summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-12-28GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-12-28 Patch-Name: gssapi.patch
2016-12-20Import openssh_7.4p1.orig.tar.gzColin Watson
2016-12-19crank version numbers for releaseDamien Miller
2016-12-19upstream commitdjm@openbsd.org
openssh-7.4 Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
2016-12-19upstream commitdjm@openbsd.org
remove testcase that depends on exact output and behaviour of snprintf(..., "%s", NULL) Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
2016-12-19upstream commitdtucker@openbsd.org
Use LOGNAME to get current user and fall back to whoami if not set. Mainly to benefit -portable since some platforms don't have whoami. Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
2016-12-17upstream commitdtucker@openbsd.org
Add regression test for AllowUsers and DenyUsers. Patch from Zev Weiss <zev at bewilderbeest.net> Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
2016-12-16Add missing monitor.h include.Darren Tucker
Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
2016-12-16upstream commitdjm@openbsd.org
revert to rev1.2; the new bits in this test depend on changes to ssh that aren't yet committed Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
2016-12-16upstream commitdtucker@openbsd.org
Move the "stop sshd" code into its own helper function. Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@ Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
2016-12-16upstream commitdjm@openbsd.org
regression test for certificates along with private key with no public half. bz#2617, mostly from Adam Eijdenberg Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
2016-12-16upstream commitdtucker@openbsd.org
Use $SUDO to read pidfile in case root's umask is restricted. From portable. Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
2016-12-16upstream commitdtucker@openbsd.org
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@ Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
2016-12-16upstream commitdtucker@openbsd.org
Fix text in error message. Patch from zev at bewilderbeest.net. Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
2016-12-14upstream commitdjm@openbsd.org
disable Unix-domain socket forwarding when privsep is disabled Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
2016-12-14upstream commitdjm@openbsd.org
log connections dropped in excess of MaxStartups at verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@ Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
2016-12-13Get default of TEST_SSH_UTF8 from environment.Darren Tucker
2016-12-13Remove commented-out includes.Darren Tucker
These commented-out includes have "Still needed?" comments. Since they've been commented out for ~13 years I assert that they're not.
2016-12-13Add prototype for strcasestr in compat library.Darren Tucker
2016-12-13Add strcasestr to compat library.Darren Tucker
Fixes build on (at least) Solaris 10.
2016-12-12Force Turkish locales back to C/POSIX; bz#2643Damien Miller
Turkish locales are unique in their handling of the letters 'i' and 'I' (yes, they are different letters) and OpenSSH isn't remotely prepared to deal with that. For now, the best we can do is to force OpenSSH to use the C/POSIX locale and try to preserve the UTF-8 encoding if possible. ok dtucker@
2016-12-09exit is in stdlib.h not unistd.h (that's _exit).Darren Tucker
2016-12-09Include <unistd.h> for exit in utf8 locale test.Darren Tucker
2016-12-08Check for utf8 local support before testing it.Darren Tucker
Check for utf8 local support and if not found, do not attempt to run the utf8 tests. Suggested by djm@
2016-12-08Use AC_PATH_TOOL for krb5-config.Darren Tucker
This will use the host-prefixed version when cross compiling; patch from david.michael at coreos.com.
2016-12-06upstream commitdjm@openbsd.org
make IdentityFile successfully load and use certificates that have no corresponding bare public key. E.g. just a private id_rsa and certificate id_rsa-cert.pub (and no id_rsa.pub). bz#2617 ok dtucker@ Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
2016-12-06Add a gnome-ssh-askpass3 target for GTK+3 versionDamien Miller
Based on patch from Colin Watson via bz#2640
2016-12-06Make gnome-ssh-askpass2.c GTK+3-friendlyDamien Miller
Patch from Colin Watson via bz#2640
2016-12-05upstream commitdjm@openbsd.org
Fix public key authentication when multiple authentication is in use. Instead of deleting and re-preparing the entire keys list, just reset the 'used' flags; the keys list is already in a good order (with already- tried keys at the back) Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@ Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
2016-12-05upstream commitdtucker@openbsd.org
Unlink PidFile on SIGHUP and always recreate it when the new sshd starts. Regression tests (and possibly other things) depend on the pidfile being recreated after SIGHUP, and unlinking it means it won't contain a stale pid if sshd fails to restart. ok djm@ markus@ Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
2016-11-30upstream commitdjm@openbsd.org
test new behaviour of cert force-command restriction vs. authorized_key/ principals Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
2016-11-30upstream commitjmc@openbsd.org
tweak previous; while here fix up FILES and AUTHORS; Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
2016-11-30upstream commitdjm@openbsd.org
add a whitelist of paths from which ssh-agent will load (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@ Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
2016-11-30upstream commitdjm@openbsd.org
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30upstream commitdjm@openbsd.org
When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced- command override the other could be a bit confused and more error-prone. Pointed out by Jann Horn of Project Zero; ok dtucker@ Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30upstream commitdtucker@openbsd.org
On startup, check to see if sshd is already daemonized and if so, skip the call to daemon() and do not rewrite the PidFile. This means that when sshd re-execs itself on SIGHUP the process ID will no longer change. Should address bz#2641. ok djm@ markus@. Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
2016-11-30factor out common PRNG reseed before privdropDamien Miller
Add a call to RAND_poll() to ensure than more than pid+time gets stirred into child processes states. Prompted by analysis from Jann Horn at Project Zero. ok dtucker@
2016-11-29upstream commitdtucker@openbsd.org
Allow PuTTY interop tests to run unattended. bz#2639, patch from cjwatson at debian.org. Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
2016-11-29upstream commitdtucker@openbsd.org
Reverse args to sshd-log-wrapper. Matches change in portable, where it allows sshd do be optionally run under Valgrind. Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
2016-11-29upstream commitdtucker@openbsd.org
Fix typo in trace message; from portable. Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
2016-11-29upstream committb@openbsd.org
Clean up MALLOC_OPTIONS. For the unittests, move MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc. ok otto Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
2016-11-29upstream committb@openbsd.org
Remove the obsolete A and P flags from MALLOC_OPTIONS. ok dtucker Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59
2016-11-29upstream commitdtucker@openbsd.org
Factor out code to disconnect from controlling terminal into its own function. ok djm@ Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885
2016-11-29upstream commitdjm@openbsd.org
use sshbuf_allocate() to pre-allocate the buffer used for loading keys. This avoids implicit realloc inside the buffer code, which might theoretically leave fragments of the key on the heap. This doesn't appear to happen in practice for normal sized keys, but was observed for novelty oversize ones. Pointed out by Jann Horn of Project Zero; ok markus@ Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
2016-11-29upstream commitdjm@openbsd.org
split allocation out of sshbuf_reserve() into a separate sshbuf_allocate() function; ok markus@ Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
2016-11-24upstream commitmarkus@openbsd.org
allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-11-10upstream commitdjm@openbsd.org
unbreak DenyUsers; reported by henning@ Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
2016-11-06upstream commitdjm@openbsd.org
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match. Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version) Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
2016-11-06upstream commitdjm@openbsd.org
Improve pkcs11_add_provider() logging: demote some excessively verbose error()s to debug()s, include PKCS#11 provider name and slot in log messages where possible. bz#2610, based on patch from Jakub Jelen Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
2016-11-01Use ptrace(PT_DENY_ATTACH, ..) on OS X.Darren Tucker