RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-02-07 17:41:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
7,665 Commits 69 Branches 157 Tags 27 MiB
cb3bde373e
Commit Graph

7665 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
djm@openbsd.org
cb3bde373e upstream commit 
handle PKCS#11 C_Login returning
 CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
 2015-02-03 11:06:16 +11:00
djm@openbsd.org
15ad750e5e upstream commit 
turn UpdateHostkeys off by default until I figure out
 mlarkin@'s warning message; requested by deraadt@
 2015-02-03 11:06:16 +11:00
deraadt@openbsd.org
3cd5103c1e upstream commit 
increasing encounters with difficult DNS setups in
 darknets has convinced me UseDNS off by default is better ok djm
 2015-02-03 11:06:15 +11:00
djm@openbsd.org
6049a548a8 upstream commit 
Let sshd load public host keys even when private keys are
 missing. Allows sshd to advertise additional keys for future key rotation.
 Also log fingerprint of hostkeys loaded; ok markus@
 2015-02-01 09:13:09 +11:00
djm@openbsd.org
46347ed596 upstream commit 
Add a ssh_config HostbasedKeyType option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
 2015-01-30 22:47:01 +11:00
djm@openbsd.org
802660cb70 upstream commit 
set a timeout to prevent hangs when talking to busted
 servers; ok markus@
 2015-01-30 22:47:00 +11:00
djm@openbsd.org
86936ec245 upstream commit 
regression test for 'wildcard CA' serial/key ID revocations
 2015-01-30 12:19:29 +11:00
djm@openbsd.org
4509b5d4a4 upstream commit 
avoid more fatal/exit in the packet.c paths that
 ssh-keyscan uses; feedback and "looks good" markus@
 2015-01-30 12:18:59 +11:00
djm@openbsd.org
669aee9943 upstream commit 
permit KRLs that revoke certificates by serial number or
 key ID without scoping to a particular CA; ok markus@
 2015-01-30 12:17:07 +11:00
djm@openbsd.org
7a2c368477 upstream commit 
missing parentheses after if in do_convert_from() broke
 private key conversion from other formats some time in 2010; bz#2345 reported
 by jjelen AT redhat.com
 2015-01-30 12:16:33 +11:00
djm@openbsd.org
25f5f78d8b upstream commit 
fix ssh protocol 1, spotted by miod@
 2015-01-30 12:16:33 +11:00
djm@openbsd.org
9ce86c926d upstream commit 
update to new API (key_fingerprint => sshkey_fingerprint)
 check sshkey_fingerprint return values; ok markus
 2015-01-29 10:18:56 +11:00
djm@openbsd.org
9125525c37 upstream commit 
avoid fatal() calls in packet code makes ssh-keyscan more
 reliable against server failures ok dtucker@ markus@
 2015-01-29 09:08:07 +11:00
djm@openbsd.org
fae7bbe544 upstream commit 
avoid fatal() calls in packet code makes ssh-keyscan more
 reliable against server failures ok dtucker@ markus@
 2015-01-29 09:08:07 +11:00
djm@openbsd.org
1a3d14f6b4 upstream commit 
remove obsolete comment
 2015-01-29 09:08:07 +11:00
okan@openbsd.org
80c25b7bc0 upstream commit 
Since r1.2 removed the use of PRI* macros, inttypes.h is
 no longer required.

ok djm@
 2015-01-29 09:08:06 +11:00
Damien Miller
69ff64f696 compile on systems without TCP_MD5SIG (e.g. OSX) 2015-01-27 23:07:43 +11:00
Damien Miller
358964f308 use ssh-keygen under test rather than system's 2015-01-27 23:07:25 +11:00
Damien Miller
a2c95c1bf3 OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX 2015-01-27 23:06:59 +11:00
Damien Miller
ade31d7b6f these need active_state defined to link on OSX 
temporary measure until active_state goes away entirely
 2015-01-27 23:06:23 +11:00
djm@openbsd.org
e56aa87502 upstream commit 
use printf instead of echo -n to reduce diff against
 -portable
 2015-01-27 23:03:15 +11:00
jmc@openbsd.org
9f7637f56e upstream commit 
sort previous;
 2015-01-27 23:02:44 +11:00
djm@openbsd.org
3076ee7d53 upstream commit 
properly restore umask
 2015-01-27 00:37:35 +11:00
djm@openbsd.org
d411d39555 upstream commit 
regression test for host key rotation
 2015-01-27 00:03:53 +11:00
djm@openbsd.org
fe8a3a5169 upstream commit 
adapt to sshkey API tweaks
 2015-01-27 00:03:31 +11:00
miod@openbsd.org
7dd355fb1f upstream commit 
Move -lz late in the linker commandline for things to
 build on static arches.
 2015-01-27 00:03:30 +11:00
miod@openbsd.org
0dad3b806f upstream commit 
-Wpointer-sign is supported by gcc 4 only.
 2015-01-27 00:03:30 +11:00
djm@openbsd.org
2b3b1c1e4b upstream commit 
use SUBDIR to recuse into unit tests; makes "make obj"
 actually work
 2015-01-27 00:03:12 +11:00
djm@openbsd.org
1d1092bff8 upstream commit 
correct description of UpdateHostKeys in ssh_config.5 and
 add it to -o lists for ssh, scp and sftp; pointed out by jmc@
 2015-01-27 00:00:58 +11:00
djm@openbsd.org
5104db7cbd upstream commit 
correctly match ECDSA subtype (== curve) for
 offered/recevied host keys. Fixes connection-killing host key mismatches when
 a server offers multiple ECDSA keys with different curve type (an extremely
 unlikely configuration).

ok markus, "looks mechanical" deraadt@
 2015-01-27 00:00:57 +11:00
djm@openbsd.org
8d4f87258f upstream commit 
Host key rotation support.

Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host key after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.

The client side of this is controlled by a UpdateHostkeys config
option (default on).

ok markus@
 2015-01-27 00:00:57 +11:00
djm@openbsd.org
60b1825262 upstream commit 
small refactor and add some convenience functions; ok
 markus
 2015-01-27 00:00:36 +11:00
jmc@openbsd.org
a5a3e3328d upstream commit 
heirarchy -> hierarchy;
 2015-01-26 23:58:54 +11:00
deraadt@openbsd.org
dcff5810a1 upstream commit 
Provide a warning about chroot misuses (which sadly, seem
 to have become quite popular because shiny).  sshd cannot detect/manage/do
 anything about these cases, best we can do is warn in the right spot in the
 man page. ok markus
 2015-01-26 23:58:53 +11:00
deraadt@openbsd.org
087266ec33 upstream commit 
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
 2015-01-26 23:58:53 +11:00
markus@openbsd.org
57e783c8ba upstream commit 
kex_setup errors are fatal()
 2015-01-26 23:53:56 +11:00
djm@openbsd.org
1d6424a6ff upstream commit 
this test would accidentally delete agent.sh if run without
 obj/
 2015-01-20 19:03:08 +11:00
djm@openbsd.org
12b5f50777 upstream commit 
make this compile with KERBEROS5 enabled
 2015-01-20 18:58:37 +11:00
djm@openbsd.org
e2cc6bef08 upstream commit 
fix hostkeys in agent; ok markus@
 2015-01-20 18:58:36 +11:00
Damien Miller
1ca3e2155a fix kex test 2015-01-20 10:11:31 +11:00
markus@openbsd.org
c78a578107 upstream commit 
finally enable the KEX tests I wrote some years ago...
 2015-01-20 09:50:34 +11:00
markus@openbsd.org
31821d7217 upstream commit 
adapt to new error message (SSH_ERR_MAC_INVALID)
 2015-01-20 09:46:48 +11:00
djm@openbsd.org
d3716ca19e upstream commit 
this test was broken in at least two ways, such that it
 wasn't checking that a KRL was not excluding valid keys
 2015-01-20 09:45:56 +11:00
markus@openbsd.org
3f79765374 upstream commit 
switch ssh-keyscan from setjmp to multiple ssh transport
 layer instances ok djm@
 2015-01-20 09:24:11 +11:00
markus@openbsd.org
f582f0e917 upstream commit 
add experimental api for packet layer; ok djm@
 2015-01-20 09:23:46 +11:00
markus@openbsd.org
48b3b2ba75 upstream commit 
store compat flags in struct ssh; ok djm@
 2015-01-20 09:19:40 +11:00
markus@openbsd.org
57d10cbe86 upstream commit 
adapt kex to sshbuf and struct ssh; ok djm@
 2015-01-20 09:19:39 +11:00
markus@openbsd.org
3fdc88a0de upstream commit 
move dispatch to struct ssh; ok djm@
 2015-01-20 09:14:16 +11:00
markus@openbsd.org
091c302829 upstream commit 
update packet.c & isolate, introduce struct ssh a) switch
 packet.c to buffer api and isolate per-connection info into struct ssh b)
 (de)serialization of the state is moved from monitor to packet.c c) the old
 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
 integrated into packet.c with and ok djm@
 2015-01-20 09:13:01 +11:00
djm@openbsd.org
4e62cc68ce upstream commit 
fix format strings in (disabled) debugging
 2015-01-20 08:33:01 +11:00