok dtucker jmc
2011-06-20 14:22:49 +10:00
Tim Rice
bc481570d1 - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. 2011-06-02 22:26:19 -07:00
Darren Tucker
bf4d05a37c - dtucker@cvs.openbsd.org 2011/06/03 00:29:52
[regress/dynamic-forward.sh]
     Retry establishing the port forwarding after a small delay, should make
     the tests less flaky when the previous test is slow to shut down and free
     up the port.
2011-06-03 14:19:02 +10:00
Darren Tucker
75e035c34e - dtucker@cvs.openbsd.org 2011/05/31 02:03:34
[regress/dynamic-forward.sh]
     work around startup and teardown races; caught by deraadt
2011-06-03 14:18:17 +10:00
Darren Tucker
260c8fbc4d - dtucker@cvs.openbsd.org 2011/05/31 02:01:58
[regress/dynamic-forward.sh]
     back out revs 1.6 and 1.5 since it's not reliable
2011-06-03 14:17:27 +10:00
Darren Tucker
3e78a516a0 - dtucker@cvs.openbsd.org 2011/06/03 01:37:40
[ssh-agent.c]
     Check current parent process ID against saved one to determine if the parent
     has exited, rather than attempting to send a zero signal, since the latter
     won't work if the parent has changed privs.  bz#1905, patch from Daniel Kahn
     Gillmor, ok djm@
2011-06-03 14:14:16 +10:00
Damien Miller
c09182f613 - (djm) [configure.ac] enable setproctitle emulation for OS X 2011-06-03 12:11:38 +10:00
Damien Miller
ea2c1a4dc6 - djm@cvs.openbsd.org 2011/06/03 00:54:38
[ssh.c]
    bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
    AT googlemail.com; ok dtucker@
    NB. includes additional portability code to enable setproctitle emulation
    on platforms that don't support it.
2011-06-03 12:10:22 +10:00
Darren Tucker
c3c7227ccc add missing changelog entry 2011-06-03 11:20:06 +10:00
Tim Rice
90f42b0705 - (tim) [configure.ac defines.h] Run test program to detect system mail
directory. Add --with-maildir option to override. Fixed OpenServer 6
   getting it wrong. Fixed many systems having MAIL=/var/mail//username
   ok dtucker
2011-06-02 18:17:49 -07:00
Darren Tucker
c412c1567b - (dtucker) [README version.h contrib/caldera/openssh.spec
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
   bumps from the 5.8p2 branch into HEAD.  ok djm.
2011-06-03 10:35:23 +10:00
Damien Miller
8cb3587336 - djm@cvs.openbsd.org 2011/05/23 03:31:31
[regress/cfgmatch.sh]
     include testing of multiple/overridden AuthorizedKeysFiles
     refactor to simply daemon start/stop and get rid of racy constructs
2011-05-29 21:59:10 +10:00
Damien Miller
295ee63ab2 - djm@cvs.openbsd.org 2011/05/24 07:15:47
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
     Remove undocumented legacy options UserKnownHostsFile2 and
     GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
     accept multiple paths per line and making their defaults include
     known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller
04bb56ef10 - djm@cvs.openbsd.org 2011/05/23 07:24:57
[authfile.c]
     read in key comments for v.2 keys (though note that these are not
     passed over the agent protocol); bz#439, based on patch from binder
     AT arago.de; ok markus@
2011-05-29 21:42:08 +10:00
Damien Miller
b9132fc427 - jmc@cvs.openbsd.org 2011/05/23 07:10:21
[sshd.8 sshd_config.5]
     tweak previous; ok djm
2011-05-29 21:41:40 +10:00
Damien Miller
201f425d29 - djm@cvs.openbsd.org 2011/05/23 03:52:55
[sshconnect.c]
     remove extra newline
2011-05-29 21:41:03 +10:00
Damien Miller
1dd66e5f74 - djm@cvs.openbsd.org 2011/05/23 03:33:38
[auth.c]
     make secure_filename() spam debug logs less
2011-05-29 21:40:42 +10:00
Damien Miller
d8478b6a9b OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/05/23 03:30:07
     [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
     allow AuthorizedKeysFile to specify multiple files, separated by spaces.
     Bring back authorized_keys2 as a default search path (to avoid breaking
     existing users of this file), but override this in sshd_config so it will
     be no longer used on fresh installs. Maybe in 2015 we can remove it
     entierly :)

     feedback and ok markus@ dtucker@
2011-05-29 21:39:36 +10:00
Damien Miller
acacced70b - dtucker@cvs.openbsd.org 2011/05/20 06:32:30
[dynamic-forward.sh]
     fix dumb error in dynamic-forward test
2011-05-20 19:08:40 +10:00
Damien Miller
7b9451f382 - dtucker@cvs.openbsd.org 2011/05/20 05:19:50
[dynamic-forward.sh]
     Prevent races in dynamic forwarding test; ok djm
2011-05-20 19:08:11 +10:00
Damien Miller
3045b45a03 - djm@cvs.openbsd.org 2011/05/20 02:43:36
[cert-hostkey.sh]
     another attempt to generate a v00 ECDSA key that broke the test
     ID sync only - portable already had this somehow
2011-05-20 19:07:45 +10:00
Damien Miller
f67188fe13 - djm@cvs.openbsd.org 2011/05/17 07:13:31
[regress/cert-userkey.sh]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
2011-05-20 19:06:48 +10:00
Damien Miller
f2e407e2dd - djm@cvs.openbsd.org 2011/05/20 03:25:45
[monitor.c monitor_wrap.c servconf.c servconf.h]
     use a macro to define which string options to copy between configs
     for Match. This avoids problems caused by forgetting to keep three
     code locations in perfect sync and ordering

     "this is at once beautiful and horrible" + ok dtucker@
2011-05-20 19:04:14 +10:00
Damien Miller
c2411909c7 - dtucker@cvs.openbsd.org 2011/05/20 02:00:19
[servconf.c]
     Add comment documenting what should be after the preauth check.  ok djm
2011-05-20 19:03:49 +10:00
Damien Miller
5d74e58e62 - djm@cvs.openbsd.org 2011/05/20 00:55:02
[servconf.c]
     the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
     and AuthorizedPrincipalsFile were not being correctly applied in
     Match blocks, despite being overridable there; ok dtucker@
2011-05-20 19:03:31 +10:00
Damien Miller
8f639fe722 - djm@cvs.openbsd.org 2011/05/17 07:13:31
[key.c]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
2011-05-20 19:03:08 +10:00
Damien Miller
814ace0875 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/05/15 08:09:01
     [authfd.c monitor.c serverloop.c]
     use FD_CLOEXEC consistently; patch from zion AT x96.org
2011-05-20 19:02:47 +10:00
Damien Miller
ec2eaa3daf - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 2011-05-20 18:57:14 +10:00
Damien Miller
989bb7f0c5 - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
options, we should corresponding -W-option when trying to determine
   whether it is accepted.  Also includes a warning fix on the program
   fragment uses (bad main() return type).
   bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
2011-05-20 18:56:30 +10:00
Damien Miller
14684a1f84 - (djm) [session.c] call setexeccon() before executing passwd for pw
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
2011-05-20 11:23:07 +10:00
Damien Miller
23f425b48b - (djm) [packet.c] unbreak portability #endif 2011-05-15 08:58:15 +10:00
Damien Miller
9d276b8d68 - djm@cvs.openbsd.org 2011/05/13 00:05:36
[authfile.c]
     warn on unexpected key type in key_parse_private_type()
2011-05-15 08:51:43 +10:00
Damien Miller
7c1b2c4ea8 - djm@cvs.openbsd.org 2011/05/11 04:47:06
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
     remove support for authorized_keys2; it is a relic from the early days
     of protocol v.2 support and has been undocumented for many years;
     ok markus@
2011-05-15 08:51:05 +10:00
Damien Miller
3219824f2d - djm@cvs.openbsd.org 2011/05/10 05:46:46
[authfile.c]
     despam debug() logs by detecting that we are trying to load a private key
     in key_try_load_public() and returning early; ok markus@
2011-05-15 08:50:32 +10:00
Damien Miller
555f3b856f - djm@cvs.openbsd.org 2011/05/08 12:52:01
[PROTOCOL.mux clientloop.c clientloop.h mux.c]
     improve our behaviour when TTY allocation fails: if we are in
     RequestTTY=auto mode (the default), then do not treat at TTY
     allocation error as fatal but rather just restore the local TTY
     to cooked mode and continue. This is more graceful on devices that
     never allocate TTYs.

     If RequestTTY is set to "yes" or "force", then failure to allocate
     a TTY is fatal.

     ok markus@
2011-05-15 08:48:05 +10:00
Damien Miller
f4b32aad05 - jmc@cvs.openbsd.org 2011/05/07 23:20:25
[ssh.1]
     +.It RequestTTY
2011-05-15 08:47:43 +10:00
Damien Miller
486dd2eadb - jmc@cvs.openbsd.org 2011/05/07 23:19:39
[ssh_config.5]
     - tweak previous
     - come consistency fixes

     ok djm
2011-05-15 08:47:18 +10:00
Damien Miller
c067f62560 - djm@cvs.openbsd.org 2011/05/06 22:20:10
[PROTOCOL.mux]
     fix numbering; from bert.wesarg AT googlemail.com
2011-05-15 08:46:54 +10:00
Damien Miller
a6bbbe4658 - djm@cvs.openbsd.org 2011/05/06 21:38:58
[ssh.c]
     fix dropping from previous diff
2011-05-15 08:46:29 +10:00
Damien Miller
21771e22d3 - djm@cvs.openbsd.org 2011/05/06 21:34:32
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
     Add a RequestTTY ssh_config option to allow configuration-based
     control over tty allocation (like -t/-T); ok markus@
2011-05-15 08:45:50 +10:00
Damien Miller
fe92421772 - djm@cvs.openbsd.org 2011/05/06 21:31:38
[readconf.c ssh_config.5]
     support negated Host matching, e.g.

     Host *.example.org !c.example.org
        User mekmitasdigoat

     Will match "a.example.org", "b.example.org", but not "c.example.org"
     ok markus@
2011-05-15 08:44:45 +10:00
Damien Miller
dfc85fa181 - djm@cvs.openbsd.org 2011/05/06 21:18:02
[ssh.c ssh_config.5]
     add a %L expansion (short-form of the local host name) for ControlPath;
     sync some more expansions with LocalCommand; ok markus@
2011-05-15 08:44:02 +10:00
Damien Miller
d2ac5d74b4 - djm@cvs.openbsd.org 2011/05/06 21:14:05
[packet.c packet.h]
     set traffic class for IPv6 traffic as we do for IPv4 TOS;
     patch from lionel AT mamane.lu via Colin Watson in bz#1855;
     ok markus@
2011-05-15 08:43:13 +10:00
Damien Miller
78c40c321b - djm@cvs.openbsd.org 2011/05/06 02:05:41
[sshconnect2.c]
     fix memory leak; bz#1849 ok dtucker@
2011-05-15 08:36:59 +10:00
Damien Miller
58a77e2eac - djm@cvs.openbsd.org 2011/05/06 01:09:53
[sftp.1]
     mention that IPv6 addresses must be enclosed in square brackets;
     bz#1845
2011-05-15 08:36:29 +10:00
Damien Miller
fd53abd00b - dtucker@cvs.openbsd.org 2011/05/06 01:03:35
[sshd_config]
     clarify language about overriding defaults.  bz#1892, from Petr Cerny
2011-05-15 08:36:02 +10:00
Damien Miller
60432d8cf2 - djm@cvs.openbsd.org 2011/05/05 05:12:08
[mux.c]
     gracefully fall back when ControlPath is too large for a
     sockaddr_un. ok markus@ as part of a larger diff
2011-05-15 08:34:46 +10:00
Darren Tucker
d6548fe4cf - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix
--with-ssl-engine which was broken with the change from deprecated
   SSLeay_add_all_algorithms().  ok djm
2011-05-10 11:13:36 +10:00