| Age | Commit message (Collapse) | Author |
|---|
|
fix use-after-free in ~^Z escape handler path, introduced
in channels.c refactor; spotted by millert@ "makes sense" deraadt@
Upstream-ID: 8fa2cdc65c23ad6420c1e59444b0c955b0589b22
|
|
Prevent type mismatch warning in debug on platforms where
sig_atomic_t != int. ok djm@
Upstream-ID: 306e2375eb0364a4c68e48f091739bea4f4892ed
|
|
Add braces missing after channels refactor. ok markus@
Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
|
|
ok dtucker@
|
|
It's still on by default, but now it's possible to turn it off using
--without-hardening. This is useful since it's known to cause problems
with some -fsanitize options. ok dtucker@
|
|
Print SKIPPED if sudo and doas configuration is missing.
Prevents that running the regression test with wrong environment is reported
as failure. Keep the fatal there to avoid interfering with other setups for
portable ssh. OK dtucker@
Upstream-Regress-ID: f0dc60023caef496ded341ac5aade2a606fa234e
|
|
Remove obsolete privsep=no fallback test.
Upstream-Regress-ID: 7d6e1baa1678ac6be50c2a1555662eb1047638df
|
|
Remove non-privsep test since disabling privsep is now
deprecated.
Upstream-Regress-ID: 77ad3f3d8d52e87f514a80f285c6c1229b108ce8
|
|
Don't call fatal from stop_sshd since it calls cleanup
which calls stop_sshd which will probably fail in the same way. Instead,
just bail. Differentiate between sshd dying without cleanup and not shutting
down.
Upstream-Regress-ID: f97315f538618b349e2b0bea02d6b0c9196c6bc4
|
|
Revert commitid: gJtIN6rRTS3CHy9b.
-------------
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------
This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
are missing but the user already has the key in known_hosts
Spotted by dtucker@
Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
|
|
|
|
unused variable
Upstream-ID: 2f9ba09f2708993d35eac5aa71df910dcc52bac1
|
|
fix tun/tap forwarding case in previous
Upstream-ID: 43ebe37a930320e24bca6900dccc39857840bc53
|
|
Make remote channel ID a u_int
Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.
In practice everyone numbers their channels sequentially, so this has
never been a problem.
ok markus@
Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
|
|
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
|
|
typo in comment
Upstream-ID: a93b1e6f30f1f9b854b5b964b9fd092d0c422c47
|
|
tweak previous;
Upstream-ID: bb8cc40b61b15f6a13d81da465ac5bfc65cbfc4b
|
|
These are some basic clang libfuzzer harnesses for signature
verification and public key parsing. Some assembly (metaphorical)
required.
|
|
Some CFLAGS/LDFLAGS may disrupt the configure script's operation,
in particular santization and fuzzer options that break assumptions
about memory and file descriptor dispositions.
This adds two flags to configure --with-cflags-after and
--with-ldflags-after that allow specifying additional compiler and
linker options that are added to the resultant Makefiles but not
used in the configure run itself.
E.g.
env CC=clang-3.9 ./configure \
--with-cflags-after=-fsantize=address \
--with-ldflags-after="-g -fsanitize=address"
|
|
Expand ssh_config's StrictModes option with two new
settings:
StrictModes=accept-new will automatically accept hitherto-unseen keys
but will refuse connections for changed or invalid hostkeys.
StrictModes=off is the same as StrictModes=no
Motivation:
StrictModes=no combines two behaviours for host key processing:
automatically learning new hostkeys and continuing to connect to hosts
with invalid/changed hostkeys. The latter behaviour is quite dangerous
since it removes most of the protections the SSH protocol is supposed to
provide.
Quite a few users want to automatically learn hostkeys however, so
this makes that feature available with less danger.
At some point in the future, StrictModes=no will change to be a synonym
for accept-new, with its current behaviour remaining available via
StrictModes=off.
bz#2400, suggested by Michael Samuel; ok markus
Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
|
|
remove blank line;
Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
|
|
identify the case where SSHFP records are missing but
other DNS RR types are present and display a more useful error message for
this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
|
|
document available AuthenticationMethods; bz#2453 ok
dtucker@
Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
|
|
pass packet state down to some of the channels function
(more to come...); ok markus@
Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
|
|
sort options;
Upstream-ID: cf21d68cf54e81968bca629aaeddc87f0c684f3c
|
|
add a -q option to ssh-add to make it quiet on success.
if you want to silence ssh-add without this you generally redirect
the output to /dev/null, but that can hide error output which you
should see.
ok djm@
Upstream-ID: 2f31b9b13f99dcf587e9a8ba443458e6c0d8997c
|
|
Increase the buffer sizes for user prompts to ensure that
they won't be truncated by snprintf. Based on patch from cjwatson at
debian.org via bz#2768, ok djm@
Upstream-ID: 6ffacf1abec8f40b469de5b94bfb29997d96af3e
|
|
FreeBSD's <sys/capability.h> was renamed to <sys/capsicum.h> in 2014 to
avoid future conflicts with POSIX capabilities (the last release that
didn't have it was 9.3) so switch to that. Patch from des at des.no.
|
|
Patch from cjwatson at debian.org via bz#2767.
|
|
platform.o is too heavy for libssh.a use; it calls into the server on
many platforms. Move just the function needed by misc.c into its own
file.
|
|
|
|
add a "quiet" flag to exited_cleanly() that supresses
errors about exit status (failure due to signal is still reported)
Upstream-ID: db85c39c3aa08e6ff67fc1fb4ffa89f807a9d2f0
|
|
Move several subprocess-related functions from various
locations to misc.c. Extend subprocess() to offer a little more control over
stdio disposition.
feedback & ok dtucker@
Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
|
|
make "--" before the hostname terminate command-line
option processing completely; previous behaviour would not prevent further
options appearing after the hostname (ssh has a supported options after the
hostname for >20 years, so that's too late to change).
ok deraadt@
Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89
|
|
Switch from aes256-cbc to aes256-ctr for encrypting
new-style private keys. The latter having the advantage of being supported
for no-OpenSSL builds; bz#2754 ok markus@
Upstream-ID: 54179a2afd28f93470471030567ac40431e56909
|
|
refuse to a private keys when its corresponding .pub key
does not match. bz#2737 ok dtucker@
Upstream-ID: 54ff5e2db00037f9db8d61690f26ef8f16e0d913
|
|
don't print verbose error message when ssh disconnects
under sftp; bz#2750; ok dtucker@
Upstream-ID: 6d83708aed77b933c47cf155a87dc753ec01f370
|
|
Tweak previous keepalive commit: if last_time + keepalive
<= now instead of just "<" so client_alive_check will fire if the select
happens to return on exact second of the timeout. ok djm@
Upstream-ID: e02756bd6038d11bb8522bfd75a4761c3a684fcc
|
|
Keep track of the last time we actually heard from the
client and use this to also schedule a client_alive_check(). Prevents
activity on a forwarded port from indefinitely preventing the select timeout
so that client_alive_check() will eventually (although not optimally) be
called.
Analysis by willchan at google com via bz#2756, feedback & ok djm@
Upstream-ID: c08721e0bbda55c6d18e2760f3fe1b17fb71169e
|
|
bz#2408; ok dtucker@
|
|
This fixes a few problems in the tun forwarding code, mostly to do
with host/network byte order confusion.
Based on a report and patch by stepe AT centaurus.uberspace.de;
bz#2735; ok dtucker@
|
|
Make WinSCP patterns for SSH_OLD_DHGEX more specific to
exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@
Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
|
|
g/c unused variable; make a little more portable
Upstream-ID: 3f5980481551cb823c6fb2858900f93fa9217dea
|
|
Allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default; ok dtucker@
Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
|
|
|
|
fix support for unknown key types; ok djm@
Upstream-ID: 53fb29394ed04d616d65b3748dee5aa06b07ab48
|
|
switch from select() to poll() for the ssh-agent
mainloop; ok markus
Upstream-ID: 4a94888ee67b3fd948fd10693973beb12f802448
|
|
Make ""Killed by signal 1" LogLevel verbose so it's not
shown at the default level. Prevents it from appearing during ssh -J and
equivalent ProxyCommand configs. bz#1906, bz#2744, feedback&ok markus@
Upstream-ID: debfaa7e859b272246c2f2633335d288d2e2ae28
|
|
man pages with pseudo synopses which list filenames end
up creating very ugly output in man -k; after some discussion with ingo, we
feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly
helpful at page top, is contained already in FILES, and there are
sufficiently few that just zapping them is simple;
ok schwarze, who also helpfully ran things through a build to check
output;
Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
|
|
zap redundant Makefile variables. okay djm@
Upstream-ID: e39b3902fe1d6c4a7ba6a3c58e072219f3c1e604
|
