Age | Commit message | Author
2012-12-13 | - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our compat code for older OpenSSL | Damien Miller
2012-12-13 | - markus@cvs.openbsd.org 2012/12/12 16:45:52 [packet.c] reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only partially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert | Damien Miller
2012-12-12 | - (djm) [regress/Makefile] fix t-exec rule | Damien Miller
2012-12-12 | - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip | Damien Miller
2012-12-12 | - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test work on platforms without 'jot' | Damien Miller
2012-12-12 | - (djm) [mac.c] fix merge botch | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 23:12:13 [try-ciphers.sh] add hmac-ripemd160-etm@openssh.com | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:42:11 [regress/Makefile regress/modpipe.c regress/integrity.sh] test the integrity of the packets; with djm@ | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:32:56 [regress/try-ciphers.sh] add etm modes | Damien Miller
2012-12-12 | - sthen@cvs.openbsd.org 2012/12/11 22:51:45 [mac.c] fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:31:18 [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@ | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:16:21 [monitor.c] drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@ | Damien Miller
2012-12-07 | - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 [serverloop.c] Cast signal to int for logging. A no-op on openbsd (they're always ints) but will prevent warnings in portable. ok djm@ | Darren Tucker
2012-12-07 | - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] prevent double-free of comment; ok djm@ | Darren Tucker
2012-12-07 | - jmc@cvs.openbsd.org 2012/12/03 08:33:03 [ssh-add.1 sshd_config.5] tweak previous; | Darren Tucker
2012-12-07 | - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 [regress/keys-command.sh] Fix some problems with the keys-command test: - use string comparison rather than numeric comparison - check for existing KEY_COMMAND file and don't clobber if it exists - clean up KEY_COMMAND file if we do create it. - check that KEY_COMMAND is executable (which it won't be if eg /var/run is mounted noexec). ok djm. | Darren Tucker
2012-12-04 | 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. | Tim Rice
2012-12-03 | - (djm) [configure.ac] Revert previous. configure.ac already does this for us. | Damien Miller
2012-12-03 | - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation debugging. ok dtucker@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/03 00:14:06 [auth2-chall.c ssh-keygen.c] Fix compilation with -Wall -Werror (trivial type fixes) | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:47:48 [Makefile regress/forward-control.sh] regress for AllowTcpForwarding local/remote; ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/11/22 22:49:30 [regress/Makefile regress/keys-command.sh] regress for AuthorizedKeysCommand; hints from markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/10/19 05:10:42 [regress/cert-userkey.sh] include a serial number when generating certs | Damien Miller
2012-12-03 | - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 [regress/cipher-speed.sh regress/try-ciphers.sh] Add umac-128@openssh.com to the list of MACs to be tested | Damien Miller
2012-12-03 | - dtucker@cvs.openbsd.org 2012/10/05 02:05:30 [regress/multiplex.sh] Use 'kill -0' to test for the presence of a pid since it's more portable | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:34:10 [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] [monitor.c monitor.h] Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:46:11 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:42:15 [ssh-add.1 ssh-add.c] make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:26:11 [ssh_config.5 sshconnect2.c] Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@ | Damien Miller
2012-12-03 | - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get TAILQ_FOREACH_SAFE needed for upcoming changes. | Damien Miller
2012-11-14 | - djm@cvs.openbsd.org 2012/11/14 02:32:15 [ssh-keygen.c] allow the full range of unsigned serial numbers; 'fine' deraadt@ | Damien Miller
2012-11-14 | - djm@cvs.openbsd.org 2012/11/14 02:24:27 [auth2-pubkey.c] fix username passed to helper program prepare stdio fds before closefrom() spotted by landry@ | Damien Miller
2012-11-07 | - jmc@cvs.openbsd.org 2012/09/26 17:34:38 [moduli.5] last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; | Damien Miller
2012-11-07 | - eric@cvs.openbsd.org 2011/11/28 08:46:27 [moduli.5] fix formula ok djm@ | Damien Miller
2012-11-05 | - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that don't have it. Spotted by tim@. | Darren Tucker
2012-11-05 | - (dtucker) [uidswap.c openbsd-compat/Makefile.in openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids and gids from uidswap.c to the compat library, which allows it to work with the new setresuid calls in auth2-pubkey. with tim@, ok djm@ | Darren Tucker
2012-11-04 | - djm@cvs.openbsd.org 2012/11/04 11:09:15 [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@ | Damien Miller
2012-11-04 | - djm@cvs.openbsd.org 2012/11/04 10:38:43 [auth2-pubkey.c sshd.c sshd_config.5] Remove default of AuthorizedCommandUser. Administrators are now expected to explicitly specify a user. feedback and ok markus@ | Damien Miller
2012-11-04 | - OpenBSD CVS Sync - jmc@cvs.openbsd.org 2012/10/31 08:04:50 [sshd_config.5] tweak previous; | Damien Miller
2012-10-31 | - djm@cvs.openbsd.org 2012/10/30 21:29:55 [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@ | Damien Miller
2012-10-31 | - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2012/10/05 12:34:39 [sftp.c] fix signed vs unsigned warning; feedback & ok: djm@ | Damien Miller
2012-10-18 | - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in the generated file as intended. | Tim Rice
2012-10-05 | - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom" | Darren Tucker
2012-10-05 | - [umac.c] Enforce allowed umac output sizes. From djm@. | Darren Tucker
2012-10-05 | - dtucker@cvs.openbsd.org 2012/09/10 01:51:19 [regress/multiplex.sh] use -Ocheck and waiting for completions by PID to make multiplexing test less racy and (hopefully) more reliable on slow hardware. | Darren Tucker
2012-10-05 | - dtucker@cvs.openbsd.org 2012/09/10 00:49:21 [regress/multiplex.sh] Log -O cmd output to the log file and make logging consistent with the other tests. Test clean shutdown of an existing channel when testing "stop". | Darren Tucker
2012-10-05 | - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 [multiplex.sh] Add test for ssh -Ostop | Darren Tucker
2012-10-05 | - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 [regress/try-ciphers.sh] Restore missing space. (Id sync only). | Darren Tucker
2012-10-05 | - [Makefile umac.c] Add special-case target to build umac128.o. | Darren Tucker
2012-10-05 | remove stray '+' from sync | Darren Tucker