summaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2020-10-18 12:04:32 +0100
committerColin Watson <cjwatson@debian.org>2020-10-18 12:04:32 +0100
commit2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb (patch)
tree336445493163aa0370cb7830d97ebd8819b2e2c5 /ChangeLog
parent202f5a676221c244cd450086c334c2b59f339e86 (diff)
parent279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29 (diff)
Import openssh_8.4p1.orig.tar.gz
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog3743
1 files changed, 1779 insertions, 1964 deletions
diff --git a/ChangeLog b/ChangeLog
index f283a8b3f..bcaa38f94 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,1675 @@
1commit 9ca7e9c861775dd6c6312bc8aaab687403d24676 1commit 279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29
2Author: Damien Miller <djm@mindrot.org> 2Author: Damien Miller <djm@mindrot.org>
3Date: Wed May 27 10:38:00 2020 +1000 3Date: Sun Sep 27 17:25:01 2020 +1000
4
5 update version numbers
6
7commit 58ca6ab6ff035ed12b5078e3e9c7199fe72c8587
8Author: djm@openbsd.org <djm@openbsd.org>
9Date: Sun Sep 27 07:22:05 2020 +0000
10
11 upstream: openssh 8.4
12
13 OpenBSD-Commit-ID: a29e5b372d2c00e297da8a35a3b87c9beb3b4a58
14
15commit 9bb8a303ce05ff13fb421de991b495930be103c3
16Author: Damien Miller <djm@mindrot.org>
17Date: Tue Sep 22 10:07:43 2020 +1000
18
19 sync with upstream ssh-copy-id rev f0da1a1b7
20
21commit 0a4a5571ada76b1b012bec9cf6ad1203fc19ec8d
22Author: djm@openbsd.org <djm@openbsd.org>
23Date: Mon Sep 21 07:29:09 2020 +0000
24
25 upstream: close stdin when forking after authentication too; ok markus
26
27 OpenBSD-Commit-ID: 43db17e4abc3e6b4a7b033aa8cdab326a7cb6c24
28
29commit d14fe25e6c3b89f8af17e2894046164ac3b45688
30Author: djm@openbsd.org <djm@openbsd.org>
31Date: Sun Sep 20 23:31:46 2020 +0000
32
33 upstream: close stdout/stderr after "ssh -f ..." forking
34
35 bz#3137, ok markus
36
37 OpenBSD-Commit-ID: e2d83cc4dea1665651a7aa924ad1ed6bcaaab3e2
38
39commit 53a33a0d745179c02108589e1722457ca8ae4372
40Author: Damien Miller <djm@mindrot.org>
41Date: Sun Sep 20 15:57:09 2020 +1000
42
43 .depend
44
45commit 107eb3eeafcd390e1fa7cc7672a05e994d14013e
46Author: djm@openbsd.org <djm@openbsd.org>
47Date: Sun Sep 20 05:47:25 2020 +0000
48
49 upstream: cap channel input buffer size at 16MB; avoids high memory use
50
51 when peer advertises a large window but is slow to consume the data we send
52 (e.g. because of a slow network)
53
54 reported by Pierre-Yves David
55
56 fix with & ok markus@
57
58 OpenBSD-Commit-ID: 1452771f5e5e768876d3bfe2544e3866d6ade216
59
60commit acfe2ac5fe033e227ad3a56624fbbe4af8b5da04
61Author: Damien Miller <djm@mindrot.org>
62Date: Fri Sep 18 22:02:53 2020 +1000
63
64 libfido2 1.5.0 is recommended
65
66commit 52a03e9fca2d74eef953ddd4709250f365ca3975
67Author: djm@openbsd.org <djm@openbsd.org>
68Date: Fri Sep 18 08:16:38 2020 +0000
69
70 upstream: handle multiple messages in a single read()
71
72 PR#183 by Dennis Kaarsemaker; feedback and ok markus@
73
74 OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
75
76commit dc098405b2939146e17567a25b08fc6122893cdf
77Author: pedro martelletto <pedro@ambientworks.net>
78Date: Fri Sep 18 08:57:29 2020 +0200
79
80 configure.ac: add missing includes
81
82 when testing, make sure to include the relevant header files that
83 declare the types of the functions used by the test:
84
85 - stdio.h for printf();
86 - stdlib.h for exit();
87 - string.h for strcmp();
88 - unistd.h for unlink(), _exit(), fork(), getppid(), sleep().
89
90commit b3855ff053f5078ec3d3c653cdaedefaa5fc362d
91Author: djm@openbsd.org <djm@openbsd.org>
92Date: Fri Sep 18 05:23:03 2020 +0000
93
94 upstream: tweak the client hostkey preference ordering algorithm to
95
96 prefer the default ordering if the user has a key that matches the
97 best-preference default algorithm.
98
99 feedback and ok markus@
100
101 OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
102
103commit f93b187ab900c7d12875952cc63350fe4de8a0a8
104Author: Damien Miller <djm@mindrot.org>
105Date: Fri Sep 18 14:55:48 2020 +1000
106
107 control over the colours in gnome-ssh-askpass[23]
108
109 Optionally set the textarea colours via $GNOME_SSH_ASKPASS_FG_COLOR and
110 $GNOME_SSH_ASKPASS_BG_COLOR. These accept the usual three or six digit
111 hex colours.
112
113commit 9d3d36bdb10b66abd1af42e8655502487b6ba1fa
114Author: Damien Miller <djm@mindrot.org>
115Date: Fri Sep 18 14:50:38 2020 +1000
116
117 focus improvement for gnome-ssh-askpass[23]
118
119 When serving a SSH_ASKPASS_PROMPT=none information dialog, ensure
120 then <enter> doesn't immediately close the dialog. Instead, require an
121 explicit <tab> to reach the close button, or <esc>.
122
123commit d6f507f37e6c75a899db0ef8224e72797c5563b6
124Author: dtucker@openbsd.org <dtucker@openbsd.org>
125Date: Wed Sep 16 03:07:31 2020 +0000
126
127 upstream: Remove unused buf, last user was removed when switching
128
129 to the sshbuf API. Patch from Sebastian Andrzej Siewior.
130
131 OpenBSD-Commit-ID: 250fa17f0cec01039cc4abd95917d9746e24c889
132
133commit c3c786c3a0973331ee0922b2c51832a3b8d7f20f
134Author: djm@openbsd.org <djm@openbsd.org>
135Date: Wed Sep 9 21:57:27 2020 +0000
136
137 upstream: For the hostkey confirmation message:
138
139 > Are you sure you want to continue connecting (yes/no/[fingerprint])?
140
141 compare the fingerprint case sensitively; spotted Patrik Lundin
142 ok dtucker
143
144 OpenBSD-Commit-ID: 73097afee1b3a5929324e345ba4a4a42347409f2
145
146commit f2950baf0bafe6aa20dfe2e8d1ca4b23528df617
147Author: Darren Tucker <dtucker@dtucker.net>
148Date: Fri Sep 11 14:45:23 2020 +1000
149
150 New config-build-time dependency on automake.
151
152commit 600c1c27abd496372bd0cf83d21a1c119dfdf9a5
153Author: Darren Tucker <dtucker@dtucker.net>
154Date: Sun Sep 6 21:56:36 2020 +1000
155
156 Add aclocal.m4 and config.h.in~ to .gitignore.
157
158 aclocal.m4 is now generated by autoreconf.
159
160commit 4bf7e1d00b1dcd3a6b3239f77465c019e61c6715
161Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
162Date: Sat Sep 5 17:50:03 2020 +0200
163
164 Quote the definition of OSSH_CHECK_HEADER_FOR_FIELD
165
166 autoreconf complains about underquoted definition of
167 OSSH_CHECK_HEADER_FOR_FIELD after aclocal.m4 has been and now is beeing
168 recreated.
169
170 Quote OSSH_CHECK_HEADER_FOR_FIELD as suggested.
171
172 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
173
174commit a2f3ae386b5f7938ed3c565ad71f30c4f7f010f1
175Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
176Date: Sat Sep 5 17:50:02 2020 +0200
177
178 Move the local m4 macros
179
180 The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is
181 present.
182 Move the current aclocal.m4 which contains local macros into the m4/
183 folder. With this change the aclocal.m4 will be re-created during
184 changes to the m4/ macro.
185 This is needed so the `aclocal' can fetch m4 macros from the system if
186 they are references in the configure script. This is a prerequisite to
187 use PKG_CHECK_MODULES.
188
189 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
190
191commit 8372bff3a895b84fd78a81dc39da10928b662f5a
192Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
193Date: Sat Sep 5 17:50:01 2020 +0200
194
195 Remove HAVE_MMAP and BROKEN_MMAP
196
197 BROKEN_MMAP is no longer defined since commit
198 1cfd5c06efb12 ("Remove portability support for mmap")
199
200 this commit also removed other HAVE_MMAP user. I didn't find anything
201 that defines HAVE_MMAP. The check does not trigger because compression
202 on server side is by default COMP_DELAYED (2) so it never triggers.
203
204 Remove remaining HAVE_MMAP and BROKEN_MMAP bits.
205
206 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
207
208commit bbf20ac8065905f9cb9aeb8f1df57fcab52ee2fb
209Author: djm@openbsd.org <djm@openbsd.org>
210Date: Wed Sep 9 03:10:21 2020 +0000
211
212 upstream: adapt to SSH_SK_VERSION_MAJOR crank
213
214 OpenBSD-Regress-ID: 0f3e76bdc8f9dbd9d22707c7bdd86051d5112ab8
215
216commit 9afe2a150893b20bdf9eab764978d817b9a7b783
217Author: dtucker@openbsd.org <dtucker@openbsd.org>
218Date: Fri Aug 28 03:17:13 2020 +0000
219
220 upstream: Ensure that address/mask mismatches are flagged at
221
222 config-check time. ok djm@
223
224 OpenBSD-Regress-ID: 8f5f4c2c0bf00e6ceae7a1755a444666de0ea5c2
225
226commit c76773524179cb654ff838dd43ba1ddb155bafaa
227Author: djm@openbsd.org <djm@openbsd.org>
228Date: Wed Sep 9 03:08:01 2020 +0000
229
230 upstream: when writing an attestation blob for a FIDO key, record all
231
232 the data needed to verify the attestation. Previously we were missing the
233 "authenticator data" that is included in the signature.
234
235 spotted by Ian Haken
236 feedback Pedro Martelletto and Ian Haken; ok markus@
237
238 OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
239
240commit c1c44eeecddf093a7983bd91e70b446de789b363
241Author: pedro martelletto <pedro@ambientworks.net>
242Date: Tue Sep 1 17:01:55 2020 +0200
243
244 configure.ac: fix libfido2 back-compat
245
246 - HAVE_FIDO_CRED_PROD -> HAVE_FIDO_CRED_PROT;
247 - check for fido_dev_get_touch_begin(), so that
248 HAVE_FIDO_DEV_GET_TOUCH_BEGIN gets defined.
249
250commit 785f0f315bf7ac5909e988bb1ac3e019fb5e1594
251Author: djm@openbsd.org <djm@openbsd.org>
252Date: Mon Aug 31 04:33:17 2020 +0000
253
254 upstream: refuse to add verify-required (PINful) FIDO keys to
255
256 ssh-agent until the agent supports them properly
257
258 OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
259
260commit 39e88aeff9c7cb6862b37ad1a87a03ebbb38c233
261Author: djm@openbsd.org <djm@openbsd.org>
262Date: Mon Aug 31 00:17:41 2020 +0000
263
264 upstream: Add RCS IDs to the few files that are missing them; from
265
266 Pedro Martelletto
267
268 OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3
269
270commit 72730249b38a676da94a1366b54a6e96e6928bcb
271Author: dtucker@openbsd.org <dtucker@openbsd.org>
272Date: Fri Aug 28 03:15:52 2020 +0000
273
274 upstream: Check that the addresses supplied to Match Address and
275
276 Match LocalAddress are valid when parsing in config-test mode. This will
277 catch address/mask mismatches before they cause problems at runtime. Found by
278 Daniel Stocker, ok djm@
279
280 OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b
281
282commit 2a3a9822311a565a9df48ed3b6a3c972f462bd7d
283Author: jmc@openbsd.org <jmc@openbsd.org>
284Date: Thu Aug 27 12:34:00 2020 +0000
285
286 upstream: sentence fix; from pedro martelletto
287
288 OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575
289
290commit ce178be0d954b210c958bc2b9e998cd6a7aa73a9
291Author: Damien Miller <djm@mindrot.org>
292Date: Thu Aug 27 20:01:52 2020 +1000
293
294 tweak back-compat for older libfido2
295
296commit d6f45cdde031acdf434bbb27235a1055621915f4
297Author: djm@openbsd.org <djm@openbsd.org>
298Date: Thu Aug 27 09:46:04 2020 +0000
299
300 upstream: debug()-print a little info about FIDO-specific key
301
302 fields via "ssh-keygen -vyf /path/key"
303
304 OpenBSD-Commit-ID: cf315c4fe77db43947d111b00155165cb6b577cf
305
306commit b969072cc3d62d05cb41bc6d6f3c22c764ed932f
307Author: djm@openbsd.org <djm@openbsd.org>
308Date: Thu Aug 27 09:43:28 2020 +0000
309
310 upstream: skip a bit more FIDO token selection logic when only a
311
312 single token is attached.
313
314 with Pedro Martelletto
315
316 OpenBSD-Commit-ID: e4a324bd9814227ec1faa8cb619580e661cca9ac
317
318commit 744df42a129d7d7db26947b7561be32edac89f88
319Author: jmc@openbsd.org <jmc@openbsd.org>
320Date: Thu Aug 27 06:15:22 2020 +0000
321
322 upstream: tweak previous;
323
324 OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7
325
326commit e32479645ce649b444ba5c6e7151304306a09654
327Author: djm@openbsd.org <djm@openbsd.org>
328Date: Thu Aug 27 03:55:22 2020 +0000
329
330 upstream: adapt to API changes
331
332 OpenBSD-Regress-ID: 5f147990cb67094fe554333782ab268a572bb2dd
333
334commit bbcc858ded3fbc46abfa7760e40389e3ca93884c
335Author: Damien Miller <djm@mindrot.org>
336Date: Thu Aug 27 12:37:12 2020 +1000
337
338 degrade semi-gracefully when libfido2 is too old
339
340commit 9cbbdc12cb6a2ab1e9ffe9974cca91d213c185c2
341Author: djm@openbsd.org <djm@openbsd.org>
342Date: Thu Aug 27 01:15:36 2020 +0000
343
344 upstream: dummy firmware needs to match API version numner crank (for
345
346 verify-required resident keys) even though it doesn't implement this feature
347
348 OpenBSD-Regress-ID: 86579ea2891e18e822e204413d011b2ae0e59657
349
350commit c1e76c64956b424ba260fd4eec9970e5b5859039
351Author: djm@openbsd.org <djm@openbsd.org>
352Date: Thu Aug 27 02:11:09 2020 +0000
353
354 upstream: remove unreachable code I forgot to delete in r1.334
355
356 OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18
357
358commit 0caff05350bd5fc635674c9e051a0322faba5ae3
359Author: djm@openbsd.org <djm@openbsd.org>
360Date: Thu Aug 27 01:08:45 2020 +0000
361
362 upstream: Request PIN ahead of time for certain FIDO actions
363
364 When we know that a particular action will require a PIN, such as
365 downloading resident keys or generating a verify-required key, request
366 the PIN before attempting it.
367
368 joint work with Pedro Martelletto; ok markus@
369
370 OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
371
372commit b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0
373Author: djm@openbsd.org <djm@openbsd.org>
374Date: Thu Aug 27 01:08:19 2020 +0000
375
376 upstream: preserve verify-required for resident FIDO keys
377
378 When downloading a resident, verify-required key from a FIDO token,
379 preserve the verify-required in the private key that is written to
380 disk. Previously we weren't doing that because of lack of support
381 in the middleware API.
382
383 from Pedro Martelletto; ok markus@ and myself
384
385 OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
386
387commit 642e06d0df983fa2af85126cf4b23440bb2985bf
388Author: djm@openbsd.org <djm@openbsd.org>
389Date: Thu Aug 27 01:07:51 2020 +0000
390
391 upstream: major rework of FIDO token selection logic
392
393 When PINs are in use and multiple FIDO tokens are attached to a host, we
394 cannot just blast requests at all attached tokens with the PIN specified
395 as this will cause the per-token PIN failure counter to increment. If
396 this retry counter hits the token's limit (usually 3 attempts), then the
397 token will lock itself and render all (web and SSH) of its keys invalid.
398 We don't want this.
399
400 So this reworks the key selection logic for the specific case of
401 multiple keys being attached. When multiple keys are attached and the
402 operation requires a PIN, then the user must touch the key that they
403 wish to use first in order to identify it.
404
405 This may require multiple touches, but only if there are multiple keys
406 attached AND (usually) the operation requires a PIN. The usual case of a
407 single key attached should be unaffected.
408
409 Work by Pedro Martelletto; ok myself and markus@
410
411 OpenBSD-Commit-ID: 637d3049ced61b7a9ee796914bbc4843d999a864
412
413commit 801c9f095e6d8b7b91aefd98f5001c652ea13488
414Author: djm@openbsd.org <djm@openbsd.org>
415Date: Thu Aug 27 01:07:09 2020 +0000
416
417 upstream: support for requiring user verified FIDO keys in sshd
418
419 This adds a "verify-required" authorized_keys flag and a corresponding
420 sshd_config option that tells sshd to require that FIDO keys verify the
421 user identity before completing the signing/authentication attempt.
422 Whether or not user verification was performed is already baked into the
423 signature made on the FIDO token, so this is just plumbing that flag
424 through and adding ways to require it.
425
426 feedback and ok markus@
427
428 OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
429
430commit 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc
431Author: djm@openbsd.org <djm@openbsd.org>
432Date: Thu Aug 27 01:06:18 2020 +0000
433
434 upstream: support for user-verified FIDO keys
435
436 FIDO2 supports a notion of "user verification" where the user is
437 required to demonstrate their identity to the token before particular
438 operations (e.g. signing). Typically this is done by authenticating
439 themselves using a PIN that has been set on the token.
440
441 This adds support for generating and using user verified keys where
442 the verification happens via PIN (other options might be added in the
443 future, but none are in common use now). Practically, this adds
444 another key generation option "verify-required" that yields a key that
445 requires a PIN before each authentication.
446
447 feedback markus@ and Pedro Martelletto; ok markus@
448
449 OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
450
451commit 1196d7f49d4fbc90f37e550de3056561613b0960
452Author: cheloha@openbsd.org <cheloha@openbsd.org>
453Date: Wed Aug 12 01:23:45 2020 +0000
454
455 upstream: ssh-keyscan(1): simplify conloop() with timercmp(3),
456
457 timersub(3); ok djm@
458
459 OpenBSD-Commit-ID: a102acb544f840d33ad73d40088adab4a687fa27
460
461commit d0a195c89e26766d3eb8f3e4e2a00ebc98b57795
462Author: djm@openbsd.org <djm@openbsd.org>
463Date: Tue Aug 11 09:49:57 2020 +0000
464
465 upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
466
467 limit for keys in addition to its current flag options. Time-limited keys
468 will automatically be removed from ssh-agent after their expiry time has
469 passed; ok markus@
470
471 OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
472
473commit e9c2002891a7b8e66f4140557a982978f372e5a3
474Author: djm@openbsd.org <djm@openbsd.org>
475Date: Tue Aug 11 09:45:54 2020 +0000
476
477 upstream: let the "Confirm user presence for key ..." ssh-askpass
478
479 notification respect $SSH_ASKPASS_REQUIRE; ok markus@
480
481 OpenBSD-Commit-ID: 7c1a616b348779bda3b9ad46bf592741f8e206c1
482
483commit eaf8672b1b52db2815a229745f4e4b08681bed6d
484Author: Darren Tucker <dtucker@dtucker.net>
485Date: Fri Aug 21 00:04:13 2020 +1000
486
487 Remove check for 'ent' command.
488
489 It was added in 8d1fd57a9 for measuring entropy of ssh_prng_cmds which
490 has long since been removed and there are no other references to it.
491
492commit 05c215de8d224e094a872d97d45f37f60c06206b
493Author: Darren Tucker <dtucker@dtucker.net>
494Date: Mon Aug 17 21:34:32 2020 +1000
495
496 Wrap stdint.h include in ifdef HAVE_STDINT_H.
497
498commit eaf2765efe8bc74feba85c34295d067637fc6635
499Author: Damien Miller <djm@mindrot.org>
500Date: Mon Aug 10 13:24:09 2020 +1000
501
502 sync memmem.c with OpenBSD
503
504commit ed6bef77f5bb5b8f9ca2914478949e29f2f0a780
505Author: Darren Tucker <dtucker@dtucker.net>
506Date: Fri Aug 7 17:12:16 2020 +1000
507
508 Always send any PAM account messages.
509
510 If the PAM account stack reaturns any messages, send them to the user
511 not just if the check succeeds. bz#2049, ok djm@
512
513commit a09e98dcae1e26f026029b7142b0e0d10130056f
514Author: Darren Tucker <dtucker@dtucker.net>
515Date: Fri Aug 7 15:37:37 2020 +1000
516
517 Output test debug logs on failure.
518
519commit eb122b1eebe58b29a83a507ee814cbcf8aeded1b
520Author: Darren Tucker <dtucker@dtucker.net>
521Date: Fri Aug 7 15:11:42 2020 +1000
522
523 Add ability to specify exact test target.
524
525commit c2ec7a07f8caabb4d8e00c66e7cd46bf2cd1e922
526Author: Darren Tucker <dtucker@dtucker.net>
527Date: Fri Aug 7 14:21:15 2020 +1000
528
529 Document --without-openssl and --without-zlib.
530
531commit 651bb3a31949bbdc3a78b2ede95a77bce0c72984
532Author: Darren Tucker <dtucker@dtucker.net>
533Date: Fri Aug 7 14:15:11 2020 +1000
534
535 Add without-openssl without-zlib test target.
536
537commit 9499f2bb01dc1032ae155999b2d7764b9491341f
538Author: Stefan Schindler <dns2utf8@estada.ch>
539Date: Wed Aug 5 19:00:52 2020 +0200
540
541 Add CI with prepare script
542
543 * Only use heimdal kerberos implementation
544 * Fetch yubico/libfido2 (see: https://github.com/Yubico/libfido2)
545 * Add one target for
546 * all features
547 * each feature alone
548 * no features
549
550commit ea1f649046546a860f68b97ddc3015b7e44346ca
551Author: Damien Miller <djm@mindrot.org>
552Date: Wed Aug 5 08:58:57 2020 +1000
553
554 support NetBSD's utmpx.ut_ss address field
555
556 bz#960, ok dtucker
557
558commit 32c63e75a70a0ed9d6887a55fcb0e4531a6ad617
559Author: Damien Miller <djm@mindrot.org>
560Date: Tue Aug 4 14:59:21 2020 +1000
561
562 wrap a declaration in the same ifdefs as its use
563
564 avoids warnings on NetBSD
565
566commit c9e3be9f4b41fda32a2a0138d54c7a6b563bc94d
567Author: Damien Miller <djm@mindrot.org>
568Date: Tue Aug 4 14:58:46 2020 +1000
569
570 undef TAILQ_CONCAT and friends
571
572 Needed for NetBSD. etc that supply these macros
573
574commit 2d8a3b7e8b0408dfeb933ac5cfd3a58f5bac49af
575Author: djm@openbsd.org <djm@openbsd.org>
576Date: Mon Aug 3 02:53:51 2020 +0000
577
578 upstream: ensure that certificate extensions are lexically sorted.
579
580 Previously if the user specified a custom extension then the everything would
581 be in order except the custom ones. bz3198 ok dtucker markus
582
583 OpenBSD-Commit-ID: d97deb90587b06cb227c66ffebb2d9667bf886f0
584
585commit a8732d74cb8e72f0c6366015687f1e649f60be87
586Author: djm@openbsd.org <djm@openbsd.org>
587Date: Mon Aug 3 02:43:41 2020 +0000
588
589 upstream: allow -A to explicitly enable agent forwarding in scp and
590
591 sftp. The default remains to not forward an agent, even when ssh_config
592 enables it. ok jmc dtucker markus
593
594 OpenBSD-Commit-ID: 36cc526aa3b0f94e4704b8d7b969dd63e8576822
595
596commit ab9105470a83ed5d8197959a1b1f367399958ba1
597Author: deraadt@openbsd.org <deraadt@openbsd.org>
598Date: Mon Aug 3 02:42:49 2020 +0000
599
600 upstream: clang -Wimplicit-fallthrough does not recognise /*
601
602 FALLTHROUGH */ comments, which is the style we currently use, and gives too
603 many boring warnings. ok djm
604
605 OpenBSD-Commit-ID: 07b5031e9f49f2b69ac5e85b8da4fc9e393992a0
606
607commit ced327b9fb78c94d143879ef4b2a02cbc5d38690
608Author: dtucker@openbsd.org <dtucker@openbsd.org>
609Date: Fri Jul 31 04:19:37 2020 +0000
610
611 upstream: Also compare username when checking for JumpHost loops.
612
613 bz#3057, ok djm@
614
615 OpenBSD-Commit-ID: 9bbc1d138adb34c54f3c03a15a91f75dbf418782
616
617commit ae7527010c44b3376b85d036a498f136597b2099
618Author: Darren Tucker <dtucker@dtucker.net>
619Date: Fri Jul 31 15:19:04 2020 +1000
620
621 Remove AC_REVISION.
622
623 It hasn't been useful since we switched to git in 2014. ok djm@
624
625commit 89fc3f414be0ce4e8008332a9739a7d721269e50
626Author: Darren Tucker <dtucker@dtucker.net>
627Date: Tue Jul 28 19:40:30 2020 +1000
628
629 Use argv in OSSH_CHECK_CFLAG_COMPILE test.
630
631 configure.ac is not detecting -Wextra in compilers that implement the
632 option. The problem is that -Wextra implies -Wunused-parameter, and the
633 C excerpt used by aclocal.m4 does not use argv. Patch from pedro at
634 ambientworks.net, ok djm@
635
636commit 62c81ef531b0cc7ff655455dd34f5f0c94f48e82
637Author: Darren Tucker <dtucker@dtucker.net>
638Date: Mon Jul 20 22:12:07 2020 +1000
639
640 Skip ECDSA-SK webauthn test when built w/out ECC
641
642commit 3ec9a6d7317236a9994887d8bd5d246af403a00d
643Author: Damien Miller <djm@mindrot.org>
644Date: Mon Jul 20 13:09:25 2020 +1000
645
646 Add ssh-sk-helper and manpage to RPM spec file
647
648 Based on patch from Fabio Pedretti
649
650commit a2855c048b3f4b17d8787bd3f24232ec0cd79abe
651Author: dtucker@openbsd.org <dtucker@openbsd.org>
652Date: Fri Jul 17 07:09:24 2020 +0000
653
654 upstream: Add %k to the TOKENs for Match Exec for consistency with
655
656 the other keywords that recently got %k.
657
658 OpenBSD-Commit-ID: 1857d1c40f270cbc254fca91e66110641dddcfdb
659
660commit 69860769fa9f4529d8612ec055ae11912f7344cf
661Author: jmc@openbsd.org <jmc@openbsd.org>
662Date: Fri Jul 17 05:59:05 2020 +0000
663
664 upstream: fix macro slip in previous;
665
666 OpenBSD-Commit-ID: 624e47ab209450ad9ad5c69f54fa69244de5ed9a
667
668commit 40649bd0822883b684183854b16d0b8461d5697b
669Author: dtucker@openbsd.org <dtucker@openbsd.org>
670Date: Fri Jul 17 07:10:24 2020 +0000
671
672 upstream: Add test for '%k' (HostKeyAlias) TOKEN.
673
674 OpenBSD-Regress-ID: 8ed1ba1a811790031aad3fcea860a34ad7910456
675
676commit 6736fe680704a3518cb4f3f8f6723b00433bd3dd
677Author: dtucker@openbsd.org <dtucker@openbsd.org>
678Date: Fri Jul 17 03:26:58 2020 +0000
679
680 upstream: Add tests for expansions on UserKnownHostsFile.
681
682 OpenBSD-Regress-ID: bccf8060306c841bbcceb1392644f906a4d6ca51
683
684commit 287dc6396e0f9cb2393f901816dbd7f2a7dfbb5f
685Author: djm@openbsd.org <djm@openbsd.org>
686Date: Fri Jul 17 03:51:32 2020 +0000
687
688 upstream: log error message for process_write() write failures
689
690 OpenBSD-Commit-ID: f733d7b3b05e3c68967dc18dfe39b9e8fad29851
691
692commit 8df5774a42d2eaffe057bd7f293fc6a4b1aa411c
693Author: dtucker@openbsd.org <dtucker@openbsd.org>
694Date: Fri Jul 17 03:43:42 2020 +0000
695
696 upstream: Add a '%k' TOKEN that expands to the effective HostKey of
697
698 the destination. This allows, eg, keeping host keys in individual files
699 using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@
700 (man page bits)
701
702 OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc
703
704commit c4f239944a4351810fd317edf408bdcd5c0102d9
705Author: dtucker@openbsd.org <dtucker@openbsd.org>
706Date: Fri Jul 17 03:23:10 2020 +0000
707
708 upstream: Add %-TOKEN, environment variable and tilde expansion to
709
710 UserKnownHostsFile, allowing the file to be automagically split up in the
711 configuration (eg bz#1654). ok djm@, man page parts jmc@
712
713 OpenBSD-Commit-ID: 7e1b406caf147638bb51558836a72d6cc0bd1b18
714
715commit dbaaa01daedb423c38124a72c471982fb08a16fb
716Author: solene@openbsd.org <solene@openbsd.org>
717Date: Wed Jul 15 07:50:46 2020 +0000
718
719 upstream: - Add [-a rounds] in ssh-keygen man page and usage() -
720
721 Reorder parameters list in the first usage() case - Sentence rewording
722
723 ok dtucker@
724 jmc@ noticed usage() missed -a flag too
725
726 OpenBSD-Commit-ID: f06b9afe91cc96f260b929a56e9930caecbde246
727
728commit 69924a92c3af7b99a7541aa544a2334ec0fb092c
729Author: jmc@openbsd.org <jmc@openbsd.org>
730Date: Wed Jul 15 05:40:05 2020 +0000
731
732 upstream: start sentence with capital letter;
733
734 OpenBSD-Commit-ID: ab06581d51b2b4cc1b4aab781f7f3cfa56cad973
735
736commit 5b56bd0affea7b02b540bdbc4d1d271b0e4fc885
737Author: Damien Miller <djm@mindrot.org>
738Date: Fri Jul 17 13:15:50 2020 +1000
739
740 detect Linux/X32 systems
741
742 This is a frankenstein monster of AMD64 instructions/calling conventions
743 but with a 4GB address space. Allegedly deprecated but people still run
744 into it causing weird sandbox failures, e.g. bz#3085
745
746commit 9c9ddc1391d6af8d09580a2424ab467d0a5df3c7
747Author: dtucker@openbsd.org <dtucker@openbsd.org>
748Date: Wed Jul 15 06:43:16 2020 +0000
749
750 upstream: Fix previous by calling the correct function.
751
752 OpenBSD-Regress-ID: 821cdd1dff9c502cceff4518b6afcb81767cad5a
753
754commit f1a4798941b4372bfe5e46f1c0f8672fe692d9e4
755Author: dtucker@openbsd.org <dtucker@openbsd.org>
756Date: Wed Jul 15 05:36:50 2020 +0000
757
758 upstream: Update test to match recent change in match.c
759
760 OpenBSD-Regress-ID: 965bda1f95f09a765050707340c73ad755f41167
761
762commit d7e71be4fd57b7c7e620d733cdf2333b27bfa924
763Author: Darren Tucker <dtucker@dtucker.net>
764Date: Wed Jul 15 15:30:43 2020 +1000
765
766 Adjust portable code to match changes in 939d787d,
767
768commit fec89f32a84fd0aa1afc81deec80a460cbaf451a
769Author: dtucker@openbsd.org <dtucker@openbsd.org>
770Date: Wed Jul 15 04:27:34 2020 +0000
771
772 upstream: Add default for number of rounds (-a). ok djm@
773
774 OpenBSD-Commit-ID: cb7e9aa04ace01a98e63e4bd77f34a42ab169b15
775
776commit aaa8b609a7b332be836cd9a3b782422254972777
777Author: djm@openbsd.org <djm@openbsd.org>
778Date: Tue Jul 14 23:57:01 2020 +0000
779
780 upstream: allow some additional control over the use of ssh-askpass
781
782 via $SSH_ASKPASS_REQUIRE, including force-enable/disable. bz#69 ok markus@
783
784 OpenBSD-Commit-ID: 3a1e6cbbf6241ddc4405c4246caa2c249f149eb2
785
786commit 6368022cd4dd508671c4999a59ec5826df098530
787Author: deraadt@openbsd.org <deraadt@openbsd.org>
788Date: Tue Jul 7 02:47:21 2020 +0000
789
790 upstream: correct recently broken comments
791
792 OpenBSD-Commit-ID: 964d9a88f7de1d0eedd3f8070b43fb6e426351f1
793
794commit 6d755706a0059eb9e2d63517f288b75cbc3b4701
795Author: djm@openbsd.org <djm@openbsd.org>
796Date: Sun Jul 5 23:59:45 2020 +0000
797
798 upstream: some language improvements; ok markus
799
800 OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
801
802commit b0c1e8384d5e136ebdf895d1434aea7dd8661a1c
803Author: markus@openbsd.org <markus@openbsd.org>
804Date: Fri Jul 3 10:12:26 2020 +0000
805
806 upstream: update setproctitle after re-exec; ok djm
807
808 OpenBSD-Commit-ID: bc92d122f9184ec2a9471ade754b80edd034ce8b
809
810commit cd119a5ec2bf0ed5df4daff3bd14f8f7566dafd3
811Author: markus@openbsd.org <markus@openbsd.org>
812Date: Fri Jul 3 10:11:33 2020 +0000
813
814 upstream: keep ignoring HUP after fork+exec; ok djm
815
816 OpenBSD-Commit-ID: 7679985a84ee5ceb09839905bb6f3ddd568749a2
817
818commit 8af4a743693ccbea3e15fc9e93edbeb610fa94f4
819Author: markus@openbsd.org <markus@openbsd.org>
820Date: Fri Jul 3 10:10:17 2020 +0000
821
822 upstream: don't exit the listener on send_rexec_state errors; ok
823
824 djm
825
826 OpenBSD-Commit-ID: 57cbd757d130d3f45b7d41310b3a15eeec137d5c
827
828commit 03da4c2b70468f04ed1c08518ea0a70e67232739
829Author: dtucker@openbsd.org <dtucker@openbsd.org>
830Date: Wed Jul 15 04:55:47 2020 +0000
831
832 upstream: Use $OBJ to find key files. Fixes test when run on an obj
833
834 directory (on OpenBSD) or out of tree (in Portable).
835
836 OpenBSD-Regress-ID: 938fa8ac86adaa527d64a305bd2135cfbb1c0a17
837
838commit 73f20f195ad18f1cf633eb7d8be95dc1b6111eea
839Author: Darren Tucker <dtucker@dtucker.net>
840Date: Sat Jul 4 23:11:23 2020 +1000
841
842 Wrap stdint.h in ifdef HAVE_STDINT_H.
843
844commit aa6fa4bf3023fa0e5761cd8f4b2cd015d2de74dd
845Author: djm@openbsd.org <djm@openbsd.org>
846Date: Fri Jul 3 07:25:18 2020 +0000
847
848 upstream: put back the mux_ctx memleak fix, but only for channels of
849
850 type SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
851 should not have this structure freed.
852
853 OpenBSD-Commit-ID: f3b213ae60405f77439e2b06262f054760c9d325
854
855commit d8195914eb43b20b13381f4e5a74f9f8a14f0ded
856Author: djm@openbsd.org <djm@openbsd.org>
857Date: Fri Jul 3 07:17:35 2020 +0000
858
859 upstream: revert r1.399 - the lifetime of c->mux_ctx is more complex;
860
861 simply freeing it here causes other problems
862
863 OpenBSD-Commit-ID: c6fee8ca94e2485faa783839541962be2834c5ed
864
865commit 20b5fab9f773b3d3c7f06cb15b8f69a2c081ee80
866Author: djm@openbsd.org <djm@openbsd.org>
867Date: Fri Jul 3 07:02:37 2020 +0000
868
869 upstream: avoid tilde_expand_filename() in expanding ~/.ssh/rc - if
870
871 sshd is in chroot mode, the likely absence of a password database will cause
872 tilde_expand_filename() to fatal; ok dtucker@
873
874 OpenBSD-Commit-ID: e20aee6159e8b79190d18dba1513fc1b7c8b7ee1
875
876commit c8935081db35d73ee6355999142fa0776a2af912
877Author: djm@openbsd.org <djm@openbsd.org>
878Date: Fri Jul 3 06:46:41 2020 +0000
879
880 upstream: when redirecting sshd's log output to a file, undo this
881
882 redirection after the session child process is forked(); ok dtucker@
883
884 OpenBSD-Commit-ID: 6df86dd653c91f5bc8ac1916e7680d9d24690865
885
886commit 183c4aaef944af3a1a909ffa01058c65bac55748
887Author: djm@openbsd.org <djm@openbsd.org>
888Date: Fri Jul 3 06:29:57 2020 +0000
889
890 upstream: start ClientAliveInterval bookkeeping before first pass
891
892 through select() loop; fixed theoretical case where busy sshd may ignore
893 timeouts from client; inspired by and ok dtucker
894
895 OpenBSD-Commit-ID: 96bfc4b1f86c7da313882a84755b2b47eb31957f
896
897commit 6fcfd303d67f16695198cf23d109a988e40eefb6
898Author: Damien Miller <djm@mindrot.org>
899Date: Fri Jul 3 15:28:27 2020 +1000
900
901 add check for fido_cred_set_prot() to configure
902
903commit f11b23346309e4d5138e733a49321aedd6eeaa2f
904Author: dtucker@openbsd.org <dtucker@openbsd.org>
905Date: Fri Jul 3 05:09:06 2020 +0000
906
907 upstream: Only reset the serveralive check when we receive traffic from
908
909 the server and ignore traffic from a port forwarding client, preventing a
910 client from keeping a connection alive when it should be terminated. Based
911 on a patch from jxraynor at gmail.com via openssh-unix-dev and bz#2265, ok
912 djm@
913
914 OpenBSD-Commit-ID: a941a575a5cbc244c0ef5d7abd0422bbf02c2dcd
915
916commit adfdbf1211914b631c038f0867a447db7b519937
917Author: Damien Miller <djm@mindrot.org>
918Date: Fri Jul 3 15:15:15 2020 +1000
919
920 sync sys-queue.h with OpenBSD upstream
921
922 needed for TAILQ_CONCAT
923
924commit 1b90ddde49e2ff377204082b6eb130a096411dc1
925Author: djm@openbsd.org <djm@openbsd.org>
926Date: Fri Jul 3 05:08:41 2020 +0000
927
928 upstream: fix memory leak of mux_ctx; patch from Sergiy Lozovsky
929
930 via bz3189 ok dtucker
931
932 OpenBSD-Commit-ID: db249bd4526fd42d0f4f43f72f7b8b7705253bde
933
934commit 55ef3e9cbd5b336bd0f89205716924886fcf86de
935Author: markus@openbsd.org <markus@openbsd.org>
936Date: Wed Jul 1 16:28:31 2020 +0000
937
938 upstream: free kex in ssh_packet_close; ok djm semarie
939
940 OpenBSD-Commit-ID: dbc181e90d3d32fd97b10d75e68e374270e070a2
941
942commit e1c401109b61f7dbc199b5099933d579e7fc5dc9
943Author: bket@openbsd.org <bket@openbsd.org>
944Date: Sat Jun 27 13:39:09 2020 +0000
945
946 upstream: Replace TAILQ concatenation loops with TAILQ_CONCAT
947
948 OK djm@
949
950 OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef
951
952commit 14beca57ac92d62830c42444c26ba861812dc837
953Author: semarie@openbsd.org <semarie@openbsd.org>
954Date: Fri Jun 26 11:26:01 2020 +0000
955
956 upstream: backout 1.293 fix kex mem-leak in ssh_packet_close at markus
957
958 request
959
960 the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
961 calling ssh_packet_clear_keys())
962
963 OpenBSD-Commit-ID: 9c9a6721411461b0b1c28dc00930d7251a798484
964
965commit 598c3a5e3885080ced0d7c40fde00f1d5cdbb32b
966Author: Damien Miller <djm@mindrot.org>
967Date: Fri Jun 26 16:07:12 2020 +1000
968
969 document a PAM spec problem in a frustrated comment
970
971commit 976c4f86286d52a0cb2aadf4a095d379c0da752e
972Author: djm@openbsd.org <djm@openbsd.org>
973Date: Fri Jun 26 05:42:16 2020 +0000
974
975 upstream: avoid spurious error message when ssh-keygen creates files
976
977 outside ~/.ssh; with dtucker@
978
979 OpenBSD-Commit-ID: ac0c662d44607e00ec78c266ee60752beb1c7e08
980
981commit 32b2502a9dfdfded1ccdc1fd6dc2b3fe41bfc205
982Author: Damien Miller <djm@mindrot.org>
983Date: Fri Jun 26 15:30:06 2020 +1000
984
985 missing ifdef SELINUX; spotted by dtucker
986
987commit e073106f370cdd2679e41f6f55a37b491f0e82fe
988Author: djm@openbsd.org <djm@openbsd.org>
989Date: Fri Jun 26 05:12:21 2020 +0000
990
991 upstream: regress test for ssh-add -d; ok dtucker@
992
993 OpenBSD-Regress-ID: 3a2e044be616afc7dd4f56c100179e83b33d8abf
994
995commit c809daaa1bad6b1c305b0e0b5440360f32546c84
996Author: markus@openbsd.org <markus@openbsd.org>
997Date: Wed Jun 24 15:16:23 2020 +0000
998
999 upstream: add test for mux w/-Oproxy; ok djm
1000
1001 OpenBSD-Regress-ID: 764d5c696e2a259f1316a056e225e50023abb027
1002
1003commit 3d06ff4bbd3dca8054c238d2a94c0da563ef7eee
1004Author: djm@openbsd.org <djm@openbsd.org>
1005Date: Fri Jun 26 05:16:38 2020 +0000
1006
1007 upstream: handle EINTR in waitfd() and timeout_connect() helpers;
1008
1009 bz#3071; ok dtucker@
1010
1011 OpenBSD-Commit-ID: 08fa87be50070bd8b754d9b1ebb1138d7bc9d8ee
1012
1013commit fe2ec0b9c19adeab0cd9f04b8152dc17f31c31e5
1014Author: djm@openbsd.org <djm@openbsd.org>
1015Date: Fri Jun 26 05:04:07 2020 +0000
1016
1017 upstream: allow "ssh-add -d -" to read keys to be deleted from
1018
1019 stdin bz#3180; ok dtucker@
1020
1021 OpenBSD-Commit-ID: 15c7f10289511eb19fce7905c9cae8954e3857ff
1022
1023commit a3e0c376ffc11862fa3568b28188bd12965973e1
1024Author: djm@openbsd.org <djm@openbsd.org>
1025Date: Fri Jun 26 05:03:36 2020 +0000
1026
1027 upstream: constify a few things; ok dtucker (as part of another
1028
1029 diff)
1030
1031 OpenBSD-Commit-ID: 7c17fc987085994d752304bd20b1ae267a9bcdf6
1032
1033commit 74344c3ca42c3f53b00b025daf09ae7f6aa38076
1034Author: dtucker@openbsd.org <dtucker@openbsd.org>
1035Date: Fri Jun 26 05:02:03 2020 +0000
1036
1037 upstream: Defer creation of ~/.ssh by ssh(1) until we attempt to
1038
1039 write to it so we don't leave an empty .ssh directory when it's not needed.
1040 Use the same function to replace the code in ssh-keygen that does the same
1041 thing. bz#3156, ok djm@
1042
1043 OpenBSD-Commit-ID: 59c073b569be1a60f4de36f491a4339bc4ae870f
1044
1045commit c9e24daac6324fcbdba171392c325bf9ccc3c768
1046Author: dtucker@openbsd.org <dtucker@openbsd.org>
1047Date: Fri Jun 26 04:45:11 2020 +0000
1048
1049 upstream: Expand path to ~/.ssh/rc rather than relying on it
1050
1051 being relative to the current directory, so that it'll still be found if the
1052 shell startup changes its directory. Since the path is potentially longer,
1053 make the cmd buffer that uses it dynamically sized. bz#3185, with & ok djm@
1054
1055 OpenBSD-Commit-ID: 36e33ff01497af3dc8226d0c4c1526fc3a1e46bf
1056
1057commit 07f5f369a25e228a7357ef6c57205f191f073d99
1058Author: markus@openbsd.org <markus@openbsd.org>
1059Date: Wed Jun 24 15:12:09 2020 +0000
1060
1061 upstream: fix kex mem-leak in ssh_packet_close; ok djm
1062
1063 OpenBSD-Commit-ID: e2e9533f393620383afd0b68ef435de8d5e8abe4
1064
1065commit e35995088cd6691a712bfd586bae8084a3a922ba
1066Author: markus@openbsd.org <markus@openbsd.org>
1067Date: Wed Jun 24 15:10:38 2020 +0000
1068
1069 upstream: fix ssh -O proxy w/mux which got broken by no longer
1070
1071 making ssh->kex optional in packet.c revision 1.278 ok djm@
1072
1073 OpenBSD-Commit-ID: 2b65df04a064c2c6277359921d2320c90ab7d917
1074
1075commit 250246fef22b87a54a63211c60a2def9be431fbd
1076Author: markus@openbsd.org <markus@openbsd.org>
1077Date: Wed Jun 24 15:09:53 2020 +0000
1078
1079 upstream: support loading big sshd_config files w/o realloc; ok
1080
1081 djm
1082
1083 OpenBSD-Commit-ID: ba9238e810074ac907f0cf8cee1737ac04983171
1084
1085commit 89b54900ac61986760452f132bbe3fb7249cfdac
1086Author: markus@openbsd.org <markus@openbsd.org>
1087Date: Wed Jun 24 15:08:53 2020 +0000
1088
1089 upstream: allow sshd_config longer than 256k; ok djm
1090
1091 OpenBSD-Commit-ID: 83f40dd5457a64c1d3928eb4364461b22766beb3
1092
1093commit e3fa6249e6d9ceb57c14b04dd4c0cfab12fa7cd5
1094Author: markus@openbsd.org <markus@openbsd.org>
1095Date: Wed Jun 24 15:07:33 2020 +0000
1096
1097 upstream: only call sshkey_xmss_init() once for KEY_XMSS_CERT; ok
1098
1099 djm
1100
1101 OpenBSD-Commit-ID: d0002ffb7f20f538b014d1d0735facd5a81ff096
1102
1103commit 37f2da069c0619f2947fb92785051d82882876d7
1104Author: djm@openbsd.org <djm@openbsd.org>
1105Date: Mon Jun 22 23:44:27 2020 +0000
1106
1107 upstream: some clarifying comments
1108
1109 OpenBSD-Commit-ID: 5268479000fd97bfa30ab819f3517139daa054a2
1110
1111commit b659319a5bc9e8adf3c4facc51f37b670d2a7426
1112Author: jmc@openbsd.org <jmc@openbsd.org>
1113Date: Mon Jun 22 06:37:38 2020 +0000
1114
1115 upstream: updated argument name for -P in first synopsis was
1116
1117 missed in previous;
1118
1119 OpenBSD-Commit-ID: 8d84dc3050469884ea91e29ee06a371713f2d0b7
1120
1121commit 02a9222cbce7131d639984c2f6c71d1551fc3333
1122Author: jmc@openbsd.org <jmc@openbsd.org>
1123Date: Mon Jun 22 06:36:40 2020 +0000
1124
1125 upstream: supply word missing in previous;
1126
1127 OpenBSD-Commit-ID: 16a38b049f216108f66c8b699aa046063381bd23
1128
1129commit 5098b3b6230852a80ac6cef5d53a785c789a5a56
1130Author: Damien Miller <djm@mindrot.org>
1131Date: Mon Jun 22 16:54:02 2020 +1000
1132
1133 missing files for webauthn/sshsig unit test
1134
1135commit 354535ff79380237924ac8fdc98f8cdf83e67da6
1136Author: djm@openbsd.org <djm@openbsd.org>
1137Date: Mon Jun 22 06:00:06 2020 +0000
1138
1139 upstream: add support for verification of webauthn sshsig signature,
1140
1141 and example HTML/JS to generate webauthn signatures in SSH formats (also used
1142 to generate the testdata/* for the test).
1143
1144 OpenBSD-Regress-ID: dc575be5bb1796fdf4b8aaee0ef52a6671a0f6fb
1145
1146commit bb52e70fa5330070ec9a23069c311d9e277bbd6f
1147Author: djm@openbsd.org <djm@openbsd.org>
1148Date: Mon Jun 22 05:58:35 2020 +0000
1149
1150 upstream: Add support for FIDO webauthn (verification only).
1151
1152 webauthn is a standard for using FIDO keys in web browsers. webauthn
1153 signatures are a slightly different format to plain FIDO signatures - this
1154 support allows verification of these. Feedback and ok markus@
1155
1156 OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
1157
1158commit 64bc121097f377142f1387ffb2df7592c49935af
1159Author: djm@openbsd.org <djm@openbsd.org>
1160Date: Mon Jun 22 05:56:23 2020 +0000
1161
1162 upstream: refactor ECDSA-SK verification a little ahead of adding
1163
1164 support for FIDO webauthn signature verification support; ok markus@
1165
1166 OpenBSD-Commit-ID: c9f478fd8e0c1bd17e511ce8694f010d8e32043e
1167
1168commit 12848191f8fe725af4485d3600e0842d92f8637f
1169Author: djm@openbsd.org <djm@openbsd.org>
1170Date: Mon Jun 22 05:54:10 2020 +0000
1171
1172 upstream: support for RFC4648 base64url encoding; ok markus
1173
1174 OpenBSD-Commit-ID: 0ef22c55e772dda05c112c88412c0797fec66eb4
1175
1176commit 473b4af43db12127137c7fc1a10928313f5a16d2
1177Author: djm@openbsd.org <djm@openbsd.org>
1178Date: Mon Jun 22 05:53:26 2020 +0000
1179
1180 upstream: better terminology for permissions; feedback & ok markus@
1181
1182 OpenBSD-Commit-ID: ff2a71803b5ea57b83cc3fa9b3be42b70e462fb9
1183
1184commit fc270baf264248c3ee3050b13a6c8c0919e6559f
1185Author: djm@openbsd.org <djm@openbsd.org>
1186Date: Mon Jun 22 05:52:05 2020 +0000
1187
1188 upstream: better terminology for permissions; feedback & ok markus@
1189
1190 OpenBSD-Commit-ID: ffb220b435610741dcb4de0e7fc68cbbdc876d2c
1191
1192commit 00531bb42f1af17ddabea59c3d9c4b0629000d27
1193Author: dtucker@openbsd.org <dtucker@openbsd.org>
1194Date: Fri Jun 19 07:21:42 2020 +0000
1195
1196 upstream: Correct synopsis and usage for the options accepted when
1197
1198 passing a command to ssh-agent. ok jmc@
1199
1200 OpenBSD-Commit-ID: b36f0679cb0cac0e33b361051b3406ade82ea846
1201
1202commit b4556c8ad7177e379f0b60305a0cd70f12180e7c
1203Author: Darren Tucker <dtucker@dtucker.net>
1204Date: Fri Jun 19 19:22:00 2020 +1000
1205
1206 Add OPENBSD ORIGINAL marker to bcrypt_pbkdf.
1207
1208commit 1babb8bb14c423011ca34c2f563bb1c51c8fbf1d
1209Author: Darren Tucker <dtucker@dtucker.net>
1210Date: Fri Jun 19 19:10:47 2020 +1000
1211
1212 Extra brackets around sizeof() in bcrypt.
1213
1214 Prevents following warning from clang 10:
1215 bcrypt_pbkdf.c:94:40: error: expression does not compute the number of
1216 elements in this array; element type is ´uint32_tÂ[...]
1217 place parentheses around the ´sizeof(uint64_t)´ expression to
1218 silence this warning
1219
1220commit 9e065729592633290e5ddb6852792913b2286545
1221Author: Darren Tucker <dtucker@dtucker.net>
1222Date: Fri Jun 19 18:47:56 2020 +1000
1223
1224 Add includes.h to new test.
1225
1226 Fixes warnings eg "´bounded´ attribute directive ignor" from gcc.
1227
1228commit e684b1ea365e070433f282a3c1dabc3e2311ce49
1229Author: Darren Tucker <dtucker@dtucker.net>
1230Date: Fri Jun 19 18:38:39 2020 +1000
1231
1232 Skip OpenSSL specific tests w/out OpenSSL.
1233
1234 Allows unit tests to pass when configure'ed --without-openssl.
1235
1236commit 80610e97a76407ca982e62fd051c9be03622fe7b
1237Author: Darren Tucker <dtucker@dtucker.net>
1238Date: Fri Jun 19 17:15:27 2020 +1000
1239
1240 Hook sshsig tests up to Portable Makefiles.
1241
1242commit 5dba1fcabacaab46693338ec829b42a1293d1f52
1243Author: dtucker@openbsd.org <dtucker@openbsd.org>
1244Date: Fri Jun 19 05:07:09 2020 +0000
1245
1246 upstream: Test that ssh-agent exits when running as as subprocess
1247
1248 of a specified command (ie "ssh-agent command"). Would have caught bz#3181.
1249
1250 OpenBSD-Regress-ID: 895b4765ba5153eefaea3160a7fe08ac0b6db8b3
1251
1252commit 68e8294f6b04f9590ea227e63d3e129398a49e27
1253Author: djm@openbsd.org <djm@openbsd.org>
1254Date: Fri Jun 19 04:34:21 2020 +0000
1255
1256 upstream: run sshsig unit tests
1257
1258 OpenBSD-Regress-ID: 706ef17e2b545b64873626e0e35553da7c06052a
1259
1260commit 5edfa1690e9a75048971fd8775f7c16d153779db
1261Author: djm@openbsd.org <djm@openbsd.org>
1262Date: Fri Jun 19 04:32:09 2020 +0000
1263
1264 upstream: basic unit test for sshsig.[ch], including FIDO keys
1265
1266 verification only so far
1267
1268 OpenBSD-Regress-ID: fb1f946c8fc59206bc6a6666e577b5d5d7e45896
1269
1270commit e95c0a0e964827722d29b4bc00d5c0ff4afe0ed2
1271Author: djm@openbsd.org <djm@openbsd.org>
1272Date: Fri Jun 19 03:48:49 2020 +0000
1273
1274 upstream: basic unit test for FIDO kep parsing
1275
1276 OpenBSD-Regress-ID: 8089b88393dd916d7c95422b442a6fd4cfe00c82
1277
1278commit 7775819c6de3e9547ac57b87c7dd2bfd28cefcc5
1279Author: djm@openbsd.org <djm@openbsd.org>
1280Date: Thu Jun 18 23:34:19 2020 +0000
1281
1282 upstream: check public host key matches private; ok markus@ (as
1283
1284 part of previous diff)
1285
1286 OpenBSD-Commit-ID: 65a4f66436028748b59fb88b264cb8c94ce2ba63
1287
1288commit c514f3c0522855b4d548286eaa113e209051a6d2
1289Author: djm@openbsd.org <djm@openbsd.org>
1290Date: Thu Jun 18 23:33:38 2020 +0000
1291
1292 upstream: avoid spurious "Unable to load host key" message when
1293
1294 sshd can load a private key but no public counterpart; with & ok markus@
1295
1296 OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
1297
1298commit 7fafaeb5da365f4a408fec355dac04a774f27193
1299Author: djm@openbsd.org <djm@openbsd.org>
1300Date: Fri Jun 12 05:26:37 2020 +0000
1301
1302 upstream: correct RFC number; from HARUYAMA Seigo via GH PR191
1303
1304 OpenBSD-Commit-ID: 8d03b6c96ca98bfbc23d3754c3c33e1fe0852e10
1305
1306commit 3a7f654d5bcb20df24a134b6581b0d235da4564a
1307Author: djm@openbsd.org <djm@openbsd.org>
1308Date: Fri Jun 5 06:18:07 2020 +0000
1309
1310 upstream: unbreak "sshd -ddd" - close of config passing fd happened too
1311
1312 early. ok markus@
1313
1314 OpenBSD-Commit-ID: 49346e945c6447aca3e904e65fc400128d2f8ed0
1315
1316commit 3de02be39e5c0c2208d9682a3844991651620fcc
1317Author: Andreas Schwab <schwab@suse.de>
1318Date: Mon May 25 11:10:44 2020 +0200
1319
1320 Add support for AUDIT_ARCH_RISCV64
1321
1322commit ea547eb0329c2f8da77a4ac05f6c330bd49bdaab
1323Author: djm@openbsd.org <djm@openbsd.org>
1324Date: Fri Jun 5 03:25:35 2020 +0000
1325
1326 upstream: make sshbuf_putb(b, NULL) a no-op
1327
1328 OpenBSD-Commit-ID: 976fdc99b500e347023d430df372f31c1dd128f7
1329
1330commit 69796297c812640415c6cea074ea61afc899cbaa
1331Author: djm@openbsd.org <djm@openbsd.org>
1332Date: Fri Jun 5 03:24:36 2020 +0000
1333
1334 upstream: make sshbuf_dump() args const
1335
1336 OpenBSD-Commit-ID: b4a5accae750875d665b862504169769bcf663bd
1337
1338commit 670428895739d1f79894bdb2457891c3afa60a59
1339Author: djm@openbsd.org <djm@openbsd.org>
1340Date: Fri Jun 5 03:24:16 2020 +0000
1341
1342 upstream: wrap long line
1343
1344 OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2
1345
1346commit 2f648cf222882719040906722b3593b01df4ad1a
1347Author: dtucker@openbsd.org <dtucker@openbsd.org>
1348Date: Fri Jun 5 03:15:26 2020 +0000
1349
1350 upstream: Correct historical comment: provos@ modified OpenSSH to
1351
1352 work with SSLeay (very quickly replaced by OpenSSL) not SSL in general. ok
1353 deraadt, historical context markus@
1354
1355 OpenBSD-Commit-ID: 7209e07a2984b50411ed8ca5a4932da5030d2b90
1356
1357commit 56548e4efcc3e3e8093c2eba30c75b23e561b172
1358Author: dtucker@openbsd.org <dtucker@openbsd.org>
1359Date: Wed Jun 3 08:23:18 2020 +0000
1360
1361 upstream: Import regenerated moduli file.
1362
1363 OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54
1364
1365commit 8da801f585dd9c534c0cbe487a3b1648036bf2fb
1366Author: Darren Tucker <dtucker@dtucker.net>
1367Date: Fri Jun 5 13:20:10 2020 +1000
1368
1369 Test fallthrough in OSSH_CHECK_CFLAG_COMPILE.
1370
1371 clang 10's -Wimplicit-fallthrough does not understand /* FALLTHROUGH */
1372 comments and we don't use the __attribute__((fallthrough)) that it's
1373 looking for. This has the effect of turning off -Wimplicit-fallthrough
1374 where it does not currently help (particularly with -Werror). ok djm@
1375
1376commit 049297de975b92adcc2db77e3fb7046c0e3c695d
1377Author: dtucker@openbsd.org <dtucker@openbsd.org>
1378Date: Wed Jun 3 08:23:18 2020 +0000
1379
1380 upstream: Import regenerated moduli file.
1381
1382 OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54
1383
1384commit b458423a38a3140ac022ffcffcb332609faccfe3
1385Author: dtucker@openbsd.org <dtucker@openbsd.org>
1386Date: Mon Jun 1 07:11:38 2020 +0000
1387
1388 upstream: Remove now-unused proto_spec and associated definitions.
1389
1390 ok djm@
1391
1392 OpenBSD-Commit-ID: 2e2b18e3aa6ee22a7b69c39f2d3bd679ec35c362
1393
1394commit 5ad3c3a33ef038b55a14ebd31faeeec46073db2c
1395Author: millert@openbsd.org <millert@openbsd.org>
1396Date: Fri May 29 21:22:02 2020 +0000
1397
1398 upstream: Fix error message on close(2) and add printf format
1399
1400 attributes. From Christos Zoulas, OK markus@
1401
1402 OpenBSD-Commit-ID: 41523c999a9e3561fcc7082fd38ea2e0629ee07e
1403
1404commit 712ac1efb687a945a89db6aa3e998c1a17b38653
1405Author: dtucker@openbsd.org <dtucker@openbsd.org>
1406Date: Fri May 29 11:17:56 2020 +0000
1407
1408 upstream: Make dollar_expand variadic and pass a real va_list to
1409
1410 vdollar_percent_expand. Fixes build error on arm64 spotted by otto@.
1411
1412 OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a20f3d068a7279
1413
1414commit 837ffa9699a9cba47ae7921d2876afaccc027133
1415Author: Darren Tucker <dtucker@dtucker.net>
1416Date: Fri May 29 20:39:00 2020 +1000
1417
1418 Omit ToS setting if we don't have IPV6_TCLASS too.
1419
1420 Fixes tests on old BSDs.
1421
1422commit f85b118d2150847cc333895296bc230e367be6b5
1423Author: dtucker@openbsd.org <dtucker@openbsd.org>
1424Date: Fri May 29 09:02:44 2020 +0000
1425
1426 upstream: Pass a NULL instead of zeroed out va_list from
1427
1428 dollar_expand. The original intent was in case there's some platform where
1429 va_list is not a pointer equivalent, but on i386 this chokes on the memset.
1430 This unbreaks that build, but will require further consideration.
1431
1432 OpenBSD-Commit-ID: 7b90afcd8e1137a1d863204060052aef415baaf7
1433
1434commit ec1d50b01c84ff667240ed525f669454c4ebc8e9
1435Author: jmc@openbsd.org <jmc@openbsd.org>
1436Date: Fri May 29 05:48:39 2020 +0000
1437
1438 upstream: remove a stray .El;
1439
1440 OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c
1441
1442commit 058674a62ffe33f01d871d46e624bc2a2c22d91f
1443Author: dtucker@openbsd.org <dtucker@openbsd.org>
1444Date: Fri May 29 04:32:26 2020 +0000
1445
1446 upstream: Add regression and unit tests for ${ENV} style
1447
1448 environment variable expansion in various keywords (bz#3140). ok djm@
1449
1450 OpenBSD-Regress-ID: 4d9ceb95d89365b7b674bc26cf064c15a5bbb197
1451
1452commit 0b15892fc47d6840eba1291a6be9be1a70bc8972
1453Author: dtucker@openbsd.org <dtucker@openbsd.org>
1454Date: Fri May 29 01:21:35 2020 +0000
1455
1456 upstream: Unit test for convtime. ok djm@
1457
1458 OpenBSD-Regress-ID: cec4239efa2fc4c7062064f07a847e1cbdbcd5dd
1459
1460commit 188e332d1c8f9f24e5b6659e9680bf083f837df9
1461Author: djm@openbsd.org <djm@openbsd.org>
1462Date: Fri May 29 05:37:03 2020 +0000
1463
1464 upstream: mention that wildcards are processed in lexical order;
1465
1466 bz#3165
1467
1468 OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
1469
1470commit 4a1b46e6d032608b7ec00ae51c4e25b82f460b05
1471Author: dtucker@openbsd.org <dtucker@openbsd.org>
1472Date: Fri May 29 04:25:40 2020 +0000
1473
1474 upstream: Allow some keywords to expand shell-style ${ENV}
1475
1476 environment variables on the client side. The supported keywords are
1477 CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
1478 LocalForward and RemoteForward when used for Unix domain socket paths. This
1479 would for example allow forwarding of Unix domain socket paths that change at
1480 runtime. bz#3140, ok djm@
1481
1482 OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
1483
1484commit c9bab1d3a9e183cef3a3412f57880a0374cc8cb2
1485Author: Damien Miller <djm@mindrot.org>
1486Date: Fri May 29 14:49:16 2020 +1000
4 1487
5 depend 1488 depend
6 1489
7commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1 1490commit 0b0d219313bf9239ca043f20b1a095db0245588f
1491Author: sobrado <sobrado@openbsd.org>
1492Date: Thu Sep 3 23:06:28 2015 +0000
1493
1494 partial sync of regress/netcat.c with upstream
1495
1496 synchronize synopsis and usage.
1497
1498commit 0f04c8467f589f85a523e19fd684c4f6c4ed9482
1499Author: chl <chl@openbsd.org>
1500Date: Sun Jul 26 19:12:28 2015 +0000
1501
1502 partial sync of regress/netcat.c with upstream
1503
1504 remove unused variable
1505
1506 ok tedu@
1507
1508commit d6a81050ace2630b06c3c6dd39bb4eef5d1043f8
1509Author: tobias <tobias@openbsd.org>
1510Date: Thu Mar 26 21:22:50 2015 +0000
1511
1512 partial sync of regress/netcat.c with upstream
1513
1514 The code in socks.c writes multiple times in a row to a socket. If the socket becomes invalid between these calls (e.g. connection closed), write will throw SIGPIPE. With this patch, SIGPIPE is ignored so we can handle write's -1 return value (errno will be EPIPE). Ultimately, it leads to program exit, too -- but with nicer error message. :)
1515
1516 with input by and ok djm
1517
1518commit bf3893dddd35e16def04bf48ed2ee1ad695b8f82
1519Author: tobias <tobias@openbsd.org>
1520Date: Thu Mar 26 10:36:03 2015 +0000
1521
1522 partial sync of regress/netcat.c with upstream
1523
1524 Check for short writes in fdpass(). Clean up while at it.
1525
1526 ok djm
1527
1528commit e18435fec124b4c08eb6bbbbee9693dc04f4befb
1529Author: jca <jca@openbsd.org>
1530Date: Sat Feb 14 22:40:22 2015 +0000
1531
1532 partial sync of regress/netcat.c with upstream
1533
1534 Support for nc -T on IPv6 addresses.
1535
1536 ok sthen@
1537
1538commit 4c607244054a036ad3b2449a6cb4c15feb846a76
1539Author: djm@openbsd.org <djm@openbsd.org>
1540Date: Fri May 29 03:14:02 2020 +0000
1541
1542 upstream: fix compilation on !HAVE_DLOPEN platforms; stub function
1543
1544 was not updated to match API change. From Dale Rahn via beck@ ok markus@
1545
1546 OpenBSD-Commit-ID: 2b8d054afe34c9ac85e417dae702ef981917b836
1547
1548commit 224418cf55611869a4ace1b8b07bba0dff77a9c3
1549Author: djm@openbsd.org <djm@openbsd.org>
1550Date: Fri May 29 03:11:54 2020 +0000
1551
1552 upstream: fix exit status for downloading of FIDO resident keys;
1553
1554 from Pedro Martelletto, ok markus@
1555
1556 OpenBSD-Commit-ID: 0da77dc24a1084798eedd83c39a002a9d231faef
1557
1558commit 1001dd148ed7c57bccf56afb40cb77482ea343a6
1559Author: dtucker@openbsd.org <dtucker@openbsd.org>
1560Date: Fri May 29 01:20:46 2020 +0000
1561
1562 upstream: Fix multiplier in convtime when handling seconds after
1563
1564 other units. bz#3171, spotted by ronf at timeheart.net, ok djm@.
1565
1566 OpenBSD-Commit-ID: 95b7a848e1083974a65fbb6ccb381d438e1dd5be
1567
1568commit 7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01
1569Author: djm@openbsd.org <djm@openbsd.org>
1570Date: Wed May 27 22:37:53 2020 +0000
1571
1572 upstream: fix Include before Match in sshd_config; bz#3122 patch
1573
1574 from Jakub Jelen
1575
1576 OpenBSD-Commit-ID: 1b0aaf135fe6732b5d326946042665dd3beba5f4
1577
1578commit 0a9a611619b0a1fecd0195ec86a9885f5d681c84
1579Author: djm@openbsd.org <djm@openbsd.org>
1580Date: Wed May 27 21:59:11 2020 +0000
1581
1582 upstream: Do not call process_queued_listen_addrs() for every
1583
1584 included file from sshd_config; patch from Jakub Jelen
1585
1586 OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
1587
1588commit 16ea1fdbe736648f79a827219134331f8d9844fb
1589Author: djm@openbsd.org <djm@openbsd.org>
1590Date: Wed May 27 21:25:18 2020 +0000
1591
1592 upstream: fix crash in recallocarray when deleting SendEnv
1593
1594 variables; spotted by & ok sthen@
1595
1596 OpenBSD-Commit-ID: b881e8e849edeec5082b5c0a87d8d7cff091a8fd
1597
1598commit 47adfdc07f4f8ea0064a1495500244de08d311ed
1599Author: djm@openbsd.org <djm@openbsd.org>
1600Date: Wed May 27 22:35:19 2020 +0000
1601
1602 upstream: two new tests for Include in sshd_config, checking whether
1603
1604 Port directives are processed correctly and handling of Include directives
1605 that appear before Match. Both tests currently fail. bz#3122 and bz#3169 -
1606 patch from Jakub Jelen
1607
1608 OpenBSD-Regress-ID: 8ad5a4a385a63f0a1c59c59c763ff029b45715df
1609
1610commit 47faad8f794516c33864d866aa1b55d88416f94c
1611Author: Darren Tucker <dtucker@dtucker.net>
1612Date: Wed May 27 23:26:23 2020 +1000
1613
1614 Document that libfido2 >= 1.4.0 is needed.
1615
1616commit 4be563994c0cbe9856e7dd3078909f41beae4a9c
1617Author: djm@openbsd.org <djm@openbsd.org>
1618Date: Tue May 26 01:59:46 2020 +0000
1619
1620 upstream: fix memleak of signature; from Pedro Martelletto
1621
1622 OpenBSD-Commit-ID: d0a6eb07e77c001427d738b220dd024ddc64b2bb
1623
1624commit 0c111eb84efba7c2a38b2cc3278901a0123161b9
1625Author: djm@openbsd.org <djm@openbsd.org>
1626Date: Tue May 26 01:26:58 2020 +0000
1627
1628 upstream: Restrict ssh-agent from signing web challenges for FIDO
1629
1630 keys.
1631
1632 When signing messages in ssh-agent using a FIDO key that has an
1633 application string that does not start with "ssh:", ensure that the
1634 message being signed is one of the forms expected for the SSH protocol
1635 (currently pubkey authentication and sshsig signatures).
1636
1637 This prevents ssh-agent forwarding on a host that has FIDO keys
1638 attached granting the ability for the remote side to sign challenges
1639 for web authentication using those keys too.
1640
1641 Note that the converse case of web browsers signing SSH challenges is
1642 already precluded because no web RP can have the "ssh:" prefix in the
1643 application string that we require.
1644
1645 ok markus@
1646
1647 OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
1648
1649commit 9c5f64b6cb3a68b99915202d318b842c6c76cf14
1650Author: djm@openbsd.org <djm@openbsd.org>
1651Date: Tue May 26 01:09:05 2020 +0000
1652
1653 upstream: improve logging for MaxStartups connection throttling:
1654
1655 have sshd log when it starts and stops throttling and periodically while in
1656 this state. bz#3055 ok markus@
1657
1658 OpenBSD-Commit-ID: 2e07a09a62ab45d790d3d2d714f8cc09a9ac7ab9
1659
1660commit 756c6f66aee83a5862a6f936a316f761532f3320
1661Author: djm@openbsd.org <djm@openbsd.org>
1662Date: Tue May 26 01:06:52 2020 +0000
1663
1664 upstream: add fmt_timeframe() (from bgpd) to format a time
1665
1666 interval in a human- friendly format. Switch copyright for this file from BSD
1667 to MIT to make it easier to add Henning's copyright for this function. ok
1668 markus@
1669
1670 OpenBSD-Commit-ID: 414a831c662df7e68893e5233e86f2cac081ccf9
1671
1672commit 2a63ce5cd6d0e782783bf721462239b03757dd49
8Author: djm@openbsd.org <djm@openbsd.org> 1673Author: djm@openbsd.org <djm@openbsd.org>
9Date: Mon May 18 04:29:35 2020 +0000 1674Date: Mon May 18 04:29:35 2020 +0000
10 1675
@@ -12,6 +1677,117 @@ Date: Mon May 18 04:29:35 2020 +0000
12 1677
13 OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721 1678 OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721
14 1679
1680commit 4b307faf2fb0e63e51a550b37652f7f972df9676
1681Author: markus@openbsd.org <markus@openbsd.org>
1682Date: Fri May 15 08:34:03 2020 +0000
1683
1684 upstream: sshd listener must not block if reexecd sshd exits
1685
1686 in write(2) on config_s[0] if the forked child exits early before finishing
1687 recv_rexec_state (e.g. with fatal()) because config_s[1] stays open in the
1688 parent. this prevents the parent from accepting new connections. ok djm,
1689 deraadt
1690
1691 OpenBSD-Commit-ID: 92ccfeb939ccd55bda914dc3fe84582158c4a9ef
1692
1693commit af8b16fb2cce880341c0ee570ceb0d84104bdcc0
1694Author: djm@openbsd.org <djm@openbsd.org>
1695Date: Fri May 15 03:57:33 2020 +0000
1696
1697 upstream: fix off-by-one error that caused sftp downloads to make
1698
1699 one more concurrent request that desired. This prevented using sftp(1) in
1700 unpipelined request/response mode, which is useful when debugging. Patch from
1701 Stephen Goetze in bz#3054
1702
1703 OpenBSD-Commit-ID: 41b394ebe57037dbc43bdd0eef21ff0511191f28
1704
1705commit d7d753e2979f2d3c904b03a08d30856cd2a6e892
1706Author: deraadt@openbsd.org <deraadt@openbsd.org>
1707Date: Wed May 13 22:38:41 2020 +0000
1708
1709 upstream: we are still aiming for pre-C99 ...
1710
1711 OpenBSD-Commit-ID: a240fc9cbe60bc4e6c3d24d022eb4ab01fe1cb38
1712
1713commit 2ad7b7e46408dbebf2a4efc4efd75a9544197d57
1714Author: djm@openbsd.org <djm@openbsd.org>
1715Date: Wed May 13 10:08:02 2020 +0000
1716
1717 upstream: Enable credProtect extension when generating a resident
1718
1719 key.
1720
1721 The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect"
1722 feature to better protect resident keys. This option allows (amone other
1723 possibilities) requiring a PIN prior to all operations that may retrieve
1724 the key handle.
1725
1726 Patch by Pedro Martelletto; ok djm and markus
1727
1728 OpenBSD-Commit-ID: 013bc06a577dcaa66be3913b7f183eb8cad87e73
1729
1730commit 1e70dc3285fc9b4f6454975acb81e8702c23dd89
1731Author: djm@openbsd.org <djm@openbsd.org>
1732Date: Wed May 13 09:57:17 2020 +0000
1733
1734 upstream: always call fido_init(); previous behaviour only called
1735
1736 fido_init() when SK_DEBUG was defined. Harmless with current libfido2, but
1737 this isn't guaranteed in the future.
1738
1739 OpenBSD-Commit-ID: c7ea20ff2bcd98dd12015d748d3672d4f01f0864
1740
1741commit f2d84f1b3fa68d77c99238d4c645d0266fae2a74
1742Author: djm@openbsd.org <djm@openbsd.org>
1743Date: Wed May 13 09:55:57 2020 +0000
1744
1745 upstream: preserve group/world read permission on known_hosts
1746
1747 file across runs of "ssh-keygen -Rf /path". The old behaviour was to remove
1748 all rights for group/other. bz#3146 ok dtucker@
1749
1750 OpenBSD-Commit-ID: dc369d0e0b5dd826430c63fd5f4b269953448a8a
1751
1752commit 05a651400da6fbe12296c34e3d3bcf09f034fbbf
1753Author: djm@openbsd.org <djm@openbsd.org>
1754Date: Wed May 13 09:52:41 2020 +0000
1755
1756 upstream: when ordering the hostkey algorithms to request from a
1757
1758 server, prefer certificate types if the known_hosts files contain a key
1759 marked as a @cert-authority; bz#3157 ok markus@
1760
1761 OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
1762
1763commit 829451815ec207e14bd54ff5cf7e22046816f042
1764Author: djm@openbsd.org <djm@openbsd.org>
1765Date: Tue May 12 01:41:32 2020 +0000
1766
1767 upstream: fix non-ASCII quote that snuck in; spotted by Gabriel
1768
1769 Kihlman
1770
1771 OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800
1772
1773commit 5a442cec92c0efd6fffb4af84bf99c70af248ef3
1774Author: djm@openbsd.org <djm@openbsd.org>
1775Date: Mon May 11 02:11:29 2020 +0000
1776
1777 upstream: clarify role of FIDO tokens in multi-factor
1778
1779 authentictation; mostly from Pedro Martelletto
1780
1781 OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
1782
1783commit ecb2c02d994b3e21994f31a70ff911667c262f1f
1784Author: djm@openbsd.org <djm@openbsd.org>
1785Date: Fri May 8 05:13:14 2020 +0000
1786
1787 upstream: fix compilation with DEBUG_KEXDH; bz#3160 ok dtucker@
1788
1789 OpenBSD-Commit-ID: 832e771948fb45f2270e8b8895aac36d176ba17a
1790
15commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d 1791commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d
16Author: Damien Miller <djm@mindrot.org> 1792Author: Damien Miller <djm@mindrot.org>
17Date: Thu May 14 12:22:09 2020 +1000 1793Date: Thu May 14 12:22:09 2020 +1000
@@ -10714,1964 +12490,3 @@ Date: Tue Oct 2 12:40:07 2018 +0000
10714 ok markus@ dtucker@ 12490 ok markus@ dtucker@
10715 12491
10716 OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3 12492 OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3
10717
10718commit dba50258333f2604a87848762af07ba2cc40407a
10719Author: djm@openbsd.org <djm@openbsd.org>
10720Date: Wed Sep 26 07:32:44 2018 +0000
10721
10722 upstream: remove big ugly TODO comment from start of file. Some of
10723
10724 the mentioned tasks are obsolete and, of the remainder, most are already
10725 captured in PROTOCOL.mux where they better belong
10726
10727 OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407
10728
10729commit 92b61a38ee9b765f5049f03cd1143e13f3878905
10730Author: djm@openbsd.org <djm@openbsd.org>
10731Date: Wed Sep 26 07:30:05 2018 +0000
10732
10733 upstream: Document mux proxy mode; added by Markus in openssh-7.4
10734
10735 Also add a little bit of information about the overall packet format
10736
10737 OpenBSD-Commit-ID: bdb6f6ea8580ef96792e270cae7857786ad84a95
10738
10739commit 9d883a1ce4f89b175fd77405ff32674620703fb2
10740Author: djm@openbsd.org <djm@openbsd.org>
10741Date: Wed Sep 26 01:48:57 2018 +0000
10742
10743 upstream: s/process_mux_master/mux_master_process/ in mux master
10744
10745 function names,
10746
10747 Gives better symmetry with the existing mux_client_*() names and makes
10748 it more obvious when a message comes from the master vs client (they
10749 are interleved in ControlMaster=auto mode).
10750
10751 no functional change beyond prefixing a could of log messages with
10752 __func__ where they were previously lacking.
10753
10754 OpenBSD-Commit-ID: b01f7c3fdf92692e1713a822a89dc499333daf75
10755
10756commit c2fa53cd6462da82d3a851dc3a4a3f6b920337c8
10757Author: Darren Tucker <dtucker@dtucker.net>
10758Date: Sat Sep 22 14:41:24 2018 +1000
10759
10760 Remove unused variable in _ssh_compat_fflush.
10761
10762commit d1b3540c21212624af907488960d703c7d987b42
10763Author: Darren Tucker <dtucker@dtucker.net>
10764Date: Thu Sep 20 18:08:43 2018 +1000
10765
10766 Import updated moduli.
10767
10768commit b5e412a8993ad17b9e1141c78408df15d3d987e1
10769Author: djm@openbsd.org <djm@openbsd.org>
10770Date: Fri Sep 21 12:46:22 2018 +0000
10771
10772 upstream: Allow ssh_config ForwardX11Timeout=0 to disable the
10773
10774 timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@
10775
10776 OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
10777
10778commit cb24d9fcc901429d77211f274031653476864ec6
10779Author: djm@openbsd.org <djm@openbsd.org>
10780Date: Fri Sep 21 12:23:17 2018 +0000
10781
10782 upstream: when compiled with GSSAPI support, cache supported method
10783
10784 OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether
10785 GSSAPI authentication is enabled in the main config.
10786
10787 This avoids sandbox violations for configurations that enable GSSAPI
10788 auth later, e.g.
10789
10790 Match user djm
10791 GSSAPIAuthentication yes
10792
10793 bz#2107; ok dtucker@
10794
10795 OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d
10796
10797commit bbc8af72ba68da014d4de6e21a85eb5123384226
10798Author: djm@openbsd.org <djm@openbsd.org>
10799Date: Fri Sep 21 12:20:12 2018 +0000
10800
10801 upstream: In sshkey_in_file(), ignore keys that are considered for
10802
10803 being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered
10804 to be "in the file". This allows key revocation lists to contain short keys
10805 without the entire revocation list being considered invalid.
10806
10807 bz#2897; ok dtucker
10808
10809 OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
10810
10811commit 383a33d160cefbfd1b40fef81f72eadbf9303a66
10812Author: djm@openbsd.org <djm@openbsd.org>
10813Date: Fri Sep 21 03:11:36 2018 +0000
10814
10815 upstream: Treat connections with ProxyJump specified the same as ones
10816
10817 with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't
10818 try to canonicalise the hostname unless CanonicalizeHostname is set to
10819 'always').
10820
10821 Patch from Sven Wegener via bz#2896
10822
10823 OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
10824
10825commit 0cbed248ed81584129b67c348dbb801660f25a6a
10826Author: djm@openbsd.org <djm@openbsd.org>
10827Date: Thu Sep 20 23:40:16 2018 +0000
10828
10829 upstream: actually make CASignatureAlgorithms available as a config
10830
10831 option
10832
10833 OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
10834
10835commit 62528870c0ec48cd86a37dd7320fb85886c3e6ee
10836Author: dtucker@openbsd.org <dtucker@openbsd.org>
10837Date: Thu Sep 20 08:07:03 2018 +0000
10838
10839 upstream: Import updated moduli.
10840
10841 OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40
10842
10843commit e6933a2ffa0659d57f3c7b7c457b2c62b2a84613
10844Author: jmc@openbsd.org <jmc@openbsd.org>
10845Date: Thu Sep 20 06:58:48 2018 +0000
10846
10847 upstream: reorder CASignatureAlgorithms, and add them to the
10848
10849 various -o lists; ok djm
10850
10851 OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
10852
10853commit aa083aa9624ea7b764d5a81c4c676719a1a3e42b
10854Author: djm@openbsd.org <djm@openbsd.org>
10855Date: Thu Sep 20 03:31:49 2018 +0000
10856
10857 upstream: fix "ssh -Q sig" to show correct signature algorithm list
10858
10859 (it was erroneously showing certificate algorithms); prompted by markus@
10860
10861 OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d
10862
10863commit ecac7e1f7add6b28874959a11f2238d149dc2c07
10864Author: djm@openbsd.org <djm@openbsd.org>
10865Date: Thu Sep 20 03:30:44 2018 +0000
10866
10867 upstream: add CASignatureAlgorithms option for the client, allowing
10868
10869 it to specify which signature algorithms may be used by CAs when signing
10870 certificates. Useful if you want to ban RSA/SHA1; ok markus@
10871
10872 OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
10873
10874commit 86e5737c39153af134158f24d0cab5827cbd5852
10875Author: djm@openbsd.org <djm@openbsd.org>
10876Date: Thu Sep 20 03:28:06 2018 +0000
10877
10878 upstream: Add sshd_config CASignatureAlgorithms option to allow
10879
10880 control over which signature algorithms a CA may use when signing
10881 certificates. In particular, this allows a sshd to ban certificates signed
10882 with RSA/SHA1.
10883
10884 ok markus@
10885
10886 OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
10887
10888commit f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f
10889Author: djm@openbsd.org <djm@openbsd.org>
10890Date: Wed Sep 19 02:03:02 2018 +0000
10891
10892 upstream: Make "ssh-add -q" do what it says on the tin: silence
10893
10894 output from successful operations.
10895
10896 Based on patch from Thijs van Dijk; ok dtucker@ deraadt@
10897
10898 OpenBSD-Commit-ID: c4f754ecc055c10af166116ce7515104aa8522e1
10899
10900commit 5e532320e9e51de720d5f3cc2596e95d29f6e98f
10901Author: millert@openbsd.org <millert@openbsd.org>
10902Date: Mon Sep 17 15:40:14 2018 +0000
10903
10904 upstream: When choosing a prime from the moduli file, avoid
10905
10906 re-using the linenum variable for something that is not a line number to
10907 avoid the confusion that resulted in the bug in rev. 1.64. This also lets us
10908 pass the actual linenum to parse_prime() so the error messages include the
10909 correct line number. OK markus@ some time ago.
10910
10911 OpenBSD-Commit-ID: 4d8e5d3e924d6e8eb70053e3defa23c151a00084
10912
10913commit cce8cbe0ed7d1ba3a575310e0b63c193326ae616
10914Author: Darren Tucker <dtucker@dtucker.net>
10915Date: Sat Sep 15 19:44:06 2018 +1000
10916
10917 Fix openssl-1.1 fallout for --without-openssl.
10918
10919 ok djm@
10920
10921commit 149519b9f201dac755f3cba4789f4d76fecf0ee1
10922Author: Damien Miller <djm@mindrot.org>
10923Date: Sat Sep 15 19:37:48 2018 +1000
10924
10925 add futex(2) syscall to seccomp sandbox
10926
10927 Apparently needed for some glibc/openssl combinations.
10928
10929 Patch from Arkadiusz Miśkiewicz
10930
10931commit 4488ae1a6940af704c4dbf70f55bf2f756a16536
10932Author: Damien Miller <djm@mindrot.org>
10933Date: Sat Sep 15 19:36:55 2018 +1000
10934
10935 really add source for authopt_fuzz this time
10936
10937commit 9201784b4a257c8345fbd740bcbdd70054885707
10938Author: Damien Miller <djm@mindrot.org>
10939Date: Sat Sep 15 19:35:40 2018 +1000
10940
10941 remove accidentally checked-in authopt_fuzz binary
10942
10943commit beb9e522dc7717df08179f9e59f36b361bfa14ab
10944Author: djm@openbsd.org <djm@openbsd.org>
10945Date: Fri Sep 14 05:26:27 2018 +0000
10946
10947 upstream: second try, deals properly with missing and private-only
10948
10949 Use consistent format in debug log for keys readied, offered and
10950 received during public key authentication.
10951
10952 This makes it a little easier to see what is going on, as each message
10953 now contains (where available) the key filename, its type and fingerprint,
10954 and whether the key is hosted in an agent or a token.
10955
10956 OpenBSD-Commit-ID: f1c6a8e9cfc4e108c359db77f24f9a40e1e25ea7
10957
10958commit 6bc5a24ac867bfdc3ed615589d69ac640f51674b
10959Author: Damien Miller <djm@mindrot.org>
10960Date: Fri Sep 14 15:16:34 2018 +1000
10961
10962 fuzzer harness for authorized_keys option parsing
10963
10964commit 6c8b82fc6929b6a9a3f645151b6ec26c5507d9ef
10965Author: djm@openbsd.org <djm@openbsd.org>
10966Date: Fri Sep 14 04:44:04 2018 +0000
10967
10968 upstream: revert following; deals badly with agent keys
10969
10970 revision 1.285
10971 date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK;
10972 Use consistent format in debug log for keys readied, offered and
10973 received during public key authentication.
10974
10975 This makes it a little easier to see what is going on, as each message
10976 now contains the key filename, its type and fingerprint, and whether
10977 the key is hosted in an agent or a token.
10978
10979 OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d
10980
10981commit 6da046f9c3374ce7e269ded15d8ff8bc45017301
10982Author: djm@openbsd.org <djm@openbsd.org>
10983Date: Fri Sep 14 04:17:44 2018 +0000
10984
10985 upstream: garbage-collect moribund ssh_new_private() API.
10986
10987 OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
10988
10989commit 1f24ac5fc05252ceb1c1d0e8cab6a283b883c780
10990Author: djm@openbsd.org <djm@openbsd.org>
10991Date: Fri Sep 14 04:17:12 2018 +0000
10992
10993 upstream: Use consistent format in debug log for keys readied,
10994
10995 offered and received during public key authentication.
10996
10997 This makes it a little easier to see what is going on, as each message
10998 now contains the key filename, its type and fingerprint, and whether
10999 the key is hosted in an agent or a token.
11000
11001 OpenBSD-Commit-ID: 2a01d59285a8a7e01185bb0a43316084b4f06a1f
11002
11003commit 488c9325bb7233e975dbfbf89fa055edc3d3eddc
11004Author: millert@openbsd.org <millert@openbsd.org>
11005Date: Thu Sep 13 15:23:32 2018 +0000
11006
11007 upstream: Fix warnings caused by user_from_uid() and group_from_gid()
11008
11009 now returning const char *.
11010
11011 OpenBSD-Commit-ID: b5fe571ea77cfa7b9035062829ab05eb87d7cc6f
11012
11013commit 0aa1f230846ebce698e52051a107f3127024a05a
11014Author: Damien Miller <djm@mindrot.org>
11015Date: Fri Sep 14 10:31:47 2018 +1000
11016
11017 allow SIGUSR1 as synonym for SIGINFO
11018
11019 Lets users on those unfortunate operating systems that lack SIGINFO
11020 still be able to obtain progress information from unit tests :)
11021
11022commit d64e78526596f098096113fcf148216798c327ff
11023Author: Damien Miller <djm@mindrot.org>
11024Date: Thu Sep 13 19:05:48 2018 +1000
11025
11026 add compat header
11027
11028commit a3fd8074e2e2f06602e25618721f9556c731312c
11029Author: djm@openbsd.org <djm@openbsd.org>
11030Date: Thu Sep 13 09:03:20 2018 +0000
11031
11032 upstream: missed a bit of openssl-1.0.x API in this unittest
11033
11034 OpenBSD-Regress-ID: a73a54d7f7381856a3f3a2d25947bee7a9a5dbc9
11035
11036commit 86e0a9f3d249d5580390daf58e015e68b01cef10
11037Author: djm@openbsd.org <djm@openbsd.org>
11038Date: Thu Sep 13 05:06:51 2018 +0000
11039
11040 upstream: use only openssl-1.1.x API here too
11041
11042 OpenBSD-Regress-ID: ae877064597c349954b1b443769723563cecbc8f
11043
11044commit 48f54b9d12c1c79fba333bc86d455d8f4cda8cfc
11045Author: Damien Miller <djm@mindrot.org>
11046Date: Thu Sep 13 12:13:50 2018 +1000
11047
11048 adapt -portable to OpenSSL 1.1x API
11049
11050 Polyfill missing API with replacement functions extracted from LibreSSL
11051
11052commit 86112951d63d48839f035b5795be62635a463f99
11053Author: Damien Miller <djm@mindrot.org>
11054Date: Thu Sep 13 12:12:42 2018 +1000
11055
11056 forgot to stage these test files in commit d70d061
11057
11058commit 482d23bcacdd3664f21cc82a5135f66fc598275f
11059Author: djm@openbsd.org <djm@openbsd.org>
11060Date: Thu Sep 13 02:08:33 2018 +0000
11061
11062 upstream: hold our collective noses and use the openssl-1.1.x API in
11063
11064 OpenSSH; feedback and ok tb@ jsing@ markus@
11065
11066 OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
11067
11068commit d70d061828730a56636ab6f1f24fe4a8ccefcfc1
11069Author: djm@openbsd.org <djm@openbsd.org>
11070Date: Wed Sep 12 01:36:45 2018 +0000
11071
11072 upstream: Include certs with multiple RSA signature variants in
11073
11074 test data Ensure that cert->signature_key is populated correctly
11075
11076 OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a
11077
11078commit f803b2682992cfededd40c91818b653b5d923ef5
11079Author: djm@openbsd.org <djm@openbsd.org>
11080Date: Wed Sep 12 01:23:48 2018 +0000
11081
11082 upstream: test revocation by explicit hash and by fingerprint
11083
11084 OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8
11085
11086commit 2de78bc7da70e1338b32feeefcc6045cf49efcd4
11087Author: djm@openbsd.org <djm@openbsd.org>
11088Date: Wed Sep 12 01:22:43 2018 +0000
11089
11090 upstream: s/sshkey_demote/sshkey_from_private/g
11091
11092 OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4
11093
11094commit 41c115a5ea1cb79a6a3182773c58a23f760e8076
11095Author: Damien Miller <djm@mindrot.org>
11096Date: Wed Sep 12 16:50:01 2018 +1000
11097
11098 delete the correct thing; kexfuzz binary
11099
11100commit f0fcd7e65087db8c2496f13ed39d772f8e38b088
11101Author: djm@openbsd.org <djm@openbsd.org>
11102Date: Wed Sep 12 06:18:59 2018 +0000
11103
11104 upstream: fix edit mistake; spotted by jmc@
11105
11106 OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
11107
11108commit 4cc259bac699f4d2a5c52b92230f9e488c88a223
11109Author: djm@openbsd.org <djm@openbsd.org>
11110Date: Wed Sep 12 01:34:02 2018 +0000
11111
11112 upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of
11113
11114 signature algorithms that are allowed for CA signatures. Notably excludes
11115 ssh-dsa.
11116
11117 ok markus@
11118
11119 OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
11120
11121commit ba9e788315b1f6a350f910cb2a9e95b2ce584e89
11122Author: djm@openbsd.org <djm@openbsd.org>
11123Date: Wed Sep 12 01:32:54 2018 +0000
11124
11125 upstream: add sshkey_check_cert_sigtype() that checks a
11126
11127 cert->signature_type against a supplied whitelist; ok markus
11128
11129 OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
11130
11131commit a70fd4ad7bd9f2ed223ff635a3d41e483057f23b
11132Author: djm@openbsd.org <djm@openbsd.org>
11133Date: Wed Sep 12 01:31:30 2018 +0000
11134
11135 upstream: add cert->signature_type field and keep it in sync with
11136
11137 certificate signature wrt loading and certification operations; ok markus@
11138
11139 OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
11140
11141commit 357128ac48630a9970e3af0e6ff820300a28da47
11142Author: djm@openbsd.org <djm@openbsd.org>
11143Date: Wed Sep 12 01:30:10 2018 +0000
11144
11145 upstream: Add "ssh -Q sig" to allow listing supported signature
11146
11147 algorithms ok markus@
11148
11149 OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
11150
11151commit 9405c6214f667be604a820c6823b27d0ea77937d
11152Author: djm@openbsd.org <djm@openbsd.org>
11153Date: Wed Sep 12 01:21:34 2018 +0000
11154
11155 upstream: allow key revocation by SHA256 hash and allow ssh-keygen
11156
11157 to create KRLs using SHA256/base64 key fingerprints; ok markus@
11158
11159 OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
11160
11161commit 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9
11162Author: djm@openbsd.org <djm@openbsd.org>
11163Date: Wed Sep 12 01:19:12 2018 +0000
11164
11165 upstream: log certificate fingerprint in authentication
11166
11167 success/failure message (previously we logged only key ID and CA key
11168 fingerprint).
11169
11170 ok markus@
11171
11172 OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
11173
11174commit de37ca909487d23e5844aca289b3f5e75d3f1e1f
11175Author: dtucker@openbsd.org <dtucker@openbsd.org>
11176Date: Fri Sep 7 04:26:56 2018 +0000
11177
11178 upstream: Add FALLTHROUGH comments where appropriate. Patch from
11179
11180 jjelen at redhat via bz#2687.
11181
11182 OpenBSD-Commit-ID: c48eb457be697a19d6d2950c6d0879f3ccc851d3
11183
11184commit 247766cd3111d5d8c6ea39833a3257ca8fb820f2
11185Author: djm@openbsd.org <djm@openbsd.org>
11186Date: Fri Sep 7 01:42:54 2018 +0000
11187
11188 upstream: ssh -MM requires confirmation for all operations that
11189
11190 change the multiplexing state, not just new sessions.
11191
11192 mention that confirmation is checked via ssh-askpass
11193
11194 OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
11195
11196commit db8bb80e3ac1bcb3e1305d846cd98c6b869bf03f
11197Author: mestre@openbsd.org <mestre@openbsd.org>
11198Date: Tue Aug 28 12:25:53 2018 +0000
11199
11200 upstream: fix misplaced parenthesis inside if-clause. it's harmless
11201
11202 and the only issue is showing an unknown error (since it's not defined)
11203 during fatal(), if it ever an error occurs inside that condition.
11204
11205 OK deraadt@ markus@ djm@
11206
11207 OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8
11208
11209commit 086cc614f550b7d4f100c95e472a6b6b823938ab
11210Author: mestre@openbsd.org <mestre@openbsd.org>
11211Date: Tue Aug 28 12:17:45 2018 +0000
11212
11213 upstream: fix build with DEBUG_PK enabled
11214
11215 OK dtucker@
11216
11217 OpenBSD-Commit-ID: ec1568cf27726e9638a0415481c20c406e7b441c
11218
11219commit 2678833013e97f8b18f09779b7f70bcbf5eb2ab2
11220Author: Darren Tucker <dtucker@dtucker.net>
11221Date: Fri Sep 7 14:41:53 2018 +1000
11222
11223 Handle ngroups>_SC_NGROUPS_MAX.
11224
11225 Based on github pull request #99 from Darren Maffat at Oracle: Solaris'
11226 getgrouplist considers _SC_NGROUPS_MAX more of a guideline and can return
11227 a larger number of groups. In this case, retry getgrouplist with a
11228 larger array and defer allocating groups_byname. ok djm@
11229
11230commit 039bf2a81797b8f3af6058d34005a4896a363221
11231Author: Darren Tucker <dtucker@dtucker.net>
11232Date: Fri Sep 7 14:06:57 2018 +1000
11233
11234 Initial len for the fmt=NULL case.
11235
11236 Patch from jjelen at redhat via bz#2687. (OpenSSH never calls
11237 setproctitle with a null format so len is always initialized).
11238
11239commit ea9c06e11d2e8fb2f4d5e02f8a41e23d2bd31ca9
11240Author: Darren Tucker <dtucker@dtucker.net>
11241Date: Fri Sep 7 14:01:39 2018 +1000
11242
11243 Include stdlib.h.
11244
11245 Patch from jjelen at redhat via bz#2687.
11246
11247commit 9617816dbe73ec4d65075f4d897443f63a97c87f
11248Author: Damien Miller <djm@mindrot.org>
11249Date: Mon Aug 27 13:08:01 2018 +1000
11250
11251 document some more regress control env variables
11252
11253 Specifically SKIP_UNIT, USE_VALGRING and LTESTS. Sort the list of
11254 environment variables.
11255
11256 Based on patch from Jakub Jelen
11257
11258commit 71508e06fab14bc415a79a08f5535ad7bffa93d9
11259Author: Damien Miller <djm@mindrot.org>
11260Date: Thu Aug 23 15:41:42 2018 +1000
11261
11262 shorten temporary SSH_REGRESS_TMP path
11263
11264 Previous path was exceeding max socket length on at least one platform (OSX)
11265
11266commit 26739cf5bdc9030a583b41ae5261dedd862060f0
11267Author: Damien Miller <djm@mindrot.org>
11268Date: Thu Aug 23 13:06:02 2018 +1000
11269
11270 rebuild dependencies
11271
11272commit ff729025c7463cf5d0a8d1ca1823306e48c6d4cf
11273Author: Damien Miller <djm@mindrot.org>
11274Date: Thu Aug 23 13:03:32 2018 +1000
11275
11276 fix path in distclean target
11277
11278 Patch from Jakub Jelen
11279
11280commit 7fef173c28f7462dcd8ee017fdf12b5073f54c02
11281Author: djm@openbsd.org <djm@openbsd.org>
11282Date: Thu Aug 23 03:01:08 2018 +0000
11283
11284 upstream: memleak introduced in r1.83; from Colin Watson
11285
11286 OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc
11287
11288commit b8ae02a2896778b8984c7f51566c7f0f56fa8b56
11289Author: schwarze@openbsd.org <schwarze@openbsd.org>
11290Date: Tue Aug 21 13:56:27 2018 +0000
11291
11292 upstream: AIX reports the CODESET as "ISO8859-1" in the POSIX locale.
11293
11294 Treating that as a safe encoding is OK because even when other systems return
11295 that string for real ISO8859-1, it is still safe in the sense that it is
11296 ASCII-compatible and stateless.
11297
11298 Issue reported by Val dot Baranov at duke dot edu. Additional
11299 information provided by Michael dot Felt at felt dot demon dot nl.
11300 Tested by Michael Felt on AIX 6.1 and by Val Baranov on AIX 7.1.
11301 Tweak and OK djm@.
11302
11303 OpenBSD-Commit-ID: 36f1210e0b229817d10eb490d6038f507b8256a7
11304
11305commit bc44ee088ad269d232e514f037c87ada4c2fd3f0
11306Author: Tim Rice <tim@multitalents.net>
11307Date: Tue Aug 21 08:57:24 2018 -0700
11308
11309 modified: openbsd-compat/port-uw.c
11310 remove obsolete and un-needed include
11311
11312commit 829fc28a9c54e3f812ee7248c7a3e31eeb4f0b3a
11313Author: Damien Miller <djm@mindrot.org>
11314Date: Mon Aug 20 15:57:29 2018 +1000
11315
11316 Missing unistd.h for regress/mkdtemp.c
11317
11318commit c8313e492355a368a91799131520d92743d8d16c
11319Author: Damien Miller <djm@mindrot.org>
11320Date: Fri Aug 17 05:45:20 2018 +1000
11321
11322 update version numbers in anticipation of release
11323
11324commit 477b49a34b89f506f4794b35e3c70b3e2e83cd38
11325Author: Corinna Vinschen <vinschen@redhat.com>
11326Date: Mon Aug 13 17:08:51 2018 +0200
11327
11328 configure: work around GCC shortcoming on Cygwin
11329
11330 Cygwin's latest 7.x GCC allows to specify -mfunction-return=thunk
11331 as well as -mindirect-branch=thunk on the command line, albeit
11332 producing invalid code, leading to an error at link stage.
11333
11334 The check in configure.ac only checks if the option is present,
11335 but not if it produces valid code.
11336
11337 This patch fixes it by special-casing Cygwin. Another solution
11338 may be to change these to linker checks.
11339
11340 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
11341
11342commit b0917945efa374be7648d67dbbaaff323ab39edc
11343Author: Corinna Vinschen <vinschen@redhat.com>
11344Date: Mon Aug 13 17:05:05 2018 +0200
11345
11346 cygwin: add missing stdarg.h include
11347
11348 Further header file standarization in Cygwin uncovered a lazy
11349 indirect include in bsd-cygwin_util.c
11350
11351 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
11352
11353commit c3903c38b0fd168ab3d925c2b129d1a599593426
11354Author: djm@openbsd.org <djm@openbsd.org>
11355Date: Mon Aug 13 02:41:05 2018 +0000
11356
11357 upstream: revert compat.[ch] section of the following change. It
11358
11359 causes double-free under some circumstances.
11360
11361 --
11362
11363 date: 2018/07/31 03:07:24; author: djm; state: Exp; lines: +33 -18; commitid: f7g4UI8eeOXReTPh;
11364 fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
11365 feedback and ok dtucker@
11366
11367 OpenBSD-Commit-ID: 1e77547f60fdb5e2ffe23e2e4733c54d8d2d1137
11368
11369commit 1b9dd4aa15208100fbc3650f33ea052255578282
11370Author: djm@openbsd.org <djm@openbsd.org>
11371Date: Sun Aug 12 20:19:13 2018 +0000
11372
11373 upstream: better diagnosics on alg list assembly errors; ok
11374
11375 deraadt@ markus@
11376
11377 OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
11378
11379commit e36a5f61b0f5bebf6d49c215d228cd99dfe86e28
11380Author: Damien Miller <djm@mindrot.org>
11381Date: Sat Aug 11 18:08:45 2018 -0700
11382
11383 Some AIX fixes; report from Michael Felt
11384
11385commit 2f4766ceefe6657c5ad5fe92d13c411872acae0e
11386Author: dtucker@openbsd.org <dtucker@openbsd.org>
11387Date: Fri Aug 10 01:35:49 2018 +0000
11388
11389 upstream: The script that cooks up PuTTY format host keys does not
11390
11391 understand the new key format so convert back to old format to create the
11392 PuTTY key and remove it once done.
11393
11394 OpenBSD-Regress-ID: 2a449a18846c3a144bc645135b551ba6177e38d3
11395
11396commit e1b26ce504662a5d5b991091228984ccfd25f280
11397Author: djm@openbsd.org <djm@openbsd.org>
11398Date: Fri Aug 10 00:44:01 2018 +0000
11399
11400 upstream: improve
11401
11402 OpenBSD-Commit-ID: 40d839db0977b4e7ac8b647b16d5411d4faf2f60
11403
11404commit 7c712966a3139622f7fb55045368d05de4e6782c
11405Author: djm@openbsd.org <djm@openbsd.org>
11406Date: Fri Aug 10 00:42:29 2018 +0000
11407
11408 upstream: Describe pubkey format, prompted by bz#2853
11409
11410 While I'm here, describe and link to the remaining local PROTOCOL.*
11411 docs that weren't already mentioned (PROTOCOL.key, PROTOCOL.krl and
11412 PROTOCOL.mux)
11413
11414 OpenBSD-Commit-ID: 2a900f9b994ba4d53e7aeb467d44d75829fd1231
11415
11416commit ef100a2c5a8ed83afac0b8f36520815803da227a
11417Author: djm@openbsd.org <djm@openbsd.org>
11418Date: Fri Aug 10 00:27:15 2018 +0000
11419
11420 upstream: fix numbering
11421
11422 OpenBSD-Commit-ID: bc7a1764dff23fa4c5ff0e3379c9c4d5b63c9596
11423
11424commit ed7bd5d93fe14c7bd90febd29b858ea985d14d45
11425Author: djm@openbsd.org <djm@openbsd.org>
11426Date: Wed Aug 8 01:16:01 2018 +0000
11427
11428 upstream: Use new private key format by default. This format is
11429
11430 suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
11431 by most OpenSSH versions in active use.
11432
11433 It is possible to convert new-format private keys to the older
11434 format using "ssh-keygen -f /path/key -pm PEM".
11435
11436 ok deraadt dtucker
11437
11438 OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
11439
11440commit 967226a1bdde59ea137e8f0df871854ff7b91366
11441Author: djm@openbsd.org <djm@openbsd.org>
11442Date: Sat Aug 4 00:55:06 2018 +0000
11443
11444 upstream: invalidate dh->priv_key after freeing it in error path;
11445
11446 avoids unlikely double-free later. Reported by Viktor Dukhovni via
11447 https://github.com/openssh/openssh-portable/pull/96 feedback jsing@ tb@
11448
11449 OpenBSD-Commit-ID: e317eb17c3e05500ae851f279ef6486f0457c805
11450
11451commit 74287f5df9966a0648b4a68417451dd18f079ab8
11452Author: djm@openbsd.org <djm@openbsd.org>
11453Date: Tue Jul 31 03:10:27 2018 +0000
11454
11455 upstream: delay bailout for invalid authentic
11456
11457 =?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
11458 =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
11459 =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
11460 MIME-Version: 1.0
11461 Content-Type: text/plain; charset=UTF-8
11462 Content-Transfer-Encoding: 8bit
11463
11464 OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
11465
11466commit 1a66079c0669813306cc69e5776a4acd9fb49015
11467Author: djm@openbsd.org <djm@openbsd.org>
11468Date: Tue Jul 31 03:07:24 2018 +0000
11469
11470 upstream: fix some memory leaks spotted by Coverity via Jakub Jelen
11471
11472 in bz#2366 feedback and ok dtucker@
11473
11474 OpenBSD-Commit-ID: 8402bbae67d578bedbadb0ce68ff7c5a136ef563
11475
11476commit 87f08be054b7eeadbb9cdeb3fb4872be79ccf218
11477Author: Damien Miller <djm@mindrot.org>
11478Date: Fri Jul 20 13:18:28 2018 +1000
11479
11480 Remove support for S/Key
11481
11482 Most people will 1) be using modern multi-factor authentication methods
11483 like TOTP/OATH etc and 2) be getting support for multi-factor
11484 authentication via PAM or BSD Auth.
11485
11486commit 5d14019ba2ff54acbfd20a6b9b96bb860a8c7c31
11487Author: markus@openbsd.org <markus@openbsd.org>
11488Date: Fri Jul 27 12:03:17 2018 +0000
11489
11490 upstream: avoid expensive channel_open_message() calls; ok djm@
11491
11492 OpenBSD-Commit-ID: aea3b5512ad681cd8710367d743e8a753d4425d9
11493
11494commit e655ee04a3cb7999dbf9641b25192353e2b69418
11495Author: dtucker@openbsd.org <dtucker@openbsd.org>
11496Date: Fri Jul 27 05:34:42 2018 +0000
11497
11498 upstream: Now that ssh can't be setuid, remove the
11499
11500 original_real_uid and original_effective_uid globals and replace with calls
11501 to plain getuid(). ok djm@
11502
11503 OpenBSD-Commit-ID: 92561c0cd418d34e6841e20ba09160583e27b68c
11504
11505commit 73ddb25bae4c33a0db361ac13f2e3a60d7c6c4a5
11506Author: dtucker@openbsd.org <dtucker@openbsd.org>
11507Date: Fri Jul 27 05:13:02 2018 +0000
11508
11509 upstream: Remove uid checks from low port binds. Now that ssh
11510
11511 cannot be setuid and sshd always has privsep on, we can remove the uid checks
11512 for low port binds and just let the system do the check. We leave a sanity
11513 check for the !privsep case so long as the code is stil there. with & ok
11514 djm@
11515
11516 OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
11517
11518commit c12033e102760d043bc5c98e6c8180e4d331b0df
11519Author: dtucker@openbsd.org <dtucker@openbsd.org>
11520Date: Fri Jul 27 03:55:22 2018 +0000
11521
11522 upstream: ssh(1) no longer supports being setuid root. Remove reference
11523
11524 to crc32 which went with protocol 1. Pointed out by deraadt@.
11525
11526 OpenBSD-Commit-ID: f8763c25fd96ed91dd1abdab5667fd2e27e377b6
11527
11528commit 4492e2ec4e1956a277ef507f51d66e5c2aafaaf8
11529Author: Damien Miller <djm@mindrot.org>
11530Date: Fri Jul 27 14:15:28 2018 +1000
11531
11532 correct snprintf truncation check in closefrom()
11533
11534 Truncation cannot happen unless the system has set PATH_MAX to some
11535 nonsensically low value.
11536
11537 bz#2862, patch from Daniel Le
11538
11539commit 149cab325a8599a003364ed833f878449c15f259
11540Author: Darren Tucker <dtucker@dtucker.net>
11541Date: Fri Jul 27 13:46:06 2018 +1000
11542
11543 Include stdarg.h in mkdtemp for va_list.
11544
11545commit 6728f31bdfdc864d192773c32465b1860e23f556
11546Author: deraadt@openbsd.org <deraadt@openbsd.org>
11547Date: Wed Jul 25 17:12:35 2018 +0000
11548
11549 upstream: Don't redefine Makefile choices which come correct from
11550
11551 bsd.*.mk ok markus
11552
11553 OpenBSD-Commit-ID: 814b2f670df75759e1581ecef530980b2b3d7e0f
11554
11555commit 21fd477a855753c1a8e450963669e28e39c3b5d2
11556Author: deraadt@openbsd.org <deraadt@openbsd.org>
11557Date: Wed Jul 25 13:56:23 2018 +0000
11558
11559 upstream: fix indent; Clemens Goessnitzer
11560
11561 OpenBSD-Commit-ID: b5149a6d92b264d35f879d24608087b254857a83
11562
11563commit 8e433c2083db8664c41499ee146448ea7ebe7dbf
11564Author: beck@openbsd.org <beck@openbsd.org>
11565Date: Wed Jul 25 13:10:56 2018 +0000
11566
11567 upstream: Use the caller provided (copied) pwent struct in
11568
11569 load_public_identity_files instead of calling getpwuid() again and discarding
11570 the argument. This prevents a client crash where tilde_expand_filename calls
11571 getpwuid() again before the pwent pointer is used. Issue noticed and reported
11572 by Pierre-Olivier Martel <pom@apple.com> ok djm@ deraadt@
11573
11574 OpenBSD-Commit-ID: a067d74b5b098763736c94cc1368de8ea3f0b157
11575
11576commit e2127abb105ae72b6fda64fff150e6b24b3f1317
11577Author: jmc@openbsd.org <jmc@openbsd.org>
11578Date: Mon Jul 23 19:53:55 2018 +0000
11579
11580 upstream: oops, failed to notice that SEE ALSO got messed up;
11581
11582 OpenBSD-Commit-ID: 61c1306542cefdc6e59ac331751afe961557427d
11583
11584commit ddf1b797c2d26bbbc9d410aa4f484cbe94673587
11585Author: kn@openbsd.org <kn@openbsd.org>
11586Date: Mon Jul 23 19:02:49 2018 +0000
11587
11588 upstream: Point to glob in section 7 for the actual list of special
11589
11590 characters instead the C API in section 3.
11591
11592 OK millert jmc nicm, "the right idea" deraadt
11593
11594 OpenBSD-Commit-ID: a74fd215488c382809e4d041613aeba4a4b1ffc6
11595
11596commit 01c98d9661d0ed6156e8602b650f72eed9fc4d12
11597Author: dtucker@openbsd.org <dtucker@openbsd.org>
11598Date: Sun Jul 22 12:16:59 2018 +0000
11599
11600 upstream: Switch authorized_keys example from ssh-dss to ssh-rsa
11601
11602 since the former is no longer enabled by default. Pointed out by Daniel A.
11603 Maierhofer, ok jmc
11604
11605 OpenBSD-Commit-ID: 6a196cef53d7524e0c9b58cdbc1b5609debaf8c7
11606
11607commit 472269f8fe19343971c2d08f504ab5cbb8234b33
11608Author: djm@openbsd.org <djm@openbsd.org>
11609Date: Fri Jul 20 05:01:10 2018 +0000
11610
11611 upstream: slightly-clearer description for AuthenticationMethods - the
11612
11613 lists have comma-separated elements; bz#2663 from Hans Meier
11614
11615 OpenBSD-Commit-ID: 931c983d0fde4764d0942fb2c2b5017635993b5a
11616
11617commit c59aca8adbdf7f5597084ad360a19bedb3f80970
11618Author: Damien Miller <djm@mindrot.org>
11619Date: Fri Jul 20 14:53:42 2018 +1000
11620
11621 Create control sockets in clean temp directories
11622
11623 Adds a regress/mkdtemp tool and uses it to create empty temp
11624 directories for tests needing control sockets.
11625
11626 Patch from Colin Watson via bz#2660; ok dtucker
11627
11628commit 6ad8648e83e4f4ace37b742a05c2a6b6b872514e
11629Author: djm@openbsd.org <djm@openbsd.org>
11630Date: Fri Jul 20 03:46:34 2018 +0000
11631
11632 upstream: remove unused zlib.h
11633
11634 OpenBSD-Commit-ID: 8d274a9b467c7958df12668b49144056819f79f1
11635
11636commit 3ba6e6883527fe517b6e4a824876e2fe62af22fc
11637Author: dtucker@openbsd.org <dtucker@openbsd.org>
11638Date: Thu Jul 19 23:03:16 2018 +0000
11639
11640 upstream: Fix typo in comment. From Alexandru Iacob via github.
11641
11642 OpenBSD-Commit-ID: eff4ec07c6c8c5483533da43a4dda37d72ef7f1d
11643
11644commit c77bc73c91bc656e343a1961756e09dd1b170820
11645Author: Darren Tucker <dtucker@dtucker.net>
11646Date: Fri Jul 20 13:48:51 2018 +1000
11647
11648 Explicitly include openssl before zlib.
11649
11650 Some versions of OpenSSL have "free_func" in their headers, which zlib
11651 typedefs. Including openssl after zlib (eg via sshkey.h) results in
11652 "syntax error before `free_func'", which this fixes.
11653
11654commit 95d41e90eafcd1286a901e8e361e4a37b98aeb52
11655Author: dtucker@openbsd.org <dtucker@openbsd.org>
11656Date: Thu Jul 19 10:28:47 2018 +0000
11657
11658 upstream: Deprecate UsePrivilegedPort now that support for running
11659
11660 ssh(1) setuid has been removed, remove supporting code and clean up
11661 references to it in the man pages
11662
11663 We have not shipped ssh(1) the setuid bit since 2002. If ayone
11664 really needs to make connections from a low port number this can
11665 be implemented via a small setuid ProxyCommand.
11666
11667 ok markus@ jmc@ djm@
11668
11669 OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
11670
11671commit 258dc8bb07dfb35a46e52b0822a2c5b7027df60a
11672Author: dtucker@openbsd.org <dtucker@openbsd.org>
11673Date: Wed Jul 18 11:34:04 2018 +0000
11674
11675 upstream: Remove support for running ssh(1) setuid and fatal if
11676
11677 attempted. Do not link uidwap.c into ssh any more. Neuters
11678 UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@
11679 djm@
11680
11681 OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42
11682
11683commit ac590760b251506b0a152551abbf8e8d6dc2f527
11684Author: dtucker@openbsd.org <dtucker@openbsd.org>
11685Date: Mon Jul 16 22:25:01 2018 +0000
11686
11687 upstream: Slot 0 in the hostbased key array was previously RSA1,
11688
11689 but that is now gone and the slot is unused so remove it. Remove two
11690 now-unused macros, and add an array bounds check to the two remaining ones
11691 (array is statically sized, so mostly a safety check on future changes). ok
11692 markus@
11693
11694 OpenBSD-Commit-ID: 2e4c0ca6cc1d8daeccead2aa56192a3f9d5e1e7a
11695
11696commit 26efc2f5df0e3bcf6a6bbdd0506fd682d60c2145
11697Author: dtucker@openbsd.org <dtucker@openbsd.org>
11698Date: Mon Jul 16 11:05:41 2018 +0000
11699
11700 upstream: Remove support for loading HostBasedAuthentication keys
11701
11702 directly in ssh(1) and always use ssh-keysign. This removes one of the few
11703 remaining reasons why ssh(1) might be setuid. ok markus@
11704
11705 OpenBSD-Commit-ID: 97f01e1448707129a20d75f86bad5d27c3cf0b7d
11706
11707commit 3eb7f1038d17af7aea3c2c62d1e30cd545607640
11708Author: djm@openbsd.org <djm@openbsd.org>
11709Date: Mon Jul 16 07:06:50 2018 +0000
11710
11711 upstream: keep options.identity_file_userprovided array in sync when we
11712
11713 load keys, fixing some spurious error messages; ok markus
11714
11715 OpenBSD-Commit-ID: c63e3d5200ee2cf9e35bda98de847302566c6a00
11716
11717commit 2f131e1b34502aa19f345e89cabf6fa3fc097f09
11718Author: djm@openbsd.org <djm@openbsd.org>
11719Date: Mon Jul 16 03:09:59 2018 +0000
11720
11721 upstream: memleak in unittest; found by valgrind
11722
11723 OpenBSD-Regress-ID: 168c23b0fb09fc3d0b438628990d3fd9260a8a5e
11724
11725commit de2997a4cf22ca0a524f0e5b451693c583e2fd89
11726Author: djm@openbsd.org <djm@openbsd.org>
11727Date: Mon Jul 16 03:09:13 2018 +0000
11728
11729 upstream: memleaks; found by valgrind
11730
11731 OpenBSD-Commit-ID: 6c3ba22be53e753c899545f771e8399fc93cd844
11732
11733commit 61cc0003eb37fa07603c969c12b7c795caa498f3
11734Author: Darren Tucker <dtucker@dtucker.net>
11735Date: Sat Jul 14 16:49:01 2018 +1000
11736
11737 Undef a few new macros in sys-queue.h.
11738
11739 Prevents macro redefinition warnings on OSX.
11740
11741commit 30a2c213877a54a44dfdffb6ca8db70be5b457e0
11742Author: Darren Tucker <dtucker@dtucker.net>
11743Date: Fri Jul 13 13:40:20 2018 +1000
11744
11745 Include unistd.h for geteuid declaration.
11746
11747commit 1dd32c23f2a85714dfafe2a9cc516971d187caa4
11748Author: Darren Tucker <dtucker@dtucker.net>
11749Date: Fri Jul 13 13:38:10 2018 +1000
11750
11751 Fallout from buffer conversion in AUDIT_EVENTS.
11752
11753 Supply missing "int r" and fix error path for sshbuf_new().
11754
11755commit 7449c178e943e5c4f6c8416a4e41d93b70c11c9e
11756Author: djm@openbsd.org <djm@openbsd.org>
11757Date: Fri Jul 13 02:13:50 2018 +0000
11758
11759 upstream: make this use ssh_proxy rather than starting/stopping a
11760
11761 daemon for each testcase
11762
11763 OpenBSD-Regress-ID: 608b7655ea65b1ba8fff5a13ce9caa60ef0c8166
11764
11765commit dbab02f9208d9baa134cec1d007054ec82b96ca9
11766Author: djm@openbsd.org <djm@openbsd.org>
11767Date: Fri Jul 13 02:13:19 2018 +0000
11768
11769 upstream: fix leaks in unit test; with this, all unit tests are
11770
11771 leak free (as far as valgrind can spot anyway)
11772
11773 OpenBSD-Regress-ID: b824d8b27998365379963440e5d18b95ca03aa17
11774
11775commit 2f6accff5085eb79b0dbe262d8b85ed017d1a51c
11776Author: Damien Miller <djm@mindrot.org>
11777Date: Fri Jul 13 11:39:25 2018 +1000
11778
11779 Enable leak checks for unit tests with valgrind
11780
11781 Leave the leak checking on unconditionally when running with valgrind.
11782 The unit tests are leak-free and I want them to stay that way.
11783
11784commit e46cfbd9db5e907b821bf4fd0184d4dab99815ee
11785Author: Damien Miller <djm@mindrot.org>
11786Date: Fri Jul 13 11:38:59 2018 +1000
11787
11788 increase timeout to match cfgmatch.sh
11789
11790 lets test pass under valgrind (on my workstation at least)
11791
11792commit 6aa1bf475cf3e7a2149acc5a1e80e904749f064c
11793Author: Damien Miller <djm@mindrot.org>
11794Date: Thu Jul 12 14:54:18 2018 +1000
11795
11796 rm regress/misc/kexfuzz/*.o in distclean target
11797
11798commit eef1447ddb559c03725a23d4aa6d03f40e8b0049
11799Author: Damien Miller <djm@mindrot.org>
11800Date: Thu Jul 12 14:49:26 2018 +1000
11801
11802 repair !WITH_OPENSSL build
11803
11804commit 4d3b2f36fd831941d1627ac587faae37b6d3570f
11805Author: Damien Miller <djm@mindrot.org>
11806Date: Thu Jul 12 14:49:14 2018 +1000
11807
11808 missing headers
11809
11810commit 3f420a692b293921216549c1099c2e46ff284eae
11811Author: Darren Tucker <dtucker@dtucker.net>
11812Date: Thu Jul 12 14:57:46 2018 +1000
11813
11814 Remove key.h from portable files too.
11815
11816 Commit 5467fbcb removed key.h so stop including it in portable files
11817 too. Fixes builds on lots of platforms.
11818
11819commit e2c4af311543093f16005c10044f7e06af0426f0
11820Author: djm@openbsd.org <djm@openbsd.org>
11821Date: Thu Jul 12 04:35:25 2018 +0000
11822
11823 upstream: remove prototype to long-gone function
11824
11825 OpenBSD-Commit-ID: 0414642ac7ce01d176b9f359091a66a8bbb640bd
11826
11827commit 394a842e60674bf8ee5130b9f15b01452a0b0285
11828Author: markus@openbsd.org <markus@openbsd.org>
11829Date: Wed Jul 11 18:55:11 2018 +0000
11830
11831 upstream: treat ssh_packet_write_wait() errors as fatal; ok djm@
11832
11833 OpenBSD-Commit-ID: f88ba43c9d54ed2d911218aa8d3f6285430629c3
11834
11835commit 5467fbcb09528ecdcb914f4f2452216c24796790
11836Author: markus@openbsd.org <markus@openbsd.org>
11837Date: Wed Jul 11 18:53:29 2018 +0000
11838
11839 upstream: remove legacy key emulation layer; ok djm@
11840
11841 OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
11842
11843commit 5dc4c59d5441a19c99e7945779f7ec9051126c25
11844Author: martijn@openbsd.org <martijn@openbsd.org>
11845Date: Wed Jul 11 08:19:35 2018 +0000
11846
11847 upstream: s/wuth/with/ in comment
11848
11849 OpenBSD-Commit-ID: 9de41468afd75f54a7f47809d2ad664aa577902c
11850
11851commit 1c688801e9dd7f9889fb2a29bc2b6fbfbc35a11f
11852Author: Darren Tucker <dtucker@dtucker.net>
11853Date: Wed Jul 11 12:12:38 2018 +1000
11854
11855 Include stdlib.h for declaration of free.
11856
11857 Fixes build with -Werror on at least Fedora and probably others.
11858
11859commit fccfa239def497615f92ed28acc57cfe63da3666
11860Author: Damien Miller <djm@mindrot.org>
11861Date: Wed Jul 11 10:19:56 2018 +1000
11862
11863 VALGRIND_CHECK_LEAKS logic was backwards :(
11864
11865commit 416287d45fcde0a8e66eee8b99aa73bd58607588
11866Author: Darren Tucker <dtucker@dtucker.net>
11867Date: Wed Jul 11 10:10:26 2018 +1000
11868
11869 Fix sshbuf_new error path in skey.
11870
11871commit 7aab109b8b90a353c1af780524f1ac0d3af47bab
11872Author: Darren Tucker <dtucker@dtucker.net>
11873Date: Wed Jul 11 10:06:18 2018 +1000
11874
11875 Supply missing third arg in skey.
11876
11877 During the change to the new buffer api the third arg to
11878 sshbuf_get_cstring was ommitted. Fixes build when configured with skey.
11879
11880commit 380320bb72cc353a901790ab04b6287fd335dc4a
11881Author: Darren Tucker <dtucker@dtucker.net>
11882Date: Wed Jul 11 10:03:34 2018 +1000
11883
11884 Supply some more missing "int r" in skey
11885
11886commit d20720d373d8563ee737d1a45dc5e0804d622dbc
11887Author: Damien Miller <djm@mindrot.org>
11888Date: Wed Jul 11 09:56:36 2018 +1000
11889
11890 disable valgrind memleak checking by default
11891
11892 Add VALGRIND_CHECK_LEAKS knob to turn it back on.
11893
11894commit 79c9d35018f3a5e30ae437880b669aa8636cd3cd
11895Author: Darren Tucker <dtucker@dtucker.net>
11896Date: Wed Jul 11 09:54:00 2018 +1000
11897
11898 Supply missing "int r" in skey code.
11899
11900commit 984bacfaacbbe31c35191b828fb5b5b2f0362c36
11901Author: sf@openbsd.org <sf@openbsd.org>
11902Date: Tue Jul 10 09:36:58 2018 +0000
11903
11904 upstream: re-remove some pre-auth compression bits
11905
11906 This time, make sure to not remove things that are necessary for
11907 pre-auth compression on the client. Add a comment that pre-auth
11908 compression is still supported in the client.
11909
11910 ok markus@
11911
11912 OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784
11913
11914commit 120a1ec74e8d9d29f4eb9a27972ddd22351ddef9
11915Author: Damien Miller <djm@mindrot.org>
11916Date: Tue Jul 10 19:39:52 2018 +1000
11917
11918 Adapt portable to legacy buffer API removal
11919
11920commit 0f3958c1e6ffb8ea4ba27e2a97a00326fce23246
11921Author: djm@openbsd.org <djm@openbsd.org>
11922Date: Tue Jul 10 09:13:30 2018 +0000
11923
11924 upstream: kerberos/gssapi fixes for buffer removal
11925
11926 OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c
11927
11928commit c74ae8e7c45f325f3387abd48fa7dfef07a08069
11929Author: djm@openbsd.org <djm@openbsd.org>
11930Date: Tue Jul 10 06:45:29 2018 +0000
11931
11932 upstream: buffer.[ch] and bufaux.c are no more
11933
11934 OpenBSD-Commit-ID: d1a1852284e554f39525eb4d4891b207cfb3d3a0
11935
11936commit a881e5a133d661eca923fb0633a03152ab2b70b2
11937Author: djm@openbsd.org <djm@openbsd.org>
11938Date: Tue Jul 10 06:43:52 2018 +0000
11939
11940 upstream: one mention of Buffer that almost got away :)
11941
11942 OpenBSD-Commit-ID: 30d7c27a90b4544ad5dfacf654595710cd499f02
11943
11944commit 49f47e656b60bcd1d1db98d88105295f4b4e600d
11945Author: markus@openbsd.org <markus@openbsd.org>
11946Date: Mon Jul 9 21:59:10 2018 +0000
11947
11948 upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@
11949
11950 OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29
11951
11952commit cb30cd47041edb03476be1c8ef7bc1f4b69d1555
11953Author: markus@openbsd.org <markus@openbsd.org>
11954Date: Mon Jul 9 21:56:06 2018 +0000
11955
11956 upstream: remove legacy buffer API emulation layer; ok djm@
11957
11958 OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9
11959
11960commit 235c7c4e3bf046982c2d8242f30aacffa01073d1
11961Author: markus@openbsd.org <markus@openbsd.org>
11962Date: Mon Jul 9 21:53:45 2018 +0000
11963
11964 upstream: sshd: switch monitor to sshbuf API; lots of help & ok
11965
11966 djm@
11967
11968 OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
11969
11970commit b8d9214d969775e409e1408ecdf0d58fad99b344
11971Author: markus@openbsd.org <markus@openbsd.org>
11972Date: Mon Jul 9 21:37:55 2018 +0000
11973
11974 upstream: sshd: switch GSSAPI to sshbuf API; ok djm@
11975
11976 OpenBSD-Commit-ID: e48449ab4be3f006f7ba33c66241b7d652973e30
11977
11978commit c7d39ac8dc3587c5f05bdd5bcd098eb5c201c0c8
11979Author: markus@openbsd.org <markus@openbsd.org>
11980Date: Mon Jul 9 21:35:50 2018 +0000
11981
11982 upstream: sshd: switch authentication to sshbuf API; ok djm@
11983
11984 OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
11985
11986commit c3cb7790e9efb14ba74b2d9f543ad593b3d55b31
11987Author: markus@openbsd.org <markus@openbsd.org>
11988Date: Mon Jul 9 21:29:36 2018 +0000
11989
11990 upstream: sshd: switch config to sshbuf API; ok djm@
11991
11992 OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
11993
11994commit 2808d18ca47ad3d251836c555f0e22aaca03d15c
11995Author: markus@openbsd.org <markus@openbsd.org>
11996Date: Mon Jul 9 21:26:02 2018 +0000
11997
11998 upstream: sshd: switch loginmsg to sshbuf API; ok djm@
11999
12000 OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
12001
12002commit 89dd615b8b531979be63f05f9d5624367c9b28e6
12003Author: markus@openbsd.org <markus@openbsd.org>
12004Date: Mon Jul 9 21:20:26 2018 +0000
12005
12006 upstream: ttymodes: switch to sshbuf API; ok djm@
12007
12008 OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429
12009
12010commit f4608a7065480516ab46214f554e5f853fb7870f
12011Author: markus@openbsd.org <markus@openbsd.org>
12012Date: Mon Jul 9 21:18:10 2018 +0000
12013
12014 upstream: client: switch mux to sshbuf API; with & ok djm@
12015
12016 OpenBSD-Commit-ID: 5948fb98d704f9c4e075b92edda64e0290b5feb2
12017
12018commit cecee2d607099a7bba0a84803e2325d15be4277b
12019Author: markus@openbsd.org <markus@openbsd.org>
12020Date: Mon Jul 9 21:03:30 2018 +0000
12021
12022 upstream: client: switch to sshbuf API; ok djm@
12023
12024 OpenBSD-Commit-ID: 60cb0356114acc7625ab85105f6f6a7cd44a8d05
12025
12026commit ff55f4ad898137d4703e7a2bcc81167dfe8e9324
12027Author: markus@openbsd.org <markus@openbsd.org>
12028Date: Mon Jul 9 20:39:28 2018 +0000
12029
12030 upstream: pkcs11: switch to sshbuf API; ok djm@
12031
12032 OpenBSD-Commit-ID: 98cc4e800f1617c51caf59a6cb3006f14492db79
12033
12034commit 168b46f405d6736960ba7930389eecb9b6710b7e
12035Author: sf@openbsd.org <sf@openbsd.org>
12036Date: Mon Jul 9 13:37:10 2018 +0000
12037
12038 upstream: Revert previous two commits
12039
12040 It turns out we still support pre-auth compression on the client.
12041 Therefore revert the previous two commits:
12042
12043 date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
12044 Rename COMP_DELAYED to COMP_ZLIB
12045
12046 Only delayed compression is supported nowadays.
12047
12048 ok markus@
12049
12050 date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
12051 Remove leftovers from pre-authentication compression
12052
12053 Support for this has been removed in 2016.
12054 COMP_DELAYED will be renamed in a later commit.
12055
12056 ok markus@
12057
12058 OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
12059
12060commit ab39267fa1243d02b6c330615539fc4b21e17dc4
12061Author: sf@openbsd.org <sf@openbsd.org>
12062Date: Fri Jul 6 09:06:14 2018 +0000
12063
12064 upstream: Rename COMP_DELAYED to COMP_ZLIB
12065
12066 Only delayed compression is supported nowadays.
12067
12068 ok markus@
12069
12070 OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
12071
12072commit 95db395d2e56a6f868193aead6cadb2493f036c6
12073Author: sf@openbsd.org <sf@openbsd.org>
12074Date: Fri Jul 6 09:05:01 2018 +0000
12075
12076 upstream: Remove leftovers from pre-authentication compression
12077
12078 Support for this has been removed in 2016.
12079 COMP_DELAYED will be renamed in a later commit.
12080
12081 ok markus@
12082
12083 OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
12084
12085commit f28a4d5cd24c4aa177e96b4f96957991e552cb70
12086Author: sf@openbsd.org <sf@openbsd.org>
12087Date: Fri Jul 6 09:03:02 2018 +0000
12088
12089 upstream: Remove unused ssh_packet_start_compression()
12090
12091 ok markus@
12092
12093 OpenBSD-Commit-ID: 9d34cf2f59aca5422021ae2857190578187dc2b4
12094
12095commit 872517ddbb72deaff31d4760f28f2b0a1c16358f
12096Author: Darren Tucker <dtucker@dtucker.net>
12097Date: Fri Jul 6 13:32:02 2018 +1000
12098
12099 Defer setting bufsiz in getdelim.
12100
12101 Do not write to bufsiz until we are sure the malloc has succeeded,
12102 in case any callers rely on it (which they shouldn't). ok djm@
12103
12104commit 3deb56f7190a414dc264e21e087a934fa1847283
12105Author: Darren Tucker <dtucker@dtucker.net>
12106Date: Thu Jul 5 13:32:01 2018 +1000
12107
12108 Fix other callers of read_environment_file.
12109
12110 read_environment_file recently gained an extra argument Some platform
12111 specific code also calls it so add the argument to those too. Fixes
12112 build on Solaris and AIX.
12113
12114commit 314908f451e6b2d4ccf6212ad246fa4619c721d3
12115Author: djm@openbsd.org <djm@openbsd.org>
12116Date: Wed Jul 4 13:51:45 2018 +0000
12117
12118 upstream: deal with API rename: match_filter_list() =>
12119
12120 match_filter_blacklist()
12121
12122 OpenBSD-Regress-ID: 2da342be913efeb51806351af906fab01ba4367f
12123
12124commit 89f54cdf6b9cf1cf5528fd33897f1443913ddfb4
12125Author: djm@openbsd.org <djm@openbsd.org>
12126Date: Wed Jul 4 13:51:12 2018 +0000
12127
12128 upstream: exercise new expansion behaviour of
12129
12130 PubkeyAcceptedKeyTypes and, by proxy, test kex_assemble_names()
12131
12132 ok markus@
12133
12134 OpenBSD-Regress-ID: 292978902e14d5729aa87e492dd166c842f72736
12135
12136commit 187633f24c71564e970681c8906df5a6017dcccf
12137Author: djm@openbsd.org <djm@openbsd.org>
12138Date: Tue Jul 3 13:53:26 2018 +0000
12139
12140 upstream: add a comment that could have saved me 45 minutes of wild
12141
12142 goose chasing
12143
12144 OpenBSD-Regress-ID: d469b29ffadd3402c090e21b792d627d46fa5297
12145
12146commit 312d2f2861a2598ed08587cb6c45c0e98a85408f
12147Author: djm@openbsd.org <djm@openbsd.org>
12148Date: Wed Jul 4 13:49:31 2018 +0000
12149
12150 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
12151
12152 signature work - returns ability to add/remove/specify algorithms by
12153 wildcard.
12154
12155 Algorithm lists are now fully expanded when the server/client configs
12156 are finalised, so errors are reported early and the config dumps
12157 (e.g. "ssh -G ...") now list the actual algorithms selected.
12158
12159 Clarify that, while wildcards are accepted in algorithm lists, they
12160 aren't full pattern-lists that support negation.
12161
12162 (lots of) feedback, ok markus@
12163
12164 OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
12165
12166commit 303af5803bd74bf05d375c04e1a83b40c30b2be5
12167Author: djm@openbsd.org <djm@openbsd.org>
12168Date: Tue Jul 3 11:43:49 2018 +0000
12169
12170 upstream: some magic for RSA-SHA2 checks
12171
12172 OpenBSD-Regress-ID: e5a9b11368ff6d86e7b25ad10ebe43359b471cd4
12173
12174commit 7d68e262944c1fff1574600fe0e5e92ec8b398f5
12175Author: Damien Miller <djm@mindrot.org>
12176Date: Tue Jul 3 23:27:11 2018 +1000
12177
12178 depend
12179
12180commit b4d4eda633af433d20232cbf7e855ceac8b83fe5
12181Author: djm@openbsd.org <djm@openbsd.org>
12182Date: Tue Jul 3 13:20:25 2018 +0000
12183
12184 upstream: some finesse to fix RSA-SHA2 certificate authentication
12185
12186 for certs hosted in ssh-agent
12187
12188 OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
12189
12190commit d78b75df4a57e0f92295f24298e5f2930e71c172
12191Author: djm@openbsd.org <djm@openbsd.org>
12192Date: Tue Jul 3 13:07:58 2018 +0000
12193
12194 upstream: check correct variable; unbreak agent keys
12195
12196 OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
12197
12198commit 2f30300c5e15929d0e34013f38d73e857f445e12
12199Author: djm@openbsd.org <djm@openbsd.org>
12200Date: Tue Jul 3 11:42:12 2018 +0000
12201
12202 upstream: crank version number to 7.8; needed for new compat flag
12203
12204 for prior version; part of RSA-SHA2 strictification, ok markus@
12205
12206 OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
12207
12208commit 4ba0d54794814ec0de1ec87987d0c3b89379b436
12209Author: djm@openbsd.org <djm@openbsd.org>
12210Date: Tue Jul 3 11:39:54 2018 +0000
12211
12212 upstream: Improve strictness and control over RSA-SHA2 signature
12213
12214 In ssh, when an agent fails to return a RSA-SHA2 signature when
12215 requested and falls back to RSA-SHA1 instead, retry the signature to
12216 ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
12217 matches the one in the signature itself.
12218
12219 In sshd, strictly enforce that the public key algorithm sent in the
12220 SSH_MSG_USERAUTH message matches what appears in the signature.
12221
12222 Make the sshd_config PubkeyAcceptedKeyTypes and
12223 HostbasedAcceptedKeyTypes options control accepted signature algorithms
12224 (previously they selected supported key types). This allows these
12225 options to ban RSA-SHA1 in favour of RSA-SHA2.
12226
12227 Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
12228 "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
12229 with certificate keys.
12230
12231 feedback and ok markus@
12232
12233 OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
12234
12235commit 95344c257412b51199ead18d54eaed5bafb75617
12236Author: djm@openbsd.org <djm@openbsd.org>
12237Date: Tue Jul 3 10:59:35 2018 +0000
12238
12239 upstream: allow sshd_config PermitUserEnvironment to accept a
12240
12241 pattern-list of whitelisted environment variable names in addition to yes|no.
12242
12243 bz#1800, feedback and ok markus@
12244
12245 OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
12246
12247commit 6f56fe4b9578b0627667f8bce69d4d938a88324c
12248Author: millert@openbsd.org <millert@openbsd.org>
12249Date: Tue Jun 26 11:23:59 2018 +0000
12250
12251 upstream: Fix "WARNING: line 6 disappeared in /etc/moduli, giving up"
12252
12253 when choosing a prime. An extra increment of linenum snuck in as part of the
12254 conversion to getline(). OK djm@ markus@
12255
12256 OpenBSD-Commit-ID: 0019225cb52ed621b71cd9f19ee2e78e57e3dd38
12257
12258commit 1eee79a11c1b3594f055b01e387c49c9a6e80005
12259Author: dtucker@openbsd.org <dtucker@openbsd.org>
12260Date: Mon Jul 2 14:13:30 2018 +0000
12261
12262 upstream: One ampersand is enough to backgroud an process. OpenBSD
12263
12264 doesn't seem to mind, but some platforms in -portable object to the second.
12265
12266 OpenBSD-Regress-ID: d6c3e404871764343761dc25c3bbe29c2621ff74
12267
12268commit 6301e6c787d4e26bfae1119ab4f747bbcaa94e44
12269Author: Darren Tucker <dtucker@dtucker.net>
12270Date: Mon Jul 2 21:16:58 2018 +1000
12271
12272 Add implementation of getline.
12273
12274 Add getline for the benefit of platforms that don't have it. Sourced
12275 from NetBSD (OpenBSD's implementation is a little too chummy with the
12276 internals of FILE).
12277
12278commit 84623e0037628f9992839063151f7a9f5f13099a
12279Author: djm@openbsd.org <djm@openbsd.org>
12280Date: Tue Jun 26 02:02:36 2018 +0000
12281
12282 upstream: whitespace
12283
12284 OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572
12285
12286commit 90e51d672711c19a36573be1785caf35019ae7a8
12287Author: djm@openbsd.org <djm@openbsd.org>
12288Date: Mon Jun 25 22:28:33 2018 +0000
12289
12290 upstream: fix NULL dereference in open_listen_match_tcpip()
12291
12292 OpenBSD-Commit-ID: c968c1d29e392352383c0f9681fcc1e93620c4a9
12293
12294commit f535ff922a67d9fcc5ee69d060d1b21c8bb01d14
12295Author: jmc@openbsd.org <jmc@openbsd.org>
12296Date: Tue Jun 19 05:36:57 2018 +0000
12297
12298 upstream: spelling;
12299
12300 OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
12301
12302commit 80e199d6175904152aafc5c297096c3e18297691
12303Author: djm@openbsd.org <djm@openbsd.org>
12304Date: Tue Jun 19 03:02:17 2018 +0000
12305
12306 upstream: test PermitListen with bare port numbers
12307
12308 OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3
12309
12310commit 87ddd676da0f3abd08b778b12b53b91b670dc93c
12311Author: djm@openbsd.org <djm@openbsd.org>
12312Date: Tue Jun 19 02:59:41 2018 +0000
12313
12314 upstream: allow bare port numbers to appear in PermitListen directives,
12315
12316 e.g.
12317
12318 PermitListen 2222 8080
12319
12320 is equivalent to:
12321
12322 PermitListen *:2222 *:8080
12323
12324 Some bonus manpage improvements, mostly from markus@
12325
12326 "looks fine" markus@
12327
12328 OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
12329
12330commit 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be
12331Author: djm@openbsd.org <djm@openbsd.org>
12332Date: Fri Jun 15 07:01:11 2018 +0000
12333
12334 upstream: invalidate supplemental group cache used by
12335
12336 temporarily_use_uid() when the target uid differs; could cause failure to
12337 read authorized_keys under some configurations. patch by Jakub Jelen via
12338 bz2873; ok dtucker, markus
12339
12340 OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
12341
12342commit 89a85d724765b6b82e0135ee5a1181fdcccea9c6
12343Author: djm@openbsd.org <djm@openbsd.org>
12344Date: Sun Jun 10 23:45:41 2018 +0000
12345
12346 upstream: unbreak SendEnv; patch from tb@
12347
12348 OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
12349
12350commit acf4260f0951f89c64e1ebbc4c92f451768871ad
12351Author: jmc@openbsd.org <jmc@openbsd.org>
12352Date: Sat Jun 9 06:36:31 2018 +0000
12353
12354 upstream: sort previous;
12355
12356 OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
12357
12358commit 1678d4236451060b735cb242d2e26e1ac99f0947
12359Author: djm@openbsd.org <djm@openbsd.org>
12360Date: Sat Jun 9 03:18:11 2018 +0000
12361
12362 upstream: slightly better wording re handing of $TERM, from Jakub
12363
12364 Jelen via bz2386
12365
12366 OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
12367
12368commit 28013759f09ed3ebf7e8335e83a62936bd7a7f47
12369Author: djm@openbsd.org <djm@openbsd.org>
12370Date: Sat Jun 9 03:03:10 2018 +0000
12371
12372 upstream: add a SetEnv directive for sshd_config to allow an
12373
12374 administrator to explicitly specify environment variables set in sessions
12375 started by sshd. These override the default environment and any variables set
12376 by user configuration (PermitUserEnvironment, etc), but not the SSH_*
12377 variables set by sshd itself.
12378
12379 ok markus@
12380
12381 OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
12382
12383commit 7082bb58a2eb878d23ec674587c742e5e9673c36
12384Author: djm@openbsd.org <djm@openbsd.org>
12385Date: Sat Jun 9 03:01:12 2018 +0000
12386
12387 upstream: add a SetEnv directive to ssh_config that allows setting
12388
12389 environment variables for the remote session (subject to the server accepting
12390 them)
12391
12392 refactor SendEnv to remove the arbitrary limit of variable names.
12393
12394 ok markus@
12395
12396 OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
12397
12398commit 3b9798bda15bd3f598f5ef07595d64e23504da91
12399Author: djm@openbsd.org <djm@openbsd.org>
12400Date: Sat Jun 9 02:58:02 2018 +0000
12401
12402 upstream: reorder child environment preparation so that variables
12403
12404 read from ~/.ssh/environment (if enabled) do not override SSH_* variables set
12405 by the server.
12406
12407 OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a
12408
12409commit 0368889f82f63c82ff8db9f8c944d89e7c657db4
12410Author: djm@openbsd.org <djm@openbsd.org>
12411Date: Fri Jun 8 03:35:36 2018 +0000
12412
12413 upstream: fix incorrect expansion of %i in
12414
12415 load_public_identity_files(); reported by Roumen Petrov
12416
12417 OpenBSD-Commit-ID: a827289e77149b5e0850d72a350c8b0300e7ef25
12418
12419commit 027607fc2db6a0475a3380f8d95c635482714cb0
12420Author: djm@openbsd.org <djm@openbsd.org>
12421Date: Fri Jun 8 01:55:40 2018 +0000
12422
12423 upstream: fix some over-long lines and __func__ up some debug
12424
12425 messages
12426
12427 OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
12428
12429commit 6ff6fda705bc204456a5fa12518dde6e8790bb02
12430Author: jmc@openbsd.org <jmc@openbsd.org>
12431Date: Thu Jun 7 11:26:14 2018 +0000
12432
12433 upstream: tweak previous;
12434
12435 OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
12436
12437commit f2c06ab8dd90582030991f631a2715216bf45e5a
12438Author: Darren Tucker <dtucker@dtucker.net>
12439Date: Fri Jun 8 17:43:36 2018 +1000
12440
12441 Remove ability to override $LD.
12442
12443 Since autoconf always uses $CC to link C programs, allowing users to
12444 override LD caused mismatches between what LD_LINK_IFELSE thought worked
12445 and what ld thought worked. If you do need to do this kind of thing you
12446 need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS.
12447
12448commit e1542a80797b4ea40a91d2896efdcc76a57056d2
12449Author: Darren Tucker <dtucker@dtucker.net>
12450Date: Fri Jun 8 13:55:59 2018 +1000
12451
12452 Better detection of unsupported compiler options.
12453
12454 Should prevent "unsupported -Wl,-z,retpoline" warnings during linking.
12455 ok djm@
12456
12457commit 57379dbd013ad32ee3f9989bf5f5741065428360
12458Author: djm@openbsd.org <djm@openbsd.org>
12459Date: Thu Jun 7 14:29:43 2018 +0000
12460
12461 upstream: test the correct configuration option name
12462
12463 OpenBSD-Regress-ID: 492279ea9f65657f97a970e0e7c7fd0b339fee23
12464
12465commit 6d41815e202fbd6182c79780b6cc90e1ec1c9981
12466Author: djm@openbsd.org <djm@openbsd.org>
12467Date: Thu Jun 7 09:26:42 2018 +0000
12468
12469 upstream: some permitlisten fixes from markus@ that I missed in my
12470
12471 insomnia-fueled commits last night
12472
12473 OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c
12474
12475commit 4319f7a868d86d435fa07112fcb6153895d03a7f
12476Author: djm@openbsd.org <djm@openbsd.org>
12477Date: Thu Jun 7 04:46:34 2018 +0000
12478
12479 upstream: permitlisten/PermitListen unit test from Markus
12480
12481 OpenBSD-Regress-ID: ab12eb42f0e14926980441cf7c058a6d1d832ea5
12482
12483commit fa09076410ffc2d34d454145af23c790d728921e
12484Author: djm@openbsd.org <djm@openbsd.org>
12485Date: Thu Jun 7 04:31:51 2018 +0000
12486
12487 upstream: fix regression caused by recent permitlisten option commit:
12488
12489 authorized_keys lines that contained permitopen/permitlisten were being
12490 treated as invalid.
12491
12492 OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b
12493
12494commit 7f90635216851f6cb4bf3999e98b825f85d604f8
12495Author: markus@openbsd.org <markus@openbsd.org>
12496Date: Wed Jun 6 18:29:18 2018 +0000
12497
12498 upstream: switch config file parsing to getline(3) as this avoids
12499
12500 static limits noted by gerhard@; ok dtucker@, djm@
12501
12502 OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
12503
12504commit 392db2bc83215986a91c0b65feb0e40e7619ce7e
12505Author: djm@openbsd.org <djm@openbsd.org>
12506Date: Wed Jun 6 18:25:33 2018 +0000
12507
12508 upstream: regress test for PermitOpen
12509
12510 OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
12511
12512commit 803d896ef30758135e2f438bdd1a0be27989e018
12513Author: djm@openbsd.org <djm@openbsd.org>
12514Date: Wed Jun 6 18:24:15 2018 +0000
12515
12516 upstream: man bits for permitlisten authorized_keys option
12517
12518 OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
12519
12520commit 04df43208b5b460d7360e1598f876b92a32f5922
12521Author: djm@openbsd.org <djm@openbsd.org>
12522Date: Wed Jun 6 18:24:00 2018 +0000
12523
12524 upstream: man bits for PermitListen
12525
12526 OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
12527
12528commit 93c06ab6b77514e0447fe4f1d822afcbb2a9be08
12529Author: djm@openbsd.org <djm@openbsd.org>
12530Date: Wed Jun 6 18:23:32 2018 +0000
12531
12532 upstream: permitlisten option for authorized_keys; ok markus@
12533
12534 OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
12535
12536commit 115063a6647007286cc8ca70abfd2a7585f26ccc
12537Author: djm@openbsd.org <djm@openbsd.org>
12538Date: Wed Jun 6 18:22:41 2018 +0000
12539
12540 upstream: Add a PermitListen directive to control which server-side
12541
12542 addresses may be listened on when the client requests remote forwarding (ssh
12543 -R).
12544
12545 This is the converse of the existing PermitOpen directive and this
12546 includes some refactoring to share much of its implementation.
12547
12548 feedback and ok markus@
12549
12550 OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
12551
12552commit 7703ae5f5d42eb302ded51705166ff6e19c92892
12553Author: Darren Tucker <dtucker@dtucker.net>
12554Date: Wed Jun 6 16:04:29 2018 +1000
12555
12556 Use ssh-keygen -A to generate missing host keys.
12557
12558 Instead of testing for each specific key type, use ssh-keygen -A to
12559 generate any missing host key types.
12560
12561commit e8d59fef1098e24f408248dc64e5c8efa5d01f3c
12562Author: jmc@openbsd.org <jmc@openbsd.org>
12563Date: Fri Jun 1 06:23:10 2018 +0000
12564
12565 upstream: add missing punctuation after %i in ssh_config.5, and
12566
12567 make the grammatical format in sshd_config.5 match that in ssh_config.5;
12568
12569 OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
12570
12571commit a1f737d6a99314e291a87856122cb4dbaf64c641
12572Author: jmc@openbsd.org <jmc@openbsd.org>
12573Date: Fri Jun 1 05:52:26 2018 +0000
12574
12575 upstream: oops - further adjustment to text neccessary;
12576
12577 OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025
12578
12579commit 294028493471e0bd0c7ffe55dc0c0a67cba6ec41
12580Author: jmc@openbsd.org <jmc@openbsd.org>
12581Date: Fri Jun 1 05:50:18 2018 +0000
12582
12583 upstream: %U needs to be escaped; tweak text;
12584
12585 OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e
12586
12587commit e5019da3c5a31e6e729a565f2b886a80c4be96cc
12588Author: dtucker@openbsd.org <dtucker@openbsd.org>
12589Date: Fri Jun 1 04:31:48 2018 +0000
12590
12591 upstream: Apply umask to all incoming files and directories not
12592
12593 just files. This makes sure it gets applied to directories too, and prevents
12594 a race where files get chmodded after creation. bz#2839, ok djm@
12595
12596 OpenBSD-Commit-ID: 3168ee6c7c39093adac4fd71039600cfa296203b
12597
12598commit a1dcafc41c376332493b9385ee39f9754dc145ec
12599Author: djm@openbsd.org <djm@openbsd.org>
12600Date: Fri Jun 1 03:52:37 2018 +0000
12601
12602 upstream: Adapt to extra default verboisity from ssh-keygen when
12603
12604 searching for and hashing known_hosts entries in a single operation
12605 (ssh-keygen -HF ...) Patch from Anton Kremenetsky
12606
12607 OpenBSD-Regress-ID: 519585a4de35c4611285bd6a7272766c229b19dd
12608
12609commit 76f314c75dffd4a55839d50ee23622edad52c168
12610Author: djm@openbsd.org <djm@openbsd.org>
12611Date: Tue May 22 00:22:49 2018 +0000
12612
12613 upstream: Add TEST_SSH_FAIL_FATAL variable, to force all failures
12614
12615 to instantly abort the test. Useful in capturing clean logs for individual
12616 failure cases.
12617
12618 OpenBSD-Regress-ID: feba18cf338c2328b9601bd4093cabdd9baa3af1
12619
12620commit 065c8c055df8d83ae7c92e5e524a579d87668aab
12621Author: dtucker@openbsd.org <dtucker@openbsd.org>
12622Date: Fri May 11 03:51:06 2018 +0000
12623
12624 upstream: Clean up comment.
12625
12626 OpenBSD-Regress-ID: 6adb35f384d447e7dcb9f170d4f0d546d3973e10
12627
12628commit 01b048c8eba3b021701bd0ab26257fc82903cba8
12629Author: djm@openbsd.org <djm@openbsd.org>
12630Date: Fri Jun 1 04:21:29 2018 +0000
12631
12632 upstream: whitespace
12633
12634 OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add
12635
12636commit 854ae209f992465a276de0b5f10ef770510c2418
12637Author: djm@openbsd.org <djm@openbsd.org>
12638Date: Fri Jun 1 04:05:29 2018 +0000
12639
12640 upstream: make ssh_remote_ipaddr() capable of being called after
12641
12642 the ssh->state has been torn down; bz#2773
12643
12644 OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb
12645
12646commit 3e088aaf236ef35beeef3c9be93fd53700df5861
12647Author: djm@openbsd.org <djm@openbsd.org>
12648Date: Fri Jun 1 03:51:34 2018 +0000
12649
12650 upstream: return correct exit code when searching for and hashing
12651
12652 known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772
12653 Report and fix from Anton Kremenetsky
12654
12655 OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
12656
12657commit 9c935dd9bf05628826ad2495d3e8bdf3d3271c21
12658Author: djm@openbsd.org <djm@openbsd.org>
12659Date: Fri Jun 1 03:33:53 2018 +0000
12660
12661 upstream: make UID available as a %-expansion everywhere that the
12662
12663 username is available currently. In the client this is via %i, in the server
12664 %U (since %i was already used in the client in some places for this, but used
12665 for something different in the server); bz#2870, ok dtucker@
12666
12667 OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
12668
12669commit d8748b91d1d6c108c0c260ed41fa55f37b9ef34b
12670Author: djm@openbsd.org <djm@openbsd.org>
12671Date: Fri Jun 1 03:11:49 2018 +0000
12672
12673 upstream: prefer argv0 to "ssh" when re-executing ssh for ProxyJump
12674
12675 directive; bz2831, feedback and ok dtucker@
12676
12677 OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e