summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-09-22upstream commitdtucker@openbsd.org
Use strsignal in debug message instead of casting for the benefit of portable where sig_atomic_t might not be int. "much nicer" deraadt@ Upstream-ID: 2dac6c1e40511c700bd90664cd263ed2299dcf79
2017-09-22upstream commitmillert@openbsd.org
Use explicit_bzero() instead of bzero() before free() to prevent the compiler from optimizing away the bzero() call. OK djm@ Upstream-ID: cdc6197e64c9684c7250e23d60863ee1b53cef1d
2017-09-19upstream commitdjm@openbsd.org
fix use-after-free in ~^Z escape handler path, introduced in channels.c refactor; spotted by millert@ "makes sense" deraadt@ Upstream-ID: 8fa2cdc65c23ad6420c1e59444b0c955b0589b22
2017-09-19upstream commitdtucker@openbsd.org
Prevent type mismatch warning in debug on platforms where sig_atomic_t != int. ok djm@ Upstream-ID: 306e2375eb0364a4c68e48f091739bea4f4892ed
2017-09-19upstream commitdtucker@openbsd.org
Add braces missing after channels refactor. ok markus@ Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
2017-09-19add freezero(3) replacementDamien Miller
ok dtucker@
2017-09-19move FORTIFY_SOURCE into hardening options groupDamien Miller
It's still on by default, but now it's possible to turn it off using --without-hardening. This is useful since it's known to cause problems with some -fsanitize options. ok dtucker@
2017-09-18upstream commitbluhm@openbsd.org
Print SKIPPED if sudo and doas configuration is missing. Prevents that running the regression test with wrong environment is reported as failure. Keep the fatal there to avoid interfering with other setups for portable ssh. OK dtucker@ Upstream-Regress-ID: f0dc60023caef496ded341ac5aade2a606fa234e
2017-09-18upstream commitdtucker@openbsd.org
Remove obsolete privsep=no fallback test. Upstream-Regress-ID: 7d6e1baa1678ac6be50c2a1555662eb1047638df
2017-09-18upstream commitdtucker@openbsd.org
Remove non-privsep test since disabling privsep is now deprecated. Upstream-Regress-ID: 77ad3f3d8d52e87f514a80f285c6c1229b108ce8
2017-09-18upstream commitdtucker@openbsd.org
Don't call fatal from stop_sshd since it calls cleanup which calls stop_sshd which will probably fail in the same way. Instead, just bail. Differentiate between sshd dying without cleanup and not shutting down. Upstream-Regress-ID: f97315f538618b349e2b0bea02d6b0c9196c6bc4
2017-09-14upstream commitdjm@openbsd.org
Revert commitid: gJtIN6rRTS3CHy9b. ------------- identify the case where SSHFP records are missing but other DNS RR types are present and display a more useful error message for this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@ ------------- This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results are missing but the user already has the key in known_hosts Spotted by dtucker@ Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
2017-09-12adapt portable to channels API changesDamien Miller
2017-09-12upstream commitdjm@openbsd.org
unused variable Upstream-ID: 2f9ba09f2708993d35eac5aa71df910dcc52bac1
2017-09-12upstream commitdjm@openbsd.org
fix tun/tap forwarding case in previous Upstream-ID: 43ebe37a930320e24bca6900dccc39857840bc53
2017-09-12upstream commitdjm@openbsd.org
Make remote channel ID a u_int Previously we tracked the remote channel IDs in an int, but this is strictly incorrect: the wire protocol uses uint32 and there is nothing in-principle stopping a SSH implementation from sending, say, 0xffff0000. In practice everyone numbers their channels sequentially, so this has never been a problem. ok markus@ Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
2017-09-12upstream commitdjm@openbsd.org
refactor channels.c Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@ Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12upstream commitdjm@openbsd.org
typo in comment Upstream-ID: a93b1e6f30f1f9b854b5b964b9fd092d0c422c47
2017-09-12upstream commitjmc@openbsd.org
tweak previous; Upstream-ID: bb8cc40b61b15f6a13d81da465ac5bfc65cbfc4b
2017-09-08Fuzzer harnesses for sig verify and pubkey parsingDamien Miller
These are some basic clang libfuzzer harnesses for signature verification and public key parsing. Some assembly (metaphorical) required.
2017-09-08Give configure ability to set CFLAGS/LDFLAGS laterDamien Miller
Some CFLAGS/LDFLAGS may disrupt the configure script's operation, in particular santization and fuzzer options that break assumptions about memory and file descriptor dispositions. This adds two flags to configure --with-cflags-after and --with-ldflags-after that allow specifying additional compiler and linker options that are added to the resultant Makefiles but not used in the configure run itself. E.g. env CC=clang-3.9 ./configure \ --with-cflags-after=-fsantize=address \ --with-ldflags-after="-g -fsanitize=address"
2017-09-04upstream commitdjm@openbsd.org
Expand ssh_config's StrictModes option with two new settings: StrictModes=accept-new will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. StrictModes=off is the same as StrictModes=no Motivation: StrictModes=no combines two behaviours for host key processing: automatically learning new hostkeys and continuing to connect to hosts with invalid/changed hostkeys. The latter behaviour is quite dangerous since it removes most of the protections the SSH protocol is supposed to provide. Quite a few users want to automatically learn hostkeys however, so this makes that feature available with less danger. At some point in the future, StrictModes=no will change to be a synonym for accept-new, with its current behaviour remaining available via StrictModes=off. bz#2400, suggested by Michael Samuel; ok markus Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
2017-09-04upstream commitjmc@openbsd.org
remove blank line; Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
2017-09-04upstream commitdjm@openbsd.org
identify the case where SSHFP records are missing but other DNS RR types are present and display a more useful error message for this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@ Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
2017-09-04upstream commitdjm@openbsd.org
document available AuthenticationMethods; bz#2453 ok dtucker@ Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
2017-09-04upstream commitdjm@openbsd.org
pass packet state down to some of the channels function (more to come...); ok markus@ Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
2017-09-04upstream commitjmc@openbsd.org
sort options; Upstream-ID: cf21d68cf54e81968bca629aaeddc87f0c684f3c
2017-09-04upstream commitdlg@openbsd.org
add a -q option to ssh-add to make it quiet on success. if you want to silence ssh-add without this you generally redirect the output to /dev/null, but that can hide error output which you should see. ok djm@ Upstream-ID: 2f31b9b13f99dcf587e9a8ba443458e6c0d8997c
2017-09-04upstream commitdtucker@openbsd.org
Increase the buffer sizes for user prompts to ensure that they won't be truncated by snprintf. Based on patch from cjwatson at debian.org via bz#2768, ok djm@ Upstream-ID: 6ffacf1abec8f40b469de5b94bfb29997d96af3e
2017-08-28Switch Capsicum header to sys/capsicum.h.Darren Tucker
FreeBSD's <sys/capability.h> was renamed to <sys/capsicum.h> in 2014 to avoid future conflicts with POSIX capabilities (the last release that didn't have it was 9.3) so switch to that. Patch from des at des.no.
2017-08-27Add missing includes for bsd-err.c.Darren Tucker
Patch from cjwatson at debian.org via bz#2767.
2017-08-25Split platform_sys_dir_uid into its own fileDamien Miller
platform.o is too heavy for libssh.a use; it calls into the server on many platforms. Move just the function needed by misc.c into its own file.
2017-08-23misc.c needs functions from platform.c nowDamien Miller
2017-08-23upstream commitdjm@openbsd.org
add a "quiet" flag to exited_cleanly() that supresses errors about exit status (failure due to signal is still reported) Upstream-ID: db85c39c3aa08e6ff67fc1fb4ffa89f807a9d2f0
2017-08-23upstream commitdjm@openbsd.org
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition. feedback & ok dtucker@ Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
2017-08-12upstream commitdjm@openbsd.org
make "--" before the hostname terminate command-line option processing completely; previous behaviour would not prevent further options appearing after the hostname (ssh has a supported options after the hostname for >20 years, so that's too late to change). ok deraadt@ Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89
2017-08-12upstream commitdjm@openbsd.org
Switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. The latter having the advantage of being supported for no-OpenSSL builds; bz#2754 ok markus@ Upstream-ID: 54179a2afd28f93470471030567ac40431e56909
2017-08-12upstream commitdjm@openbsd.org
refuse to a private keys when its corresponding .pub key does not match. bz#2737 ok dtucker@ Upstream-ID: 54ff5e2db00037f9db8d61690f26ef8f16e0d913
2017-08-12upstream commitdjm@openbsd.org
don't print verbose error message when ssh disconnects under sftp; bz#2750; ok dtucker@ Upstream-ID: 6d83708aed77b933c47cf155a87dc753ec01f370
2017-08-12upstream commitdtucker@openbsd.org
Tweak previous keepalive commit: if last_time + keepalive <= now instead of just "<" so client_alive_check will fire if the select happens to return on exact second of the timeout. ok djm@ Upstream-ID: e02756bd6038d11bb8522bfd75a4761c3a684fcc
2017-08-12upstream commitdtucker@openbsd.org
Keep track of the last time we actually heard from the client and use this to also schedule a client_alive_check(). Prevents activity on a forwarded port from indefinitely preventing the select timeout so that client_alive_check() will eventually (although not optimally) be called. Analysis by willchan at google com via bz#2756, feedback & ok djm@ Upstream-ID: c08721e0bbda55c6d18e2760f3fe1b17fb71169e
2017-07-28Expose list of completed auth methods to PAMDamien Miller
bz#2408; ok dtucker@
2017-07-28fix problems in tunnel forwarding portability codeDamien Miller
This fixes a few problems in the tun forwarding code, mostly to do with host/network byte order confusion. Based on a report and patch by stepe AT centaurus.uberspace.de; bz#2735; ok dtucker@
2017-07-28upstream commitdtucker@openbsd.org
Make WinSCP patterns for SSH_OLD_DHGEX more specific to exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@ Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
2017-07-24upstream commitdjm@openbsd.org
g/c unused variable; make a little more portable Upstream-ID: 3f5980481551cb823c6fb2858900f93fa9217dea
2017-07-24upstream commitdjm@openbsd.org
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@ Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
2017-07-21mention libeditDamien Miller
2017-07-21upstream commitmarkus@openbsd.org
fix support for unknown key types; ok djm@ Upstream-ID: 53fb29394ed04d616d65b3748dee5aa06b07ab48
2017-07-21upstream commitdjm@openbsd.org
switch from select() to poll() for the ssh-agent mainloop; ok markus Upstream-ID: 4a94888ee67b3fd948fd10693973beb12f802448
2017-07-21upstream commitdtucker@openbsd.org
Make ""Killed by signal 1" LogLevel verbose so it's not shown at the default level. Prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744, feedback&ok markus@ Upstream-ID: debfaa7e859b272246c2f2633335d288d2e2ae28