Commit Graph

6278 Commits

Author SHA1 Message Date
Darren Tucker
02c47341a2 - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id.
based in part on a patch from Colin Watson, ok djm@
2010-08-10 13:36:09 +10:00
Damien Miller
2c4b13aa32 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it is
already set. Makes FreeBSD user openable tunnels useful; patch from
   richard.burakowski+ossh AT mrburak.net, ok dtucker@
2010-08-10 12:47:40 +10:00
Damien Miller
792010bafd - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers
2010-08-09 02:32:05 +10:00
Damien Miller
7e569b883c - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/08/08 16:26:42
     [version.h]
     crank to 5.6
2010-08-09 02:28:37 +10:00
Damien Miller
8e604acd44 unbreak datestamps 2010-08-09 02:28:10 +10:00
Damien Miller
7d45718943 - djm@cvs.openbsd.org 2010/08/05 13:08:42
[channels.c]
     Fix a trio of bugs in the local/remote window calculation for datagram
     data channels (i.e. TunnelForward):

     Calculate local_consumed correctly in channel_handle_wfd() by measuring
     the delta to buffer_len(c->output) from when we start to when we finish.
     The proximal problem here is that the output_filter we use in portable
     modified the length of the dequeued datagram (to futz with the headers
     for !OpenBSD).

     In channel_output_poll(), don't enqueue datagrams that won't fit in the
     peer's advertised packet size (highly unlikely to ever occur) or which
     won't fit in the peer's remaining window (more likely).

     In channel_input_data(), account for the 4-byte string header in
     datagram packets that we accept from the peer and enqueue in c->output.

     report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
     "looks good" markus@
2010-08-05 23:09:48 +10:00
Damien Miller
b89e6b76be - djm@cvs.openbsd.org 2010/08/04 06:08:40
[ssh-keysign.c]
     clean for -Wuninitialized (Id sync only; portable had this change)
2010-08-05 13:06:20 +10:00
Damien Miller
757f34e051 - djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
     Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 13:05:31 +10:00
Damien Miller
5458c4dd13 - djm@cvs.openbsd.org 2010/08/04 05:49:22
[authfile.c]
     commited the wrong version of the hostbased certificate diff; this
     version replaces some strlc{py,at} verbosity with xasprintf() at
     the request of markus@
2010-08-05 13:05:15 +10:00
Damien Miller
c158331f8c - djm@cvs.openbsd.org 2010/08/04 05:42:47
[auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8]
     [ssh-keysign.c ssh.c]
     enable certificates for hostbased authentication, from Iain Morgan;
     "looks ok" markus@
2010-08-05 13:04:50 +10:00
Damien Miller
1da6388959 - djm@cvs.openbsd.org 2010/08/04 05:40:39
[PROTOCOL.certkeys ssh-keygen.c]
     tighten the rules for certificate encoding by requiring that options
     appear in lexical order and make our ssh-keygen comply. ok markus@
2010-08-05 13:03:51 +10:00
Damien Miller
7fa96602e5 - djm@cvs.openbsd.org 2010/08/04 05:37:01
[ssh.1 ssh_config.5 sshd.8]
     Remove mentions of weird "addr/port" alternate address format for IPv6
     addresses combinations. It hasn't worked for ages and we have supported
     the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-05 13:03:13 +10:00
Damien Miller
081f3c73d8 - dtucker@cvs.openbsd.org 2010/07/23 08:49:25
[ssh.1]
     Ciphers is documented in ssh_config(5) these days
2010-08-03 16:05:25 +10:00
Damien Miller
8c1eb113ef - djm@cvs.openbsd.org 2010/07/21 02:10:58
[misc.c]
     sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern
2010-08-03 16:05:05 +10:00
Damien Miller
e11e1ea5d4 - djm@cvs.openbsd.org 2010/07/19 09:15:12
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
     add a "ControlPersist" option that automatically starts a background
     ssh(1) multiplex master when connecting. This connection can stay alive
     indefinitely, or can be set to automatically close after a user-specified
     duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but
     further hacked on by wmertens AT cisco.com, apb AT cequrux.com,
     martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
2010-08-03 16:04:46 +10:00
Damien Miller
c4bb91c79c - djm@cvs.openbsd.org 2010/07/19 03:16:33
[sftp-client.c]
     bz#1797: fix swapped args in upload_dir_internal(), breaking recursive
     upload depth checks and causing verbose printing of transfers to always
     be turned on; patch from imorgan AT nas.nasa.gov
2010-08-03 16:04:22 +10:00
Damien Miller
4e8285e312 - djm@cvs.openbsd.org 2010/07/16 14:07:35
[ssh-rsa.c]
     more timing paranoia - compare all parts of the expected decrypted
     data before returning. AFAIK not exploitable in the SSH protocol.
     "groovy" deraadt@
2010-08-03 16:04:03 +10:00
Damien Miller
844cccfc1a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/07/16 04:45:30
     [ssh-keygen.c]
     avoid bogus compiler warning
2010-08-03 16:03:29 +10:00
Darren Tucker
8b7a055e9a - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned from
PAM to sane values in case the PAM method doesn't write to them.  Spotted by
   Bitman Zhou, ok djm@.
2010-08-03 15:50:16 +10:00
Darren Tucker
12b29dbd8a - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with more
details about its behaviour WRT existing directories.  Patch from
   asguthrie at gmail com, ok djm.
2010-07-19 21:24:13 +10:00
Damien Miller
bad5e03bfd - schwarze@cvs.openbsd.org 2010/07/15 21:20:38
[ssh-keygen.1]
     repair incorrect block nesting, which screwed up indentation;
     problem reported and fix OK by jmc@
2010-07-16 13:59:59 +10:00
Damien Miller
bcfbc48930 - jmc@cvs.openbsd.org 2010/07/14 17:06:58
[ssh.1]
     finally ssh synopsis looks nice again! this commit just removes a ton of
     hacks we had in place to make it work with old groff;
2010-07-16 13:59:11 +10:00
Damien Miller
ea1651c98e - djm@cvs.openbsd.org 2010/07/13 23:13:16
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c]
     [ssh-rsa.c]
     s/timing_safe_cmp/timingsafe_bcmp/g
2010-07-16 13:58:37 +10:00
Damien Miller
8a0268f1b3 - djm@cvs.openbsd.org 2010/07/13 11:52:06
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
     [packet.c ssh-rsa.c]
     implement a timing_safe_cmp() function to compare memory without leaking
     timing information by short-circuiting like memcmp() and use it for
     some of the more sensitive comparisons (though nothing high-value was
     readily attackable anyway); "looks ok" markus@
2010-07-16 13:57:51 +10:00
Damien Miller
d0244d498b - djm@cvs.openbsd.org 2010/07/12 22:41:13
[ssh.c ssh_config.5]
     expand %h to the hostname in ssh_config Hostname options. While this
     sounds useless, it is actually handy for working with unqualified
     hostnames:

     Host *.*
        Hostname %h
     Host *
        Hostname %h.example.org

     "I like it" markus@
2010-07-16 13:56:43 +10:00
Damien Miller
1f25ab43f4 - djm@cvs.openbsd.org 2010/07/12 22:38:52
[ssh.c]
     Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f")
     for protocol 2. ok markus@
2010-07-16 13:56:23 +10:00
Damien Miller
9308fc7743 - djm@cvs.openbsd.org 2010/07/02 04:32:44
[misc.c]
     unbreak strdelim() skipping past quoted strings, e.g.
     AllowUsers "blah blah" blah
     was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com
     ok dtucker;
2010-07-16 13:56:01 +10:00
Tim Rice
cfbdc28ffe - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpass
(line 77) should have been for no_x11_askpass.
2010-07-14 13:42:28 -07:00
Damien Miller
ab139cde38 - djm@cvs.openbsd.org 2010/06/29 23:59:54
[cert-userkey.sh]
     regress tests for key options in AuthorizedPrincipals
2010-07-02 13:42:18 +10:00
Damien Miller
527ded7f64 - phessler@cvs.openbsd.org 2010/06/27 19:19:56
[Makefile]
     fix how we run the tests so we can successfully use SUDO='sudo -E'
     in our env
2010-07-02 13:40:16 +10:00
Damien Miller
0979b40934 - millert@cvs.openbsd.org 2010/07/01 13:06:59
[scp.c]
     Fix a longstanding problem where if you suspend scp at the
     password/passphrase prompt the terminal mode is not restored.
     OK djm@
2010-07-02 13:37:33 +10:00
Damien Miller
d59dab8353 - jmc@cvs.openbsd.org 2010/06/30 07:28:34
[sshd_config.5]
     tweak previous;
2010-07-02 13:37:17 +10:00
Damien Miller
6022f58e3a - jmc@cvs.openbsd.org 2010/06/30 07:26:03
[ssh-keygen.c]
     sort usage();
2010-07-02 13:37:01 +10:00
Damien Miller
ea72728ffe - jmc@cvs.openbsd.org 2010/06/30 07:24:25
[ssh-keygen.1]
     tweak previous;
2010-07-02 13:35:34 +10:00
Damien Miller
6018a36864 - djm@cvs.openbsd.org 2010/06/29 23:16:46
[auth2-pubkey.c sshd_config.5]
     allow key options (command="..." and friends) in AuthorizedPrincipals;
     ok markus@
2010-07-02 13:35:19 +10:00
Damien Miller
44b2504011 - djm@cvs.openbsd.org 2010/06/29 23:15:30
[ssh-keygen.1 ssh-keygen.c]
     allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
     bz#1749; ok markus@
2010-07-02 13:35:01 +10:00
Damien Miller
b96c441ee2 - djm@cvs.openbsd.org 2010/06/26 23:04:04
[ssh.c]
     oops, forgot to #include <canohost.h>; spotted and patch from chl@
2010-07-02 13:34:24 +10:00
Damien Miller
cede1dbc55 - jmc@cvs.openbsd.org 2010/06/26 00:57:07
[ssh_config.5]
     tweak previous;
2010-07-02 13:33:48 +10:00
Tim Rice
3fd307df5b - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs
key.h.
2010-06-26 16:45:15 -07:00
Damien Miller
1ab6a51f9b - djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c]
     log the hostname and address that we connected to at LogLevel=verbose
     after authentication is successful to mitigate "phishing" attacks by
     servers with trusted keys that accept authentication silently and
     automatically before presenting fake password/passphrase prompts;
     "nice!" markus@
2010-06-26 10:02:24 +10:00
Damien Miller
383ffe6c5f - djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c]
     log the hostname and address that we connected to at LogLevel=verbose
     after authentication is successful to mitigate "phishing" attacks by
     servers with trusted keys that accept authentication silently and
     automatically before presenting fake password/passphrase prompts;
     "nice!" markus@
2010-06-26 10:02:03 +10:00
Damien Miller
bda3ecafca - djm@cvs.openbsd.org 2010/06/25 08:46:17
[auth1.c auth2-none.c]
     skip the initial check for access with an empty password when
     PermitEmptyPasswords=no; bz#1638; ok markus@
2010-06-26 10:01:33 +10:00
Damien Miller
8853ca5fc4 - djm@cvs.openbsd.org 2010/06/25 07:20:04
[channels.c session.c]
     bz#1750: fix requirement for /dev/null inside ChrootDirectory for
     internal-sftp accidentally introduced in r1.253 by removing the code
     that opens and dup /dev/null to stderr and modifying the channels code
     to read stderr but discard it instead; ok markus@
2010-06-26 10:00:14 +10:00
Damien Miller
232cfb1b1d - djm@cvs.openbsd.org 2010/06/25 07:14:46
[channels.c mux.c readconf.c readconf.h ssh.h]
     bz#1327: remove hardcoded limit of 100 permitopen clauses and port
     forwards per direction; ok markus@ stevesk@
2010-06-26 09:50:30 +10:00
Damien Miller
d834d35834 - djm@cvs.openbsd.org 2010/06/23 02:59:02
[ssh-keygen.c]
     fix printing of extensions in v01 certificates that I broke in r1.190
2010-06-26 09:48:02 +10:00
Damien Miller
1b2b61e6f8 - djm@cvs.openbsd.org 2010/06/22 04:59:12
[session.c]
     include the user name on "subsystem request for ..." log messages;
     bz#1571; ok dtucker@
2010-06-26 09:47:43 +10:00
Damien Miller
0e76c5e502 - djm@cvs.openbsd.org 2010/06/22 04:54:30
[ssh-keyscan.c]
     replace verbose and overflow-prone Linebuf code with read_keyfile_line()
     based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@
2010-06-26 09:39:59 +10:00
Damien Miller
48147d6801 - djm@cvs.openbsd.org 2010/06/22 04:49:47
[auth.c]
     queue auth debug messages for bad ownership or permissions on the user's
     keyfiles. These messages will be sent after the user has successfully
     authenticated (where our client will display them with LogLevel=debug).
2010-06-26 09:39:25 +10:00
Damien Miller
ba3420acd2 - djm@cvs.openbsd.org 2010/06/22 04:32:06
[ssh-keygen.c]
     standardise error messages when attempting to open private key
     files to include "progname: filename: error reason"
     bz#1783; ok dtucker@
2010-06-26 09:39:07 +10:00
Damien Miller
ab6de35140 - djm@cvs.openbsd.org 2010/06/22 04:22:59
[servconf.c sshd_config.5]
     expose some more sshd_config options inside Match blocks:
       AuthorizedKeysFile AuthorizedPrincipalsFile
       HostbasedUsesNameFromPacketOnly PermitTunnel
     bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
2010-06-26 09:38:45 +10:00