summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-02-22upstream: perform removal of agent-forwarding directory in forwarddjm@openbsd.org
setup error path with user's privileged. This is a no-op as this code always runs with user privilege now that we no longer support running sshd with privilege separation disabled, but as long as the privsep skeleton is there we should follow the rules. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit bz#2969 with patch from Erik Sjölund OpenBSD-Commit-ID: 2b708401a5a8d6133c865d7698d9852210dca846
2019-02-22upstream: sync the description of ~/.ssh/config with djm's updatedjmc@openbsd.org
description in ssh.1; issue pointed out by andreas kahari ok dtucker djm OpenBSD-Commit-ID: 1b01ef0ae2c6328165150badae317ec92e52b01c
2019-02-13upstream: fix regression in r1.302 reported by naddy@ - only the firstdjm@openbsd.org
public key from the agent was being attempted for use. OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f46c8d
2019-02-11upstream: cleanup GSSAPI authentication context after completion of thedjm@openbsd.org
authmethod. Move function-static GSSAPI state to the client Authctxt structure. Make static a bunch of functions that aren't used outside this file. Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@ OpenBSD-Commit-ID: 497fb792c0ddb4f1ba631b6eed526861f115dbe5
2019-02-11upstream: ssh-keygen -D pkcs11.so needs to initialize pkcs11benno@openbsd.org
interactive, so it can ask for the smartcards PIN. ok markus@ OpenBSD-Commit-ID: 1be7ccf88f1876e0fc4d7c9b3f96019ac5655bab
2019-02-10upstream: when checking that filenames sent by the server sidedjm@openbsd.org
match what the client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}". "looks good to me" millert@ + in snaps for the last week courtesy deraadt@ OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
2019-02-10upstream: syslog when connection is dropped for attempting to run adjm@openbsd.org
command when ForceCommand=internal-sftp is in effect; bz2960; ok dtucker@ OpenBSD-Commit-ID: 8c87fa66d7fc6c0fffa3a3c28e8ab5e8dde234b8
2019-02-08don't set $MAIL if UsePam=yesDamien Miller
PAM typically specifies the user environment if it's enabled, so don't second guess. bz#2937; ok dtucker@
2019-02-08use same close logic for stderr as stdoutDamien Miller
Avoids sending SIGPIPE to child processes after their parent exits if they attempt to write to stderr. Analysis and patch from JD Paul; patch reworked by Jakub Jelen and myself. bz#2071; ok dtucker@
2019-02-08upstream: Adapt code in the non-USE_PIPES codepath to the new packetdtucker@openbsd.org
API. This code is not normally reachable since USE_PIPES is always defined. bz#2961, patch from adrian.fita at gmail com. OpenBSD-Commit-ID: 8d8428d678d1d5eb4bb21921df34e8173e6d238a
2019-02-05upstream: fix NULL-deref crash in PKCS#11 code when attemptingdjm@openbsd.org
login to a token requiring a PIN; reported by benno@ fix mostly by markus@ OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31
2019-02-04upstream: Remove obsolete "Protocol" from commented out examples. Patchdtucker@openbsd.org
from samy.mahmoudi at gmail com. OpenBSD-Commit-ID: 16aede33dae299725a03abdac5dcb4d73f5d0cbf
2019-02-01upstream: Save connection timeout and restore for 2nd anddtucker@openbsd.org
subsequent attempts, preventing them from having no timeout. bz#2918, ok djm@ OpenBSD-Commit-ID: 4977f1d0521d9b6bba0c9a20d3d226cefac48292
2019-02-01upstream: Add authors for public domain sntrup4591761 code;markus@openbsd.org
confirmed by Daniel J. Bernstein OpenBSD-Commit-ID: b4621f22b8b8ef13e063c852af5e54dbbfa413c1
2019-02-01upstream: add -T to usage();jmc@openbsd.org
OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899
2019-01-28upstream: The test sshd_config in in $OBJ.dtucker@openbsd.org
OpenBSD-Regress-ID: 1e5d908a286d8e7de3a15a0020c8857f3a7c9172
2019-01-28upstream: Remove leftover debugging.dtucker@openbsd.org
OpenBSD-Regress-ID: 3d86c3d4867e46b35af3fd2ac8c96df0ffdcfeb9
2019-01-28upstream: Enable ssh-dss for the agent test. Disable it for thedtucker@openbsd.org
certificate test. OpenBSD-Regress-ID: 388c1e03e1def539d350f139b37d69f12334668d
2019-01-28upstream: Count the number of key types instead of assuming theredtucker@openbsd.org
are only two. OpenBSD-Regress-ID: 0998702c41235782cf0beee396ec49b5056eaed9
2019-01-28Cygwin: only tweak sshd_config file if it's new, drop creating sshd userCorinna Vinschen
The sshd_config tweaks were executed even if the old file was still in place. Fix that. Also disable sshd user creation. It's not used on Cygwin.
2019-01-28Cygwin: Change service name to cygsshdCorinna Vinschen
Microsoft hijacked the sshd service name without asking.
2019-01-27upstream: Generate all key supported key types and enable for keyscandtucker@openbsd.org
test. OpenBSD-Regress-ID: 72f72ff49946c61bc949e1692dd9e3d71370891b
2019-01-27upstream: check in scp client that filenames sent duringdjm@openbsd.org
remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
2019-01-27upstream: make ssh-keyscan return a non-zero exit status if itdjm@openbsd.org
finds no keys. bz#2903 OpenBSD-Commit-ID: 89f1081fb81d950ebb48e6e73d21807b2723d488
2019-01-25upstream: Accept the host key fingerprint as a synonym for "yes"dtucker@openbsd.org
when accepting an unknown host key. This allows you to paste a fingerprint obtained out of band into the yes/no prompt and have the client do the comparison for you. ok markus@ djm@ OpenBSD-Commit-ID: 3c47d10b9f43d3d345e044fd9ec09709583a2767
2019-01-25upstream: Have progressmeter force an update at the beginning anddtucker@openbsd.org
end of each transfer. Fixes the problem recently introduces where very quick transfers do not display the progressmeter at all. Spotted by naddy@ OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
2019-01-24upstream: Check for both EAGAIN and EWOULDBLOCK. This is a no-opdtucker@openbsd.org
in OpenBSD (they are the same value) but makes things easier in -portable where they may be distinct values. "sigh ok" deraadt@ (ID sync only, portable already had this change). OpenBSD-Commit-ID: 91f2bc7c0ecec905915ed59fa37feb9cc90e17d7
2019-01-24upstream: Always initialize 2nd arg to hpdelim2. It populates thatdtucker@openbsd.org
*ONLY IF* there's a delimiter. If there's not (the common case) it checked uninitialized memory, which usually passed, but if not would cause spurious failures when the uninitialized memory happens to contain "/". ok deraadt. OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3
2019-01-24upstream: Remove support for obsolete host/port syntax.dtucker@openbsd.org
host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH now supports for some things. Remove the slash notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen at redhat.com, ok markus@ OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
2019-01-24upstream: Remove duplicate word. bz#2958, patch from jjelen atdtucker@openbsd.org
redhat.com OpenBSD-Commit-ID: cca3965a8333f2b6aae48b79ec1d72f7a830dd2c
2019-01-24upstream: Remove 3 as a guess for possible generator during modulidtucker@openbsd.org
generation. It's not mentioned in RFC4419 and it's not possible for Sophie-Germain primes greater than 5. bz#2330, from Christian Wittenhorst , ok djm@ tb@ OpenBSD-Commit-ID: 1467652e6802ad3333b0959282d8d49dfe22c8cd
2019-01-24upstream: Sanitize scp filenames via snmprintf. To do this we movedtucker@openbsd.org
the progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@ OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
2019-01-24For broken read/readv comparisons, poll(RW).Darren Tucker
In the cases where we can't compare to read or readv function pointers for some reason we currently ifdef out the poll() used to block while waiting for reads or writes, falling back to busy waiting. This restores the poll() in this case, but has it always check for read or write, removing an inline ifdef in the process.
2019-01-24Include unistd.h for strmode().Darren Tucker
2019-01-24Also undef SIMPLEQ_FOREACH_SAFE.Darren Tucker
Prevents macro redefinition warning on at least NetBSD 6.1.
2019-01-23upstream: allow auto-incrementing certificate serial number for certsdjm@openbsd.org
signed in a single commandline. OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
2019-01-23upstream: move a bunch of global flag variables to main(); make thedjm@openbsd.org
rest static OpenBSD-Commit-ID: fa431d92584e81fe99f95882f4c56b43fe3242dc
2019-01-23dependDamien Miller
2019-01-23upstream: switch mainloop from select(2) to poll(2); ok deraadt@djm@openbsd.org
OpenBSD-Commit-ID: 37645419a330037d297f6f0adc3b3663e7ae7b2e
2019-01-23upstream: pass most arguments to the KEX hash functions as sshbufdjm@openbsd.org
rather than pointer+length; ok markus@ OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7
2019-01-23upstream: backoff reading messages from active connections when thedjm@openbsd.org
input buffer is too full to read one, or if the output buffer is too full to enqueue a response; feedback & ok dtucker@ OpenBSD-Commit-ID: df3c5b6d57c968975875de40d8955cbfed05a6c8
2019-01-23upstream: add -m to usage(); reminded by jmc@djm@openbsd.org
OpenBSD-Commit-ID: bca476a5236e8f94210290b3e6a507af0434613e
2019-01-22upstream: Correct some bugs in PKCS#11 token PIN handling atdjm@openbsd.org
initial login, the attempt at reading the PIN could be skipped in some cases especially on devices with integrated PIN readers. based on patch from Daniel Kucera in bz#2652; ok markus@ OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e
2019-01-22upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE bydjm@openbsd.org
requring a fresh login after the C_SignInit operation. based on patch from Jakub Jelen in bz#2638; ok markus OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661
2019-01-22upstream: Mention that configuration for the destination host isdjm@openbsd.org
not applied to any ProxyJump/-J hosts. This has confused a few people... OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
2019-01-22upstream: Include -m in the synopsis for a few more commands thatdjm@openbsd.org
support it Be more explicit in the description of -m about where it may be used Prompted by Jakub Jelen in bz2904 OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
2019-01-22upstream: print the full pubkey being attempted at loglevel >=djm@openbsd.org
debug2; bz2939 OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290
2019-01-22upstream: clarify: ssh-keygen -e only writes public keys, neverdjm@openbsd.org
private OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
2019-01-22upstream: mention the new vs. old key formats in the introductiondjm@openbsd.org
and give some hints on how keys may be converted or written in the old format. OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
2019-01-22upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: d2a80e389da8e7ed71978643d8cbaa8605b597a8