Commit Graph

8237 Commits

Author SHA1 Message Date
jmc@openbsd.org
ee1e0a16ff upstream commit
cidr permitted for {allow,deny}users; from lars nooden ok djm

Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
2016-04-28 19:55:28 +10:00
djm@openbsd.org
b6e0140a5a upstream commit
make argument == NULL tests more consistent

Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d
2016-04-21 16:30:11 +10:00
jmc@openbsd.org
6aaabc2b61 upstream commit
tweak previous;

Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
2016-04-21 16:30:11 +10:00
djm@openbsd.org
0f839e5969 upstream commit
missing bit of Include regress

Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f
2016-04-15 12:58:35 +10:00
djm@openbsd.org
12e4ac46ae upstream commit
remove redundant CLEANFILES section

Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587
2016-04-15 12:58:09 +10:00
djm@openbsd.org
b1d05aa653 upstream commit
sync CLEANFILES with portable, sort

Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed
2016-04-15 11:16:13 +10:00
djm@openbsd.org
35f22dad26 upstream commit
regression test for ssh_config Include directive

Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e
2016-04-15 11:16:13 +10:00
djm@openbsd.org
6b8a1a8700 upstream commit
unbreak test for recent ssh de-duplicated forwarding
 change

Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3
2016-04-15 11:16:12 +10:00
djm@openbsd.org
0767877024 upstream commit
add test knob and warning for StrictModes

Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682
2016-04-15 11:16:12 +10:00
djm@openbsd.org
dc7990be86 upstream commit
Include directive for ssh_config(5); feedback & ok markus@

Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-04-15 11:16:11 +10:00
Damien Miller
85bdcd7c92 ignore PAM environment vars when UseLogin=yes
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.

CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
2016-04-13 10:44:42 +10:00
djm@openbsd.org
dce19bf6e4 upstream commit
make private key loading functions consistently handle NULL
 key pointer arguments; ok markus@

Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761
2016-04-13 10:44:06 +10:00
Darren Tucker
5f41f030e2 Remove NO_IPPORT_RESERVED_CONCEPT
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD.  ok djm, sanity checked
by Corinna.
2016-04-08 21:21:27 +10:00
djm@openbsd.org
34a01b2cf7 upstream commit
whitespace at EOL

Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6
2016-04-08 18:21:51 +10:00
djm@openbsd.org
90ee563fa6 upstream commit
We accidentally send an empty string and a zero uint32 with
 every direct-streamlocal@openssh.com channel open, in contravention of our
 own spec.

Fixing this is too hard wrt existing versions that expect these
fields to be present and fatal() if they aren't, so document them
as "reserved" fields in the PROTOCOL spec as though we always
intended this and let us never speak of it again.

bz#2529, reported by Ron Frederick

Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7
2016-04-08 17:36:29 +10:00
djm@openbsd.org
0ccbd5eca0 upstream commit
don't record duplicate LocalForward and RemoteForward
 entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation
 where the same forwards are added on the second pass through the
 configuration file. bz#2562; ok dtucker@

Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
2016-04-08 14:26:06 +10:00
krw@openbsd.org
574def0eb4 upstream commit
Another use for fcntl() and thus of the superfluous 3rd
 parameter is when sanitising standard fd's before calling daemon().

Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.

ok jca@ beck@

Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
2016-04-08 14:12:18 +10:00
Darren Tucker
b3413534aa Tidy up openssl header test. 2016-04-04 11:09:21 +10:00
Darren Tucker
815bcac0b9 Fix configure-time warnings for openssl test. 2016-04-04 11:07:59 +10:00
djm@openbsd.org
95687f5831 upstream commit
whitespace at EOL

Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
2016-04-01 23:57:14 +11:00
dtucker@openbsd.org
fdfbf4580d upstream commit
Remove fallback from moduli to "primes" file that was
 deprecated in 2001 and fix log messages referring to primes file.  Based on
 patch from xnox at ubuntu.com via bz#2559.  "kill it" deraadt@

Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
2016-04-01 23:57:14 +11:00
djm@openbsd.org
0235a5fa67 upstream commit
UseDNS affects ssh hostname processing in authorized_keys,
 not known_hosts; bz#2554 reported by jjelen AT redhat.com

Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
2016-03-18 04:53:50 +11:00
Darren Tucker
8c4739338f Don't call Solaris setproject() with UsePAM=yes.
When Solaris Projects are enabled along with PAM setting the project
is PAM's responsiblity.  bz#2425, based on patch from
brent.paulson at gmail.com.
2016-03-15 09:24:43 +11:00
Damien Miller
cff26f373c remove slogin from *.spec 2016-03-15 04:30:21 +11:00
djm@openbsd.org
c38905ba39 upstream commit
unbreak authentication using lone certificate keys in
 ssh-agent: when attempting pubkey auth with a certificate, if no separate
 private key is found among the keys then try with the certificate key itself.

bz#2550 reported by Peter Moody

Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
2016-03-15 03:23:46 +11:00
djm@openbsd.org
4b4bfb01cd upstream commit
sanitise characters destined for xauth reported by
 github.com/tintinweb feedback and ok deraadt and markus

Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
2016-03-15 03:23:46 +11:00
Darren Tucker
732b463d37 Pass supported malloc options to connect-privsep.
This allows us to activate only the supported options during the malloc
option portion of the connect-privsep test.
2016-03-14 16:04:23 +11:00
Darren Tucker
d29c5b9b3e Remove leftover roaming.h file.
Pointed out by des at des.no.
2016-03-14 09:30:58 +11:00
Darren Tucker
8ff20ec95f Quote variables that may contain whitespace.
The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to
survive paths containing whitespace.  bz#2551, from Corinna Vinschen via
Philip Hands.
2016-03-14 09:24:03 +11:00
Darren Tucker
627824480c Include priv.h for priv_set_t.
From alex at cooperi.net.
2016-03-11 14:47:41 +11:00
Darren Tucker
e960051f9a Wrap stdint.h inside #ifdef HAVE_STDINT_H. 2016-03-09 13:14:18 +11:00
Darren Tucker
2c48bd344d Add compat to monotime_double().
Apply all of the portability changes in monotime() to monotime() double.
Fixes build on at least older FreeBSD systems.
2016-03-09 12:46:50 +11:00
Damien Miller
7b40ef6c2e make a regress-binaries target
Easier to build all the regression/unit test binaries in one pass
than going through all of ${REGRESS_BINARIES}
2016-03-08 14:12:58 -08:00
Damien Miller
c425494d6b unbreak kexfuzz for -Werror without __bounded__ 2016-03-08 14:03:54 -08:00
Damien Miller
3ed9218c33 unbreak PAM after canohost refactor 2016-03-08 14:01:29 -08:00
Darren Tucker
885fb2a44f auth_get_canonical_hostname in portable code.
"refactor canohost.c" replaced get_canonical_hostname, this makes the
same change to some portable-specific code.
2016-03-08 11:58:43 +11:00
djm@openbsd.org
95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
Damien Miller
af0bb38ffd hook unittests/misc/kexfuzz into build 2016-03-04 15:12:26 +11:00
dtucker@openbsd.org
331b8e07ee upstream commit
Filter debug messages out of log before picking the last
 two lines. Should prevent problems if any more debug output is added late in
 the connection.

Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
2016-03-04 15:12:25 +11:00
djm@openbsd.org
0892edaa3c upstream commit
add KEX fuzzer harness; ok deraadt@

Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1
2016-03-04 15:12:24 +11:00
dtucker@openbsd.org
ae2562c47d upstream commit
Look back 3 lines for possible error messages.  Changes
 to the code mean that "Bad packet length" errors are 3 lines back instead of
 the previous two, which meant we didn't skip some offsets that we intended
 to.

Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684
2016-03-04 15:12:22 +11:00
djm@openbsd.org
988e429d90 upstream commit
fix ClientAliveInterval when a time-based RekeyLimit is
 set; previously keepalive packets were not being sent. bz#2252 report and
 analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@

Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81
2016-03-04 15:12:21 +11:00
dtucker@openbsd.org
8ef04d7a94 upstream commit
Improve accuracy of reported transfer speeds by waiting
 for the ack from the other end.  Pointed out by mmcc@, ok deraadt@ markus@

Upstream-ID: 99f1cf15c9a8f161086b814d414d862795ae153d
2016-03-04 15:12:20 +11:00
dtucker@openbsd.org
b8d4eafe29 upstream commit
Improve precision of progressmeter for sftp and scp by
 storing sub-second timestamps.  Pointed out by mmcc@, ok deraadt@ markus@

Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab
2016-03-04 15:12:19 +11:00
jca@openbsd.org
18f64b969c upstream commit
Print ssize_t with %zd; ok deraadt@ mmcc@

Upstream-ID: 0590313bbb013ff6692298c98f7e0be349d124bd
2016-03-04 15:12:17 +11:00
djm@openbsd.org
6e7f68ce38 upstream commit
rearrange DH public value tests to be a little more clear

rearrange DH private value generation to explain rationale more
clearly and include an extra sanity check.

ok deraadt

Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad
2016-03-04 15:12:16 +11:00
Darren Tucker
2ed17aa340 Import updated moduli file from OpenBSD.
Note that 1.5k bit groups have been removed.
2016-03-01 15:24:20 +11:00
Darren Tucker
72b061d4ba Add a note about using xlc on AIX. 2016-02-26 14:40:04 +11:00
Darren Tucker
fd4e4f2416 Skip PrintLastLog in config dump mode.
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
config dump since it'll be reported as UNKNOWN.
2016-02-24 10:44:25 +11:00
Damien Miller
99135c764f update spec/README versions ahead of release 2016-02-23 20:17:23 +11:00