RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-01-04 00:32:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
6,757 Commits 69 Branches 157 Tags 27 MiB
ada7e17ae5
Commit Graph

6256 Commits

Author SHA1 Message Date
Damien Miller
276dcfd7f7 - dtucker@cvs.openbsd.org 2012/06/18 11:43:53 
[jpake.c]
     correct sizeof usage.  patch from saw at online.de, ok deraadt
 2012-06-20 21:52:18 +10:00
Damien Miller
2e7decfcc0 - djm@cvs.openbsd.org 2012/06/01 01:01:22 
[mux.c]
     fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg
     AT googlemail.com
 2012-06-20 21:52:00 +10:00
Damien Miller
7f12157c0a - djm@cvs.openbsd.org 2012/06/01 00:49:35 
[PROTOCOL.mux]
     correct types of port numbers (integers, not strings); bz#2004 from
     bert.wesarg AT googlemail.com
 2012-06-20 21:51:29 +10:00
Damien Miller
3bde12aeef - djm@cvs.openbsd.org 2012/05/23 03:28:28 
[dns.c dns.h key.c key.h ssh-keygen.c]
     add support for RFC6594 SSHFP DNS records for ECDSA key types.
     patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
 2012-06-20 21:51:11 +10:00
Damien Miller
ac58ce86e6 - djm@cvs.openbsd.org 2012/01/07 21:11:36 
[mux.c]
     fix double-free in new session handler
     NB. Id sync only
 2012-06-20 21:50:47 +10:00
Damien Miller
140df63e1f - djm@cvs.openbsd.org 2011/12/04 23:16:12 
[mux.c]
     revert:

     > revision 1.32
     > date: 2011/12/02 00:41:56;  author: djm;  state: Exp;  lines: +4 -1
     > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
     > ok dtucker@

     it interacts badly with ControlPersist
 2012-06-20 21:46:57 +10:00
Damien Miller
efc6fc995d - djm@cvs.openbsd.org 2011/12/02 00:41:56 
[mux.c]
     fix bz#1948: ssh -f doesn't fork for multiplexed connection.
     ok dtucker@
 2012-06-20 21:44:56 +10:00
Darren Tucker
ba9ea3200d - dtucker@cvs.openbsd.org 2012/05/19 06:30:30 
[sshd_config.5]
     Document PermitOpen none.  bz#2001, patch from Loganaden Velvindron
 2012-05-19 19:37:33 +10:00
Darren Tucker
fbcf827559 - (dtucker) OpenBSD CVS Sync 
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
     [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
     to match.  Feedback and ok djm@ markus@.
 2012-05-19 19:37:01 +10:00
Darren Tucker
593538911a - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find 
pkg-config so it does the right thing when cross-compiling.  Patch from
   cjwatson at debian org.
 2012-05-19 15:24:37 +10:00
Darren Tucker
d0494fdb29 - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch 
from cjwatson at debian org.
 2012-05-19 14:25:39 +10:00
Darren Tucker
e1a3ddf992 - (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h> 
to fix building on some plaforms.  Fom bowman at math utah edu and
   des at des no.
 2012-05-04 11:05:45 +10:00
Darren Tucker
d0d3fff483 - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6 
platform rather than exiting early, so that we still clean up and return
   status to test-exec.sh
 2012-04-27 10:55:39 +10:00
Damien Miller
025bfd11d9 - (djm) [auth-krb5.c] Save errno across calls that might modify it; 
ok dtucker@
 2012-04-26 09:52:15 +10:00
Damien Miller
7584cb1ac4 - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters 
via Niels
 2012-04-26 09:51:26 +10:00
Damien Miller
ba77e1f673 - djm@cvs.openbsd.org 2012/04/23 08:18:17 
[channels.c]
     fix function proto/source mismatch
 2012-04-23 18:21:05 +10:00
Damien Miller
70b2d5550b - jmc@cvs.openbsd.org 2012/04/20 16:26:22 
[ssh.1]
     use "brackets" instead of "braces", for consistency;
 2012-04-22 11:26:10 +10:00
Damien Miller
4922315d1d - djm@cvs.openbsd.org 2012/04/20 03:24:23 
[sftp.c]
     setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)
 2012-04-22 11:25:47 +10:00
Damien Miller
8fef9ebbab - djm@cvs.openbsd.org 2012/04/12 02:43:55 
[sshd_config sshd_config.5]
     mention AuthorizedPrincipalsFile=none default
 2012-04-22 11:25:10 +10:00
Damien Miller
23528816dc - djm@cvs.openbsd.org 2012/04/12 02:42:32 
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
     VersionAddendum option to allow server operators to append some arbitrary
     text to the SSH-... banner; ok deraadt@ "don't care" markus@
 2012-04-22 11:24:43 +10:00
Damien Miller
839f743464 - djm@cvs.openbsd.org 2012/04/11 13:34:17 
[ssh-keyscan.1 ssh-keyscan.c]
     now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
     look for them by default; bz#1971
 2012-04-22 11:24:21 +10:00
Damien Miller
a116d13c4d - djm@cvs.openbsd.org 2012/04/11 13:26:40 
[sshd.c]
     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
     while; ok deraadt@ markus@
 2012-04-22 11:23:46 +10:00
Damien Miller
9fed161e67 - djm@cvs.openbsd.org 2012/04/11 13:17:54 
[auth.c]
     Support "none" as an argument for AuthorizedPrincipalsFile to indicate
     no file should be read.
 2012-04-22 11:21:43 +10:00
Damien Miller
a6508753db - djm@cvs.openbsd.org 2012/04/11 13:16:19 
[channels.c channels.h clientloop.c serverloop.c]
     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
     while; ok deraadt@ markus@
 2012-04-22 11:21:10 +10:00
Damien Miller
c6081482b2 - dtucker@cvs.openbsd.org 2012/03/29 23:54:36 
[channels.c channels.h servconf.c]
     Add PermitOpen none option based on patch from Loganaden Velvindron
     (bz #1949).  ok djm@
 2012-04-22 11:18:53 +10:00
Damien Miller
48348fc3b4 - djm@cvs.openbsd.org 2012/03/28 07:23:22 
[PROTOCOL.certkeys]
     explain certificate extensions/crit split rationale. Mention requirement
     that each appear at most once per cert.
 2012-04-22 11:08:30 +10:00
Damien Miller
29cd188887 - guenther@cvs.openbsd.org 2012/03/15 03:10:27 
[session.c]
     root should always be excluded from the test for /etc/nologin instead
     of having it always enforced even when marked as ignorenologin.  This
     regressed when the logic was incompletely flipped around in rev 1.251
     ok halex@ millert@
 2012-04-22 11:08:10 +10:00
Damien Miller
a563cced06 - djm@cvs.openbsd.org 2012/02/29 11:21:26 
[ssh-keygen.c]
     allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
 2012-04-22 11:07:28 +10:00
Damien Miller
d5dacb43fa - (djm) Release openssh-6.0 2012-04-20 15:01:01 +10:00
Damien Miller
bf2304167b - (djm) [README] Update URL to release notes. 2012-04-20 14:11:04 +10:00
Damien Miller
8beb320390 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
[contrib/suse/openssh.spec] Update for release 6.0
 2012-04-20 10:58:34 +10:00
Damien Miller
398c0ffe0e - (djm) [configure.ac] Fix compilation error on FreeBSD, whose libutil 
contains openpty() but not login()
 2012-04-19 21:46:35 +10:00
Damien Miller
e0956e3834 - (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox 
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
   and ok dtucker@
 2012-04-04 11:27:54 +10:00
Damien Miller
ce1ec9d4e2 - (djm) [openbsd-compat/bsd-cygwin_util.h] #undef _WIN32 to avoid incorrect 
assumptions when building on Cygwin; patch from Corinna Vinschen
 2012-03-30 14:07:05 +11:00
Damien Miller
4d55734c16 - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running 
openssh binaries on a newer fix release than they were compiled on.
   with and ok dtucker@
 2012-03-30 11:34:27 +11:00
Darren Tucker
67ccc86506 - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING 
file from spec file.  From crighter at nuclioss com.
 2012-03-30 10:19:56 +11:00
Damien Miller
54c38d24c6 - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6 
addressed connections. ok dtucker@
 2012-03-09 10:28:07 +11:00
Damien Miller
7bf7b889b3 - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux 
systems where sshd is run in te wrong context. Patch from Sven
   Vermeulen; ok dtucker@
 2012-03-09 10:25:16 +11:00
Darren Tucker
93a2d41505 - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM 
audit breakage in Solaris 11.  Patch from Magnus Johansson.
 2012-02-24 10:40:41 +11:00
Tim Rice
a3f297de91 - (tim) [regress/keytype.sh] stderr redirection needs to be inside back quote 
to work. Spotted by Angel Gonzalez
 2012-02-14 23:01:42 -08:00
Tim Rice
f79b5d38a1 - (tim) [defines.h] move chunk introduced in 1.125 before MAXPATHLEN so 
it actually works.
 2012-02-14 20:13:05 -08:00
Tim Rice
e3609c935c - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for 
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
   ok dtucker@
 2012-02-14 10:03:30 -08:00
Damien Miller
7b7901c330 - (djm) [openbsd-compat/bsd-cygwin_util.c] Add PROGRAMFILES to list of 
preserved Cygwin environment variables; from Corinna Vinschen
 2012-02-14 06:38:36 +11:00
Damien Miller
db854559be - markus@cvs.openbsd.org 2012/02/09 20:00:18 
[version.h]
     move from 6.0-beta to 6.0
 2012-02-11 08:19:44 +11:00
Damien Miller
72de982def - markus@cvs.openbsd.org 2012/01/25 19:40:09 
[packet.c packet.h]
     packet_read_poll() is not used anymore.
 2012-02-11 08:19:21 +11:00
Damien Miller
5d0077008f - markus@cvs.openbsd.org 2012/01/25 19:36:31 
[authfile.c]
     memleak in key_load_file(); from Jan Klemkow
 2012-02-11 08:19:02 +11:00
Damien Miller
1de2cfe9a9 - markus@cvs.openbsd.org 2012/01/25 19:26:43 
[packet.c]
     do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
     ok dtucker@, djm@
 2012-02-11 08:18:43 +11:00
Damien Miller
8d60be5487 - dtucker@cvs.openbsd.org 2012/01/18 21:46:43 
[clientloop.c]
     Ensure that $DISPLAY contains only valid characters before using it to
     extract xauth data so that it can't be used to play local shell
     metacharacter games.  Report from r00t_ati at ihteam.net, ok markus.
 2012-02-11 08:18:17 +11:00
Damien Miller
fb12c6d8bb - miod@cvs.openbsd.org 2012/01/16 20:34:09 
[ssh-pkcs11-client.c]
     Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
     While there, be sure to buffer_clear() between send_msg() and recv_msg().
     ok markus@
 2012-02-11 08:17:52 +11:00
Damien Miller
83ba8e6056 - miod@cvs.openbsd.org 2012/01/08 13:17:11 
[ssh-ecdsa.c]
     Fix memory leak in ssh_ecdsa_verify(); from Loganaden Velvindron,
     ok markus@
 2012-02-11 08:17:27 +11:00
Damien Miller
2ec0342ed4 - djm@cvs.openbsd.org 2012/01/07 21:11:36 
[mux.c]
     fix double-free in new session handler
 2012-02-11 08:16:28 +11:00
Damien Miller
a2876db5e6 - djm@cvs.openbsd.org 2012/01/05 00:16:56 
[monitor.c]
     memleak on error path
 2012-02-11 08:16:06 +11:00
Damien Miller
b56e4930ae - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms 
that don't support ECC. Patch from Phil Oleson
 2012-02-06 07:41:27 +11:00
Darren Tucker
e9b3ad73ba - (dtucker) [configure.ac mac.c openbsd-compat/openssl-compat.h] Add 
null implementation of HMAC_CTX_init for the benefit of old versions
   of OpenSSL that don't have it.
 2012-01-17 14:03:34 +11:00
Damien Miller
8ed4de8f1d - djm@cvs.openbsd.org 2011/12/07 05:44:38 
[auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
     fix some harmless and/or unreachable int overflows;
     reported Xi Wang, ok markus@
 2011-12-19 10:52:50 +11:00
Damien Miller
913ddff40d - djm@cvs.openbsd.org 2011/12/04 23:16:12 
[mux.c]
     revert:
     > revision 1.32
     > date: 2011/12/02 00:41:56;  author: djm;  state: Exp;  lines: +4 -1
     > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
     > ok dtucker@
     it interacts badly with ControlPersist
 2011-12-19 10:52:21 +11:00
Damien Miller
d0e582c6da - djm@cvs.openbsd.org 2011/12/02 00:43:57 
[mac.c]
     fix bz#1934: newer OpenSSL versions will require HMAC_CTX_Init before
     HMAC_init (this change in policy seems insane to me)
     ok dtucker@
 2011-12-19 10:51:39 +11:00
Damien Miller
5360dff2a0 - djm@cvs.openbsd.org 2011/12/02 00:41:56 
[mux.c]
     fix bz#1948: ssh -f doesn't fork for multiplexed connection.
     ok dtucker@
 2011-12-19 10:51:11 +11:00
Damien Miller
47d8115e53 - oga@cvs.openbsd.org 2011/11/16 12:24:28 
[sftp.c]
     Don't leak list in complete_cmd_parse if there are no commands found.
     Discovered when I was ``borrowing'' this code for something else.
     ok djm@
 2011-11-25 13:53:48 +11:00
Darren Tucker
4a725ef6a5 - (dtucker) [configure.ac] Set _FORTIFY_SOURCE. ok djm@ 2011-11-21 16:38:48 +11:00
Darren Tucker
aa3cbd1b5b - (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in 
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
   bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
   which supports DNSSEC.  Patch from Simon Vallet (svallet at genoscope cns fr)
   with some rework from myself and djm.  ok djm.
 2011-11-04 11:25:24 +11:00
Darren Tucker
be4032ba1e - dtucker@cvs.openbsd.org 011/11/04 00:09:39 
[moduli]
     regenerated moduli file; ok deraadt
 2011-11-04 11:16:06 +11:00
Darren Tucker
9c5d553d58 - djm@cvs.openbsd.org 2011/10/24 02:13:13 
[session.c]
     bz#1859: send tty break to pty master instead of (probably already
     closed) slave side; "looks good" markus@
 2011-11-04 10:55:24 +11:00
Darren Tucker
2d6665d944 - djm@cvs.openbsd.org 2011/10/24 02:10:46 
[ssh.c]
     bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh
     was incorrectly requesting the forward in both the control master and
     slave. skip requesting it in the master to fix. ok markus@
 2011-11-04 10:54:22 +11:00
Darren Tucker
8a057953d2 - djm@cvs.openbsd.org 2011/10/19 10:39:48 
[umac.c]
     typo in comment; patch from Michael W. Bombardieri
 2011-11-04 10:53:31 +11:00
Darren Tucker
9ee09cfce6 - djm@cvs.openbsd.org 2011/10/19 00:06:10 
[moduli.c]
     s/tmpfile/tmp/ to make this -Wshadow clean
 2011-11-04 10:52:43 +11:00
Darren Tucker
e68cf84ac8 - djm@cvs.openbsd.org 2011/10/18 23:37:42 
[ssh-add.c]
     add -k to usage(); reminded by jmc@
 2011-11-04 10:51:51 +11:00
Darren Tucker
45c66d7ad4 - djm@cvs.openbsd.org 2011/10/18 05:15:28 
[ssh.c]
     ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
 2011-11-04 10:50:40 +11:00
Darren Tucker
9f157abbb6 - (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file 
fails.  Patch from Corinna Vinschen.
 2011-10-25 09:37:57 +11:00
Damien Miller
8f4279e4ab - djm@cvs.openbsd.org 2011/10/18 05:00:48 
[ssh-add.1 ssh-add.c]
     new "ssh-add -k" option to load plain keys (skipping certificates);
     "looks ok" markus@
 2011-10-18 16:06:33 +11:00
Damien Miller
c51a5ab2c6 - djm@cvs.openbsd.org 2011/10/18 04:58:26 
[auth-options.c key.c]
     remove explict search for \0 in packet strings, this job is now done
     implicitly by buffer_get_cstring; ok markus
 2011-10-18 16:06:14 +11:00
Damien Miller
91f3eaec88 - stsp@cvs.openbsd.org 2011/10/16 15:51:39 
[moduli.c]
     add missing includes to unbreak tree; fix from rpointel
 2011-10-18 16:05:55 +11:00
Damien Miller
927d82bc6a - jmc@cvs.openbsd.org 2011/10/16 15:02:41 
[ssh-keygen.c]
     put -K in the right place (usage());
 2011-10-18 16:05:38 +11:00
Damien Miller
390d0561fc - dtucker@cvs.openbsd.org 2011/10/16 11:02:46 
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add optional checkpoints for moduli screening.  feedback & ok deraadt
 2011-10-18 16:05:19 +11:00
Damien Miller
d3e6990c4c - djm@cvs.openbsd.org 2011/10/04 14:17:32 
[sftp-glob.c]
     silence error spam for "ls */foo" in directory with files; bz#1683
 2011-10-18 16:04:57 +11:00
Darren Tucker
2e13560ff5 - djm@cvs.openbsd.org 2011/09/30 21:22:49 
[sshd.c]
     fix inverted test that caused logspam; spotted by henning@
 2011-10-02 19:10:13 +11:00
Darren Tucker
95125e5f43 ChangeLog entry for sshd.c rev 1.409 2011-10-02 19:09:07 +11:00
Darren Tucker
af1a60ec4f - djm@cvs.openbsd.org 2011/09/25 05:44:47 
[auth2-pubkey.c]
     improve the AuthorizedPrincipalsFile debug log message to include
     file and line number
 2011-10-02 18:59:59 +11:00
Darren Tucker
68afb8c5f2 - markus@cvs.openbsd.org 2011/09/23 07:45:05 
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c     version.h]
     unbreak remote portforwarding with dynamic allocated listen ports:
     1) send the actual listen port in the open message (instead of 0).
        this allows multiple forwardings with a dynamic listen port
     2) update the matching permit-open entry, so we can identify where
        to connect to
     report: den at skbkontur.ru and P. Szczygielski
     feedback and ok djm@
 2011-10-02 18:59:03 +11:00
Darren Tucker
1338b9e067 - dtucker@cvs.openbsd.org 2011/09/23 00:22:04 
[channels.c auth-options.c servconf.c channels.h sshd.8]
     Add wildcard support to PermitOpen, allowing things like "PermitOpen
     localhost:*".  bz #1857, ok djm markus.
 2011-10-02 18:57:35 +11:00
Darren Tucker
036876cd7d - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm 2011-10-01 18:46:12 +10:00
Darren Tucker
b54f50e5d0 - (dtucker) [configure.ac openbsd-compat/Makefile.in 
openbsd-compat/strnlen.c] Add strnlen to the compat library.
 2011-09-29 23:17:18 +10:00
Damien Miller
5ffe1c4b43 - (djm) [configure.ac defines.h] No need to detect sizeof(char); patch 
from des AT des.no
 2011-09-29 11:11:51 +10:00
Damien Miller
d1a74580f8 - (djm) [openbsd-compat/setenv.c] Forklift upgrade, including inclusion 
of static __findenv() function from upstream setenv.c
 2011-09-23 11:26:34 +10:00
Damien Miller
3e6fe87ef9 - otto@cvs.openbsd.org 2008/12/09 19:38:38 
[openbsd-compat/inet_ntop.c]
     fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon
 2011-09-23 11:16:09 +10:00
Damien Miller
64efe9671d - (djm) [openbsd-compat/sha2.c openbsd-compat/sha2.h] Remove OpenBSD rcsid 
marker. The upstream API has changed (function and structure names)
   enough to put it out of sync with other providers of this interface.
 2011-09-23 11:13:00 +10:00
Damien Miller
4888671343 - (djm) [openbsd-compat/mktemp.c] forklift upgrade to -current version. 
The file was totally rewritten between what we had in tree and -current.
 2011-09-23 10:56:29 +10:00
Damien Miller
3a359b3228 - millert@cvs.openbsd.org 2008/08/21 16:54:44 
[mktemp.c]
     Remove useless code, the kernel will set errno appropriately if an
     element in the path does not exist.  OK deraadt@ pvalchev@
 2011-09-23 10:47:29 +10:00
Damien Miller
dc0e09b41c - deraadt@cvs.openbsd.org 2008/07/22 21:47:45 
[mktemp.c]
     use arc4random_uniform(); ok djm millert
 2011-09-23 10:46:48 +10:00
Damien Miller
cd92790fcb - (djm) [openbsd-compat/getgrouplist.c] Remove OpenBSD rcsid marker: the 
upstream version is YPified and we don't want this
 2011-09-23 10:44:03 +10:00
Damien Miller
834e820317 - tobias@cvs.openbsd.org 2007/10/21 11:09:30 
[mktemp.c]
     Comment fix about time consumption of _gettemp.
     FreeBSD did this in revision 1.20.
     OK deraadt@, krw@
 2011-09-23 10:42:02 +10:00
Damien Miller
acdf3fbdba - (djm) [openbsd-compat/getcwd.c] Remove OpenBSD rcsid marker since we no 
longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
   want this longhand version)
 2011-09-23 10:40:50 +10:00
Damien Miller
add1e20802 - millert@cvs.openbsd.org 2006/05/05 15:27:38 
[strlcpy.c]
     Convert do {} while loop -> while {} for clarity.  No binary change
     on most architectures.  From Oliver Smith.  OK deraadt@ and henning@
 2011-09-23 10:38:01 +10:00
Damien Miller
d7be70d052 - djm@cvs.openbsd.org 2011/09/22 06:29:03 
[sftp.c]
     don't let remote_glob() implicitly sort its results in do_globbed_ls() -
     in all likelihood, they will be resorted anyway
 2011-09-22 21:43:06 +10:00
Damien Miller
57c38ac7d5 - markus@cvs.openbsd.org 2011/09/12 08:46:15 
[sftp-client.c]
     fix leak in do_lsreaddir(); ok djm
 2011-09-22 21:42:45 +10:00
Damien Miller
3decdba425 - markus@cvs.openbsd.org 2011/09/11 16:07:26 
[sftp-client.c]
     fix leaks in do_hardlink() and do_readlink(); bz#1921
     from Loganaden Velvindron
 2011-09-22 21:41:05 +10:00
Damien Miller
1bcbd0a9de - okan@cvs.openbsd.org 2011/09/11 06:59:05 
[ssh.1]
     document new -O cancel command; ok djm@
 2011-09-22 21:40:45 +10:00
Damien Miller
ff773644e6 - markus@cvs.openbsd.org 2011/09/10 22:26:34 
[channels.c channels.h clientloop.c ssh.1]
     support cancellation of local/dynamic forwardings from ~C commandline;
     ok & feedback djm@
 2011-09-22 21:39:48 +10:00
Damien Miller
f6dff7cd2f - djm@cvs.openbsd.org 2011/09/09 22:46:44 
[channels.c channels.h clientloop.h mux.c ssh.c]
     support for cancelling local and remote port forwards via the multiplex
     socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
     the cancellation of the specified forwardings; ok markus@
 2011-09-22 21:38:52 +10:00
Damien Miller
9ee2c606c1 - djm@cvs.openbsd.org 2011/09/09 22:38:21 
[sshd.c]
     kill the preauth privsep child on fatal errors in the monitor;
     ok markus@
 2011-09-22 21:38:30 +10:00
Damien Miller
0603d98b4e - djm@cvs.openbsd.org 2011/09/09 22:37:01 
[scp.c]
     suppress adding '--' to remote commandlines when the first argument
     does not start with '-'. saves breakage on some difficult-to-upgrade
     embedded/router platforms; feedback & ok dtucker ok markus
 2011-09-22 21:38:00 +10:00
Damien Miller
4cb855b070 - djm@cvs.openbsd.org 2011/09/09 00:44:07 
[PROTOCOL.mux]
     MUX_C_CLOSE_FWD includes forward type in message (though it isn't
     implemented anyway)
 2011-09-22 21:37:38 +10:00
Damien Miller
f6e758cdba - djm@cvs.openbsd.org 2011/09/09 00:43:00 
[ssh_config.5 sshd_config.5]
     fix typo in IPQoS parsing: there is no "AF14" class, but there is
     an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
 2011-09-22 21:37:13 +10:00
Damien Miller
6232a16a9a - deraadt@cvs.openbsd.org 2011/09/07 02:18:31 
[ssh-keygen.1]
     typo (they vs the) found by Lawrence Teo
 2011-09-22 21:36:00 +10:00
Damien Miller
e029673f1f - jmc@cvs.openbsd.org 2011/09/05 07:01:44 
[scp.1]
     knock out a useless Ns;
 2011-09-22 21:34:56 +10:00
Damien Miller
2918e030fc - djm@cvs.openbsd.org 2011/09/05 05:59:08 
[misc.c]
     fix typo in IPQoS parsing: there is no "AF14" class, but there is
     an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
 2011-09-22 21:34:35 +10:00
Damien Miller
e577772a89 - djm@cvs.openbsd.org 2011/09/05 05:56:13 
[scp.1 sftp.1]
     mention ControlPersist and KbdInteractiveAuthentication in the -o
     verbiage in these pages too (prompted by jmc@)
 2011-09-22 21:34:15 +10:00
Damien Miller
efad727517 - djm@cvs.openbsd.org 2011/08/26 01:45:15 
[ssh.1]
     Add some missing ssh_config(5) options that can be used in ssh(1)'s
     -o argument. Patch from duclare AT guu.fi
 2011-09-22 21:33:53 +10:00
Damien Miller
e128a50e35 - djm@cvs.openbsd.org 2011/09/22 06:27:29 
[glob.c]
     fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
     applied only to the gl_pathv vector and not the corresponding gl_statv
     array. reported in OpenSSH bz#1935; feedback and okay matthew@
 2011-09-22 21:22:21 +10:00
Damien Miller
c4bf7dde92 - stsp@cvs.openbsd.org 2011/09/20 10:18:46 
[glob.c]
     In glob(3), limit recursion during matching attempts. Similar to
     fnmatch fix. Also collapse consecutive '*' (from NetBSD).
     ok miod deraadt
 2011-09-22 21:21:48 +10:00
Damien Miller
e01a627047 - pyr@cvs.openbsd.org 2011/05/12 07:15:10 
[openbsd-compat/glob.c]
     When the max number of items for a directory has reached GLOB_LIMIT_READDIR
     an error is returned but closedir() is not called.
     spotted and fix provided by Frank Denis obsd-tech@pureftpd.org
     ok otto@, millert@
 2011-09-22 21:20:21 +10:00
Darren Tucker
e8a82c5faf - (dtucker) [entropy.h] Bug #1932: remove old definition of init_rng. From 
Colin Watson.
 2011-09-09 11:29:40 +10:00
Damien Miller
022ee24197 - (djm) [contrib/redhat/openssh.spec] Correct restorcon => restorecon 2011-09-07 09:15:02 +10:00
Damien Miller
fb9d8173f0 - (djm) [README version.h] Correct version 2011-09-07 09:11:53 +10:00
Damien Miller
8e4a71e952 - (djm) Release OpenSSH-5.9 2011-09-05 15:39:20 +10:00
Damien Miller
86dcd3e45a - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
[contrib/suse/openssh.spec] Update version numbers.
 2011-09-05 10:29:04 +10:00
Darren Tucker
0dd24e02ec - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations 
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
 2011-09-04 19:59:26 +10:00
Damien Miller
6efd94f32e - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal 
regress errors for the sandbox to warnings. ok tim dtucker
 2011-09-04 19:04:16 +10:00
Damien Miller
58ac11a2bd - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting 
to switch SELinux context away from unconfined_t, based on patch from
   Jan Chadima; bz#1919 ok dtucker@
 2011-08-29 16:09:52 +10:00
Darren Tucker
4438354870 - (dtucker) [auth-skey.c] Add log.h to fix build --with-skey. 2011-08-28 04:50:16 +10:00
Tim Rice
a6e60616be - (tim) [configure.ac] Typo in error message spotted by Andy Tsouladze 2011-08-17 21:48:22 -07:00
Damien Miller
2df1bec086 - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 
MAC tests for platforms that hack EVP_SHA2 support
 2011-08-17 12:25:46 +10:00
Damien Miller
062fa30532 - djm@cvs.openbsd.org 2011/08/02 01:23:41 
[regress/cipher-speed.sh regress/try-ciphers.sh]
     add SHA256/SHA512 based HMAC modes
 2011-08-17 12:10:02 +10:00
Damien Miller
faf4d80420 - markus@cvs.openbsd.org 2011/06/30 22:44:43 
[connect-privsep.sh]
     test with sandbox enabled; ok djm@
 2011-08-17 12:09:19 +10:00
Damien Miller
9231c8bde4 - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 
[regress/cfgmatch.sh]
     use OBJ to find test configs, patch from Tim Rice
 2011-08-17 12:08:15 +10:00
Damien Miller
44a6c9340a - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by 
bisson AT archlinux.org
 2011-08-17 12:01:44 +10:00
Damien Miller
1a91c0f163 - (djm) [configure.ac] error out if the host lacks the necessary bits for 
an explicitly requested sandbox type
 2011-08-17 11:59:25 +10:00
Damien Miller
9c08312968 - (djm) [ openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] 
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
 2011-08-17 11:31:07 +10:00
Tim Rice
a1226828ad - (tim) [mac.c myproposal.h] Wrap SHA256 and SHA512 in ifdefs for 
OpenSSL 0.9.7. ok djm
 2011-08-16 17:29:01 -07:00
Damien Miller
d1eb1dd5ed - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to the 
identify file contained whitespace. bz#1828 patch from gwenael.lambrouin
   AT gmail.com; ok dtucker@
 2011-08-12 11:22:47 +10:00
Damien Miller
2db9977c06 - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init] 
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES
   init scrips from imorgan AT nas.nasa.gov
 2011-08-12 11:02:35 +10:00
Darren Tucker
4d47ec9c89 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context 
change error by reporting old and new context names  Patch from
   jchadima at redhat.
 2011-08-12 10:12:53 +10:00
Darren Tucker
ddccfb4b98 - dtucker@cvs.openbsd.org 2011/08/07 12:55:30 
[sftp.1]
     typo, fix from Laurent Gautrot
 2011-08-07 23:12:26 +10:00
Darren Tucker
91e6b57729 - jmc@cvs.openbsd.org 2010/10/14 20:41:28 
[moduli.5]
     probabalistic -> probabilistic; from naddy
 2011-08-07 23:10:56 +10:00
Darren Tucker
f279474f1b - sobrado@cvs.openbsd.org 2009/10/28 08:56:54 
[moduli.5]
     "Diffie-Hellman" is the usual spelling for the cryptographic protocol
     first published by Whitfield Diffie and Martin Hellman in 1976.
     ok jmc@
 2011-08-07 23:10:11 +10:00
Darren Tucker
578451ddda - (dtucker) OpenBSD CVS Sync 
- jmc@cvs.openbsd.org 2008/06/26 06:59:39
     [moduli.5]
     tweak previous;
 2011-08-07 23:09:20 +10:00
Damien Miller
765f8c4eff - djm@cvs.openbsd.org 2011/08/02 23:15:03 
[ssh.c]
     typo in comment
 2011-08-06 06:18:16 +10:00
Damien Miller
c471860d25 - djm@cvs.openbsd.org 2011/08/02 23:13:01 
[version.h]
     crank now, release later
 2011-08-06 06:17:48 +10:00
Damien Miller
20bd4535c0 - djm@cvs.openbsd.org 2011/08/02 01:22:11 
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     Add new SHA256 and SHA512 based HMAC modes from
     http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
     Patch from mdb AT juniper.net; feedback and ok markus@
 2011-08-06 06:17:30 +10:00
Damien Miller
adb467fb69 - markus@cvs.openbsd.org 2011/08/01 19:18:15 
[gss-serv.c]
     prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
     report Adam Zabrock; ok djm@, deraadt@
 2011-08-06 06:16:46 +10:00
Damien Miller
35e48198a8 - djm@cvs.openbsd.org 2011/07/29 14:42:45 
[sandbox-systrace.c]
     fail open(2) with EPERM rather than SIGKILLing the whole process. libc
     will call open() to do strerror() when NLS is enabled;
     feedback and ok markus@
 2011-08-06 06:16:23 +10:00
Damien Miller
6ea5e44871 - tedu@cvs.openbsd.org 2011/07/06 18:09:21 
[authfd.c]
     bzero the agent address.  the kernel was for a while very cranky about
     these things.  evne though that's fixed, always good to initialize
     memory.  ok deraadt djm
 2011-08-06 06:16:00 +10:00
Damien Miller
7741ce8bd2 - djm@cvs.openbsd.org 2011/06/23 23:35:42 
[monitor.c]
     ignore EINTR errors from poll()
 2011-08-06 06:15:15 +10:00
Damien Miller
cd5e52ee78 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for 
Darwin/OS X using sandbox_init() + setrlimit(); feedback and testing
   markus@
 2011-06-27 07:18:18 +10:00
Damien Miller
dcbd41e7af - djm@cvs.openbsd.org 2011/06/23 09:34:13 
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
     [sandbox-null.c]
     rename sandbox.h => ssh-sandbox.h to make things easier for portable
 2011-06-23 19:45:51 +10:00
Damien Miller
80b62e3738 - (djm) [sandbox-null.c] Dummy sandbox for platforms that don't support 
setrlimit(2)
 2011-06-23 19:03:18 +10:00
Damien Miller
6d7b4377dd - djm@cvs.openbsd.org 2011/06/22 22:08:42 
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
     hook up a channel confirm callback to warn the user then requested X11
     forwarding was refused by the server; ok markus@
 2011-06-23 08:31:57 +10:00
Damien Miller
69ff1df952 - djm@cvs.openbsd.org 2011/06/22 21:57:01 
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
     [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
     introduce sandboxing of the pre-auth privsep child using systrace(4).

     This introduces a new "UsePrivilegeSeparation=sandbox" option for
     sshd_config that applies mandatory restrictions on the syscalls the
     privsep child can perform. This prevents a compromised privsep child
     from being used to attack other hosts (by opening sockets and proxying)
     or probing local kernel attack surface.

     The sandbox is implemented using systrace(4) in unsupervised "fast-path"
     mode, where a list of permitted syscalls is supplied. Any syscall not
     on the list results in SIGKILL being sent to the privsep child. Note
     that this requires a kernel with the new SYSTR_POLICY_KILL option.

     UsePrivilegeSeparation=sandbox will become the default in the future
     so please start testing it now.

     feedback dtucker@; ok markus@
 2011-06-23 08:30:03 +10:00
Damien Miller
82c558761d - OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2011/06/22 21:47:28
     [servconf.c]
     reuse the multistate option arrays to pretty-print options for "sshd -T"
 2011-06-23 08:20:30 +10:00
Damien Miller
4ac99c366c - djm@cvs.openbsd.org 2011/06/17 21:57:25 
[clientloop.c]
     setproctitle for a mux master that has been gracefully stopped;
     bz#1911 from Bert.Wesarg AT googlemail.com
 2011-06-20 14:43:31 +10:00
Damien Miller
33322127ec - djm@cvs.openbsd.org 2011/06/17 21:47:35 
[servconf.c]
     factor out multi-choice option parsing into a parse_multistate label
     and some support structures; ok dtucker@
 2011-06-20 14:43:11 +10:00
Damien Miller
f145a5be1c - djm@cvs.openbsd.org 2011/06/17 21:46:16 
[sftp-server.c]
     the protocol version should be unsigned; bz#1913 reported by mb AT
     smartftp.com
 2011-06-20 14:42:51 +10:00
Damien Miller
8f0bf237d4 - djm@cvs.openbsd.org 2011/06/17 21:44:31 
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
     make the pre-auth privsep slave log via a socketpair shared with the
     monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
 2011-06-20 14:42:23 +10:00
Damien Miller
e7ac2bd42a - markus@cvs.openbsd.org 2011/06/14 22:49:18 
[authfile.c]
     make sure key_parse_public/private_rsa1() no longer consumes its input
     buffer.  fixes ssh-add for passphrase-protected ssh1-keys;
     noted by naddy@; ok djm@
 2011-06-20 14:23:25 +10:00
Damien Miller
6029e076b2 - djm@cvs.openbsd.org 2011/06/04 00:10:26 
[ssh_config.5]
     explain IdentifyFile's semantics a little better, prompted by bz#1898
     ok dtucker jmc
 2011-06-20 14:22:49 +10:00
Tim Rice
bc481570d1 - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. 2011-06-02 22:26:19 -07:00
Darren Tucker
bf4d05a37c - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 
[regress/dynamic-forward.sh]
     Retry establishing the port forwarding after a small delay, should make
     the tests less flaky when the previous test is slow to shut down and free
     up the port.
 2011-06-03 14:19:02 +10:00
Darren Tucker
75e035c34e - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 
[regress/dynamic-forward.sh]
     work around startup and teardown races; caught by deraadt
 2011-06-03 14:18:17 +10:00
Darren Tucker
260c8fbc4d - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 
[regress/dynamic-forward.sh]
     back out revs 1.6 and 1.5 since it's not reliable
 2011-06-03 14:17:27 +10:00
Darren Tucker
3e78a516a0 - dtucker@cvs.openbsd.org 2011/06/03 01:37:40 
[ssh-agent.c]
     Check current parent process ID against saved one to determine if the parent
     has exited, rather than attempting to send a zero signal, since the latter
     won't work if the parent has changed privs.  bz#1905, patch from Daniel Kahn
     Gillmor, ok djm@
 2011-06-03 14:14:16 +10:00
Damien Miller
c09182f613 - (djm) [configure.ac] enable setproctitle emulation for OS X 2011-06-03 12:11:38 +10:00
Damien Miller
ea2c1a4dc6 - djm@cvs.openbsd.org 2011/06/03 00:54:38 
[ssh.c]
    bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
    AT googlemail.com; ok dtucker@
    NB. includes additional portability code to enable setproctitle emulation
    on platforms that don't support it.
 2011-06-03 12:10:22 +10:00
Darren Tucker
c3c7227ccc add missing changelog entry 2011-06-03 11:20:06 +10:00
Tim Rice
90f42b0705 - (tim) [configure.ac defines.h] Run test program to detect system mail 
directory. Add --with-maildir option to override. Fixed OpenServer 6
   getting it wrong. Fixed many systems having MAIL=/var/mail//username
   ok dtucker
 2011-06-02 18:17:49 -07:00
Darren Tucker
c412c1567b - (dtucker) [README version.h contrib/caldera/openssh.spec 
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
   bumps from the 5.8p2 branch into HEAD.  ok djm.
 2011-06-03 10:35:23 +10:00
Damien Miller
8cb3587336 - djm@cvs.openbsd.org 2011/05/23 03:31:31 
[regress/cfgmatch.sh]
     include testing of multiple/overridden AuthorizedKeysFiles
     refactor to simply daemon start/stop and get rid of racy constructs
 2011-05-29 21:59:10 +10:00
Damien Miller
295ee63ab2 - djm@cvs.openbsd.org 2011/05/24 07:15:47 
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
     Remove undocumented legacy options UserKnownHostsFile2 and
     GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
     accept multiple paths per line and making their defaults include
     known_hosts2; ok markus
 2011-05-29 21:42:31 +10:00
Damien Miller
04bb56ef10 - djm@cvs.openbsd.org 2011/05/23 07:24:57 
[authfile.c]
     read in key comments for v.2 keys (though note that these are not
     passed over the agent protocol); bz#439, based on patch from binder
     AT arago.de; ok markus@
 2011-05-29 21:42:08 +10:00
Damien Miller
b9132fc427 - jmc@cvs.openbsd.org 2011/05/23 07:10:21 
[sshd.8 sshd_config.5]
     tweak previous; ok djm
 2011-05-29 21:41:40 +10:00
Damien Miller
201f425d29 - djm@cvs.openbsd.org 2011/05/23 03:52:55 
[sshconnect.c]
     remove extra newline
 2011-05-29 21:41:03 +10:00
Damien Miller
1dd66e5f74 - djm@cvs.openbsd.org 2011/05/23 03:33:38 
[auth.c]
     make secure_filename() spam debug logs less
 2011-05-29 21:40:42 +10:00
Damien Miller
d8478b6a9b OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2011/05/23 03:30:07
     [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
     allow AuthorizedKeysFile to specify multiple files, separated by spaces.
     Bring back authorized_keys2 as a default search path (to avoid breaking
     existing users of this file), but override this in sshd_config so it will
     be no longer used on fresh installs. Maybe in 2015 we can remove it
     entierly :)

     feedback and ok markus@ dtucker@
 2011-05-29 21:39:36 +10:00
Damien Miller
acacced70b - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 
[dynamic-forward.sh]
     fix dumb error in dynamic-forward test
 2011-05-20 19:08:40 +10:00
Damien Miller
7b9451f382 - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 
[dynamic-forward.sh]
     Prevent races in dynamic forwarding test; ok djm
 2011-05-20 19:08:11 +10:00
Damien Miller
3045b45a03 - djm@cvs.openbsd.org 2011/05/20 02:43:36 
[cert-hostkey.sh]
     another attempt to generate a v00 ECDSA key that broke the test
     ID sync only - portable already had this somehow
 2011-05-20 19:07:45 +10:00
Damien Miller
f67188fe13 - djm@cvs.openbsd.org 2011/05/17 07:13:31 
[regress/cert-userkey.sh]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
 2011-05-20 19:06:48 +10:00
Damien Miller
f2e407e2dd - djm@cvs.openbsd.org 2011/05/20 03:25:45 
[monitor.c monitor_wrap.c servconf.c servconf.h]
     use a macro to define which string options to copy between configs
     for Match. This avoids problems caused by forgetting to keep three
     code locations in perfect sync and ordering

     "this is at once beautiful and horrible" + ok dtucker@
 2011-05-20 19:04:14 +10:00
Damien Miller
c2411909c7 - dtucker@cvs.openbsd.org 2011/05/20 02:00:19 
[servconf.c]
     Add comment documenting what should be after the preauth check.  ok djm
 2011-05-20 19:03:49 +10:00
Damien Miller
5d74e58e62 - djm@cvs.openbsd.org 2011/05/20 00:55:02 
[servconf.c]
     the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
     and AuthorizedPrincipalsFile were not being correctly applied in
     Match blocks, despite being overridable there; ok dtucker@
 2011-05-20 19:03:31 +10:00
Damien Miller
8f639fe722 - djm@cvs.openbsd.org 2011/05/17 07:13:31 
[key.c]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
 2011-05-20 19:03:08 +10:00
Damien Miller
814ace0875 - OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2011/05/15 08:09:01
     [authfd.c monitor.c serverloop.c]
     use FD_CLOEXEC consistently; patch from zion AT x96.org
 2011-05-20 19:02:47 +10:00
Damien Miller
ec2eaa3daf - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 2011-05-20 18:57:14 +10:00
Damien Miller
989bb7f0c5 - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options 
options, we should corresponding -W-option when trying to determine
   whether it is accepted.  Also includes a warning fix on the program
   fragment uses (bad main() return type).
   bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
 2011-05-20 18:56:30 +10:00
Damien Miller
14684a1f84 - (djm) [session.c] call setexeccon() before executing passwd for pw 
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
 2011-05-20 11:23:07 +10:00
Damien Miller
23f425b48b - (djm) [packet.c] unbreak portability #endif 2011-05-15 08:58:15 +10:00
Damien Miller
9d276b8d68 - djm@cvs.openbsd.org 2011/05/13 00:05:36 
[authfile.c]
     warn on unexpected key type in key_parse_private_type()
 2011-05-15 08:51:43 +10:00
Damien Miller
7c1b2c4ea8 - djm@cvs.openbsd.org 2011/05/11 04:47:06 
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
     remove support for authorized_keys2; it is a relic from the early days
     of protocol v.2 support and has been undocumented for many years;
     ok markus@
 2011-05-15 08:51:05 +10:00
Damien Miller
3219824f2d - djm@cvs.openbsd.org 2011/05/10 05:46:46 
[authfile.c]
     despam debug() logs by detecting that we are trying to load a private key
     in key_try_load_public() and returning early; ok markus@
 2011-05-15 08:50:32 +10:00
Damien Miller
555f3b856f - djm@cvs.openbsd.org 2011/05/08 12:52:01 
[PROTOCOL.mux clientloop.c clientloop.h mux.c]
     improve our behaviour when TTY allocation fails: if we are in
     RequestTTY=auto mode (the default), then do not treat at TTY
     allocation error as fatal but rather just restore the local TTY
     to cooked mode and continue. This is more graceful on devices that
     never allocate TTYs.

     If RequestTTY is set to "yes" or "force", then failure to allocate
     a TTY is fatal.

     ok markus@
 2011-05-15 08:48:05 +10:00
Damien Miller
f4b32aad05 - jmc@cvs.openbsd.org 2011/05/07 23:20:25 
[ssh.1]
     +.It RequestTTY
 2011-05-15 08:47:43 +10:00
Damien Miller
486dd2eadb - jmc@cvs.openbsd.org 2011/05/07 23:19:39 
[ssh_config.5]
     - tweak previous
     - come consistency fixes

     ok djm
 2011-05-15 08:47:18 +10:00
Damien Miller
c067f62560 - djm@cvs.openbsd.org 2011/05/06 22:20:10 
[PROTOCOL.mux]
     fix numbering; from bert.wesarg AT googlemail.com
 2011-05-15 08:46:54 +10:00
Damien Miller
a6bbbe4658 - djm@cvs.openbsd.org 2011/05/06 21:38:58 
[ssh.c]
     fix dropping from previous diff
 2011-05-15 08:46:29 +10:00
Damien Miller
21771e22d3 - djm@cvs.openbsd.org 2011/05/06 21:34:32 
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
     Add a RequestTTY ssh_config option to allow configuration-based
     control over tty allocation (like -t/-T); ok markus@
 2011-05-15 08:45:50 +10:00
Damien Miller
fe92421772 - djm@cvs.openbsd.org 2011/05/06 21:31:38 
[readconf.c ssh_config.5]
     support negated Host matching, e.g.

     Host *.example.org !c.example.org
        User mekmitasdigoat

     Will match "a.example.org", "b.example.org", but not "c.example.org"
     ok markus@
 2011-05-15 08:44:45 +10:00
Damien Miller
dfc85fa181 - djm@cvs.openbsd.org 2011/05/06 21:18:02 
[ssh.c ssh_config.5]
     add a %L expansion (short-form of the local host name) for ControlPath;
     sync some more expansions with LocalCommand; ok markus@
 2011-05-15 08:44:02 +10:00
Damien Miller
d2ac5d74b4 - djm@cvs.openbsd.org 2011/05/06 21:14:05 
[packet.c packet.h]
     set traffic class for IPv6 traffic as we do for IPv4 TOS;
     patch from lionel AT mamane.lu via Colin Watson in bz#1855;
     ok markus@
 2011-05-15 08:43:13 +10:00
Damien Miller
78c40c321b - djm@cvs.openbsd.org 2011/05/06 02:05:41 
[sshconnect2.c]
     fix memory leak; bz#1849 ok dtucker@
 2011-05-15 08:36:59 +10:00
Damien Miller
58a77e2eac - djm@cvs.openbsd.org 2011/05/06 01:09:53 
[sftp.1]
     mention that IPv6 addresses must be enclosed in square brackets;
     bz#1845
 2011-05-15 08:36:29 +10:00
Damien Miller
fd53abd00b - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 
[sshd_config]
     clarify language about overriding defaults.  bz#1892, from Petr Cerny
 2011-05-15 08:36:02 +10:00
Damien Miller
60432d8cf2 - djm@cvs.openbsd.org 2011/05/05 05:12:08 
[mux.c]
     gracefully fall back when ControlPath is too large for a
     sockaddr_un. ok markus@ as part of a larger diff
 2011-05-15 08:34:46 +10:00
Darren Tucker
d6548fe4cf - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix 
--with-ssl-engine which was broken with the change from deprecated
   SSLeay_add_all_algorithms().  ok djm
 2011-05-10 11:13:36 +10:00
Darren Tucker
343f75fa19 - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1875: add prototype 
for closefrom() in test code.  Report from Dan Wallis via Gentoo.
 2011-05-06 10:43:50 +10:00
Tim Rice
9abb697d4f - (tim) [defines.h] Deal with platforms that do not have S_IFSOCK ok djm@ 2011-05-04 23:06:59 -07:00
Tim Rice
19d8181b86 - (tim) [configure.ac] Add AC_LANG_SOURCE to OPENSSH_CHECK_CFLAG_COMPILE 
so autoreconf 2.68 is happy.
 2011-05-04 21:44:25 -07:00
Damien Miller
2ce12ef1ac - djm@cvs.openbsd.org 2011/05/04 21:15:29 
[authfile.c authfile.h ssh-add.c]
     allow "ssh-add - < key"; feedback and ok markus@
 2011-05-05 14:17:18 +10:00
Damien Miller
8cb1cda1e3 - djm@cvs.openbsd.org 2011/04/18 00:46:05 
[ssh-keygen.c]
     certificate options are supposed to be packed in lexical order of
     option name (though we don't actually enforce this at present).
     Move one up that was out of sequence
 2011-05-05 14:16:56 +10:00
Damien Miller
6c3eec7ab2 - djm@cvs.openbsd.org 2011/04/17 22:42:42 
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
     allow graceful shutdown of multiplexing: request that a mux server
     removes its listener socket and refuse future multiplexing requests;
     ok markus@
 2011-05-05 14:16:22 +10:00
Damien Miller
ad21032e65 - djm@cvs.openbsd.org 2011/04/13 04:09:37 
[ssh-keygen.1]
     mention valid -b sizes for ECDSA keys; bz#1862
 2011-05-05 14:15:54 +10:00
Damien Miller
085c90fa20 - djm@cvs.openbsd.org 2011/04/13 04:02:48 
[ssh-keygen.1]
     improve wording; bz#1861
 2011-05-05 14:15:33 +10:00
Damien Miller
26b57ce6c2 - djm@cvs.openbsd.org 2011/04/12 05:32:49 
[sshd.c]
     exit with 0 status on SIGTERM; bz#1879
 2011-05-05 14:15:09 +10:00
Damien Miller
884b63a061 - djm@cvs.openbsd.org 2011/04/12 04:23:50 
[ssh-keygen.c]
     fix -Wshadow
 2011-05-05 14:14:52 +10:00
Damien Miller
9147586599 - stevesk@cvs.openbsd.org 2011/03/29 18:54:17 
[misc.c misc.h servconf.c]
     print ipqos friendly string for sshd -T; ok markus
     # sshd -Tf sshd_config|grep ipqos
     ipqos lowdelay throughput
 2011-05-05 14:14:34 +10:00
Damien Miller
044f4a6cc3 - stevesk@cvs.openbsd.org 2011/03/24 22:14:54 
[ssh-keygen.c]
     use strcasecmp() for "clear" cert permission option also; ok djm
 2011-05-05 14:14:08 +10:00
Damien Miller
3ca1eb373f - jmc@cvs.openbsd.org 2011/03/24 15:29:30 
[ssh-keygen.1]
     zap trailing whitespace;
 2011-05-05 14:13:50 +10:00
Damien Miller
111431963e - stevesk@cvs.openbsd.org 2011/03/23 16:50:04 
[ssh-keygen.c]
     remove -d, documentation removed >10 years ago; ok markus
 2011-05-05 14:13:25 +10:00
Damien Miller
4a4d161545 - stevesk@cvs.openbsd.org 2011/03/23 16:24:56 
[ssh-keygen.1]
     -q not used in /etc/rc now so remove statement.
 2011-05-05 14:06:39 +10:00
Damien Miller
58f1bafb3d - stevesk@cvs.openbsd.org 2011/03/23 15:16:22 
[ssh-keygen.1 ssh-keygen.c]
     Add -A option.  For each of the key types (rsa1, rsa, dsa and ecdsa)
     for which host keys do not exist, generate the host keys with the
     default key file path, an empty passphrase, default bits for the key
     type, and default comment.  This will be used by /etc/rc to generate
     new host keys.  Idea from deraadt.
     ok deraadt
 2011-05-05 14:06:15 +10:00
Damien Miller
c5219e701e - okan@cvs.openbsd.org 2011/03/15 10:36:02 
[ssh-keyscan.c]
     use timerclear macro
     ok djm@
 2011-05-05 14:05:12 +10:00
Damien Miller
b2da7d185e - djm@cvs.openbsd.org 2011/03/10 11:34:25 
[auth.h]
     allow GSSAPI authentication to detect when a server-side failure causes
     authentication failure and don't count such failures against MaxAuthTries;
     bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
 2011-05-05 14:04:50 +10:00
Damien Miller
3fcdfd55a3 - OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2011/03/10 02:52:57
     [auth2-gss.c auth2.c]
     allow GSSAPI authentication to detect when a server-side failure causes
     authentication failure and don't count such failures against MaxAuthTries;
     bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
 2011-05-05 14:04:11 +10:00
Damien Miller
f22019bdbf - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] 
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
   [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
   [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
   [regress/README.regress] Remove ssh-rand-helper and all its
   tentacles. PRNGd seeding has been rolled into entropy.c directly.
   Thanks to tim@ for testing on affected platforms.
 2011-05-05 13:48:37 +10:00
Damien Miller
68790fedef - (djm) [defines.h] Move up include of netinet/ip.h for IPTOS 
definitions.
 2011-05-05 11:19:13 +10:00
Damien Miller
db59a3fb22 (whitespace change to test sync to hg) 2011-03-28 15:07:06 +11:00
Darren Tucker
e541aaaf0f - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the 
Cygwin-specific service installer script ssh-host-config.  The actual
   functionality is the same, the revisited version is just more
   exact when it comes to check for problems which disallow to run
   certain aspects of the script.  So, part of this script and the also
   rearranged service helper script library "csih" is to check if all
   the tools required to run the script are available on the system.
   The new script also is more thorough to inform the user why the
   script failed.  Patch from vinschen at redhat com.
 2011-02-21 21:41:29 +11:00
Damien Miller
0588beba39 - djm@cvs.openbsd.org 2011/02/16 00:31:14 
[ssh-keysign.c]
     make hostbased auth with ECDSA keys work correctly. Based on patch
     by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)
 2011-02-18 09:18:45 +11:00
Darren Tucker
ea676a6422 - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key 
generation and simplify.  Patch from Corinna Vinschen.
 2011-02-06 13:31:23 +11:00
Darren Tucker
3b9617ecbd - (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in 
selinux code.  Patch from Leonardo Chiquitto.
 2011-02-06 13:24:35 +11:00
Damien Miller
0d30b092ce - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
[contrib/suse/openssh.spec] update versions in docs and spec files.
 - Release OpenSSH 5.8p1
 2011-02-04 12:43:36 +11:00
Damien Miller
a69812707d - djm@cvs.openbsd.org 2011/02/04 00:44:43 
[version.h]
     openssh-5.8
 2011-02-04 11:47:20 +11:00
Damien Miller
0a5f0129a3 - djm@cvs.openbsd.org 2011/02/04 00:44:21 
[key.c]
     fix uninitialised nonce variable; reported by Mateusz Kocielski
 2011-02-04 11:47:01 +11:00
Damien Miller
b407dd8d05 - djm@cvs.openbsd.org 2011/01/31 21:42:15 
[PROTOCOL.mux]
     cut'n'pasto; from bert.wesarg AT googlemail.com
 2011-02-04 11:46:39 +11:00
Damien Miller
d4a5504cb1 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled 
before attempting setfscreatecon(). Check whether matchpathcon()
   succeeded before using its result. Patch from cjwatson AT debian.org;
   bz#1851
 2011-01-28 10:30:18 +11:00
Tim Rice
648f876566 20110127 
- (tim) [configure.ac] Consistent M4 quoting throughout, updated obsolete
   AC_TRY_COMPILE with AC_COMPILE_IFELSE, updated obsolete AC_TRY_LINK with
   AC_LINK_IFELSE, updated obsolete AC_TRY_RUN with AC_RUN_IFELSE, misc white
   space changes for consistency/readability. Makes autoconf 2.68 happy.
   "Nice work" djm
 2011-01-26 12:38:57 -08:00
Tim Rice
d069c48207 20110127 
- (tim) [config.guess config.sub] Sync with upstream.
 2011-01-26 12:32:12 -08:00
Damien Miller
71adf127e8 - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c 
openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
   port-linux.c to avoid compilation errors. Add -lselinux to ssh when
   building with SELinux support to avoid linking failure; report from
   amk AT spamfence.net; ok dtucker
 2011-01-25 12:16:15 +11:00
Damien Miller
6f8f04b860 - (djm) Release 5.7p1 2011-01-22 20:25:11 +11:00
Damien Miller
4a5eb41cee trim entries older than 5.5p1 2011-01-22 20:24:34 +11:00
Damien Miller
966accc533 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
[contrib/suse/openssh.spec] update versions in docs and spec files.
 2011-01-22 20:23:10 +11:00
Damien Miller
ad4b1adf95 - OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2011/01/22 09:18:53
     [version.h]
     crank to OpenSSH-5.7
 2011-01-22 20:21:33 +11:00
Darren Tucker
79241377df - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add 
RSA_get_default_method() for the benefit of openssl versions that don't
   have it (at least openssl-engine-0.9.6b).  Found and tested by Kevin Brott,
   ok djm@.
 2011-01-22 09:37:01 +11:00
Damien Miller
e323ebc250 - (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior to 
0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre-
   release testing (random crashes and failure to load ECC keys).
   ok dtucker@
 2011-01-19 23:12:27 +11:00
Tim Rice
15e1b4dea7 - (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile instead 
of RPM so build completes. Signatures were changed to .asc since 4.1p1.
 2011-01-18 20:47:04 -08:00
Darren Tucker
ea52a82969 - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h 
configure.ac defines.h loginrec.c]  Bug #1402: add linux audit subsystem
   support, based on patches from Tomas Mraz and jchadima at redhat.
 2011-01-17 21:15:27 +11:00
Darren Tucker
263d43d2a5 - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on 
the tinderbox.
 2011-01-17 18:50:22 +11:00
Tim Rice
6dfcd34042 - (tim) [regress/agent-getpeereid.sh] shell portability fix. 2011-01-16 22:53:56 -08:00
Damien Miller
58497780ab - (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh] 
[regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are
   disabled on platforms that do not support them; add a "config_defined()"
   shell function that greps for defines in config.h and use them to decide
   on feature tests.
   Convert a couple of existing grep's over config.h to use the new function
   Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent
   backslash characters in filenames, enable it for Cygwin and use it to turn
   of tests for quotes backslashes in sftp-glob.sh.
   based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@
 2011-01-17 16:17:09 +11:00
Darren Tucker
0c93adc7c1 - (dtucker) [openbsd-compat/port-linux.c] Bug #1838: Add support for the new 
Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback
   to the old values.  Feedback from vapier at gentoo org and djm, ok djm.
 2011-01-17 11:55:59 +11:00
Damien Miller
1ccbfa88b1 - (djm) [regress/agent-getpeereid.sh] leave stdout attached when running 
ssh-add to avoid $SUDO failures on Linux
 2011-01-17 11:52:40 +11:00
Damien Miller
fd3669eb26 - (djm) [regress/agent-ptrace.sh] Fix false failure on OS X by adding 
its unique snowflake of a gdb error to the ones we look for.
 2011-01-17 11:20:18 +11:00