[channels.c]
Fix a trio of bugs in the local/remote window calculation for datagram
data channels (i.e. TunnelForward):
Calculate local_consumed correctly in channel_handle_wfd() by measuring
the delta to buffer_len(c->output) from when we start to when we finish.
The proximal problem here is that the output_filter we use in portable
modified the length of the dequeued datagram (to futz with the headers
for !OpenBSD).
In channel_output_poll(), don't enqueue datagrams that won't fit in the
peer's advertised packet size (highly unlikely to ever occur) or which
won't fit in the peer's remaining window (more likely).
In channel_input_data(), account for the 4-byte string header in
datagram packets that we accept from the peer and enqueue in c->output.
report, analysis and testing 2/3 cases from wierbows AT us.ibm.com;
"looks good" markus@
[authfile.c]
commited the wrong version of the hostbased certificate diff; this
version replaces some strlc{py,at} verbosity with xasprintf() at
the request of markus@
[PROTOCOL.certkeys ssh-keygen.c]
tighten the rules for certificate encoding by requiring that options
appear in lexical order and make our ssh-keygen comply. ok markus@
[ssh.1 ssh_config.5 sshd.8]
Remove mentions of weird "addr/port" alternate address format for IPv6
addresses combinations. It hasn't worked for ages and we have supported
the more commen "[addr]:port" format for a long time. ok jmc@ markus@
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
add a "ControlPersist" option that automatically starts a background
ssh(1) multiplex master when connecting. This connection can stay alive
indefinitely, or can be set to automatically close after a user-specified
duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but
further hacked on by wmertens AT cisco.com, apb AT cequrux.com,
martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
[sftp-client.c]
bz#1797: fix swapped args in upload_dir_internal(), breaking recursive
upload depth checks and causing verbose printing of transfers to always
be turned on; patch from imorgan AT nas.nasa.gov
[ssh-rsa.c]
more timing paranoia - compare all parts of the expected decrypted
data before returning. AFAIK not exploitable in the SSH protocol.
"groovy" deraadt@
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
[packet.c ssh-rsa.c]
implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
[ssh.c ssh_config.5]
expand %h to the hostname in ssh_config Hostname options. While this
sounds useless, it is actually handy for working with unqualified
hostnames:
Host *.*
Hostname %h
Host *
Hostname %h.example.org
"I like it" markus@
[misc.c]
unbreak strdelim() skipping past quoted strings, e.g.
AllowUsers "blah blah" blah
was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com
ok dtucker;
[ssh.c]
log the hostname and address that we connected to at LogLevel=verbose
after authentication is successful to mitigate "phishing" attacks by
servers with trusted keys that accept authentication silently and
automatically before presenting fake password/passphrase prompts;
"nice!" markus@
[ssh.c]
log the hostname and address that we connected to at LogLevel=verbose
after authentication is successful to mitigate "phishing" attacks by
servers with trusted keys that accept authentication silently and
automatically before presenting fake password/passphrase prompts;
"nice!" markus@
[channels.c session.c]
bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@
[channels.c mux.c readconf.c readconf.h ssh.h]
bz#1327: remove hardcoded limit of 100 permitopen clauses and port
forwards per direction; ok markus@ stevesk@
[ssh-keyscan.c]
replace verbose and overflow-prone Linebuf code with read_keyfile_line()
based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@
[auth.c]
queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
[servconf.c sshd_config.5]
expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@