to obtain known_hosts data from a command in addition to the usual files.
The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).
ok markus@
OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.
feedback & ok markus@
OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc which was
standardized in RFC4253 (2006), has been deprecated and disabled by default
since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
This will reduce the amount of work the cipher/kex regression tests need
to do by a little bit. ok markus@ djm@
OpenBSD-Commit-ID: fb460acc18290a998fd70910b19c29b4e4f199ad
pointing out my error (parse_ssh_uri() can return -1/0/1, that I missed).
Reported by Raf Czlonka via bugs@
ok tb@
OpenBSD-Commit-ID: a2991a3794bcaf1ca2b025212cce11cdb5f6b7d6
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().
ok markus@
OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20
consolidate the common arguments into a single struct and pass that around
instead of using a bunch of globals. ok markus@
OpenBSD-Commit-ID: 035e6d7ca9145ad504f6af5a021943f1958cd19b
TCP connect. The connection phase of the SSH session is time-sensitive (due
to server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after
authentication completes.
ok dtucker@
OpenBSD-Commit-ID: f31ab10d9233363a6d2c9996007083ba43a093f1
report the type because it is ambiguous as to whether it referred to the
known or new host key. bz3216; ok dtucker@
OpenBSD-Commit-ID: 2d5ce4a83dbcf44e340a572e361decad8aab7bad
read-only directory, ensure that the directory is created with write and
execute permissions in the interim so that we can actually complete the
transfer, then set the directory permission as the final step. (The execute
bit is only likely to be an issue with a non-POSIX server). bz#3222, ok djm@
OpenBSD-Commit-ID: a82606212f2796e31f0e1af94a63355a7ad5d903
find_by_key_ctx struct. Initializing a single member should be enough
(the spec says the remainder should be initialized as per the static
rules) but some GCCs warn on this which prevents us testing with -Werror
on those. ok deraadt@ djm@
OpenBSD-Commit-ID: 687126e60a27d30f02614760ef3c3ae4e8d6af28
make it easier to determine which connection they are associated with in
cases like scp -3, ProxyJump, etc. bz#3224 ok dtucker
OpenBSD-Commit-ID: 67e6189b04b46c867662f8a6759cf3ecb5f59170
It was only set by the recently removed AC_HEADER_TIME macro, replace
with simple inclusions of both sys/time.h and time.h. Should prevent
mis-detection of struct timespec.
any other host names/addresses already associated with the key. E.g.
> The authenticity of host 'test (10.0.0.1)' can't be established.
> ECDSA key fingerprint is SHA256:milU4MODXm8iJQI18wlsbPG7Yup+34fuNNmV08qDnax.
> This host key is known by the following other names/addresses:
> ~/.ssh/known_hosts:1: host.example.org,10.0.0.1
> ~/.ssh/known_hosts:2: [hashed name]
> ~/.ssh/known_hosts:3: [hashed name]
> ~/.ssh/known_hosts:4: host
> ~/.ssh/known_hosts:5: [host]:2222
> Are you sure you want to continue connecting (yes/no/[fingerprint])?
feedback and ok markus@
OpenBSD-Commit-ID: f6f58a77b49f1368b5883b3a1f776447cfcc7ef4
