Age         Author              Commit message

2018-06-07  djm@openbsd.org
    upstream: some permitlisten fixes from markus@ that I missed in my insomnia-fueled commits last night
    OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c

2018-06-07  djm@openbsd.org
    upstream: permitlisten/PermitListen unit test from Markus
    OpenBSD-Regress-ID: ab12eb42f0e14926980441cf7c058a6d1d832ea5

2018-06-07  djm@openbsd.org
    upstream: fix regression caused by recent permitlisten option commit: authorized_keys lines that contained permitopen/permitlisten were being treated as invalid.
    OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b

2018-06-07  markus@openbsd.org
    upstream: switch config file parsing to getline(3) as this avoids static limits noted by gerhard@; ok dtucker@, djm@
    OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c

2018-06-07  djm@openbsd.org
    upstream: regress test for PermitOpen
    OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf

2018-06-07  djm@openbsd.org
    upstream: man bits for permitlisten authorized_keys option
    OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78

2018-06-07  djm@openbsd.org
    upstream: man bits for PermitListen
    OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c

2018-06-07  djm@openbsd.org
    upstream: permitlisten option for authorized_keys; ok markus@
    OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672

2018-06-07  djm@openbsd.org
    upstream: Add a PermitListen directive to control which server-side addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation. feedback and ok markus@
    OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
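To make the policy concrete, the following is an added Python model of the check a server performs on a client's `-R` bind request against a PermitListen directive. It is an illustration written for this page, not OpenSSH's code. It assumes the documented argument forms (`port`, `host:port`, a bracketed IPv6 `[addr]:port`, `any`, `none`, and `*` as a host or port wildcard), compares host names as literal strings with no lookups or pattern matching, and applies sshd_config's first-obtained-value-wins rule; the constructed config lines and requests are made up for the demonstration. GatewayPorts and the special treatment of the client's default "localhost" bind name are outside the model.

```python
"""Model of a PermitListen policy check (added example, not OpenSSH code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ListenRule:
    host: Optional[str]   # None for the bare "port" form (any address); "*" is the explicit wildcard
    port: Optional[int]   # None for a "*" port wildcard


def _split_host_port(spec: str) -> tuple[Optional[str], str]:
    """Split 'port', 'host:port' or '[v6addr]:port' into (host, port-text)."""
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0 or not spec[end + 1:].startswith(":"):
            raise ValueError(f"bad listen spec {spec!r}")
        return spec[1:end], spec[end + 2:]
    if spec.count(":") > 1:
        raise ValueError(f"IPv6 address must be bracketed: {spec!r}")
    if ":" in spec:
        host, port_text = spec.split(":", 1)
        return host, port_text
    return None, spec


def parse_permit_listen(value: str) -> Optional[list[ListenRule]]:
    """Parse one PermitListen argument list.

    None means 'any' (no restriction); [] means 'none' (every listen request refused).
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("PermitListen requires an argument")
    if tokens == ["any"]:
        return None
    if tokens == ["none"]:
        return []
    rules = []
    for tok in tokens:
        host, port_text = _split_host_port(tok)
        if port_text == "*":
            port = None
        else:
            port = int(port_text)
            if not 1 <= port <= 65535:   # assumption: a rule must name a real port
                raise ValueError(f"bad port in {tok!r}")
        rules.append(ListenRule(host, port))
    return rules


def listen_permitted(rules: Optional[list[ListenRule]], host: str, port: int) -> bool:
    """Decide whether a client's -R bind request (host, port) matches the policy.

    Hosts are compared as literal strings: no pattern matching, no name lookups,
    so "localhost" and "127.0.0.1" are different names here.
    """
    if rules is None:
        return True
    for rule in rules:
        if rule.port is not None and rule.port != port:
            continue
        if rule.host is None or rule.host == "*" or rule.host == host:
            return True
    return False


def permit_listen_from_config(lines) -> Optional[list[ListenRule]]:
    """Pick the policy out of sshd_config-style lines (comments start with '#').

    As with other sshd_config keywords the first obtained value wins, and no
    directive at all leaves listening unrestricted.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitlisten":
            return parse_permit_listen(parts[1] if len(parts) > 1 else "")
    return None


if __name__ == "__main__":
    # Constructed config and requests, not taken from any real host.
    config = ["# constructed sshd_config excerpt",
              "PermitListen 8080 localhost:9090 [::1]:* *:2222",
              "PermitListen any    # ignored: first value wins"]
    policy = permit_listen_from_config(config)
    for host, port in [("0.0.0.0", 8080), ("localhost", 9090), ("127.0.0.1", 9090),
                       ("::1", 31337), ("10.0.0.5", 2222), ("localhost", 22)]:
        verdict = "permit" if listen_permitted(policy, host, port) else "refuse"
        print(f"-R {host}:{port:<6} -> {verdict}")
```

The two special values are represented differently on purpose: `None` (no restriction) must never be confused with `[]` (refuse everything), so the functions use the type rather than a sentinel string.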
2018-06-06  Darren Tucker
    Use ssh-keygen -A to generate missing host keys.
    Instead of testing for each specific key type, use ssh-keygen -A to generate any missing host key types.

2018-06-04  jmc@openbsd.org
    upstream: add missing punctuation after %i in ssh_config.5, and make the grammatical format in sshd_config.5 match that in ssh_config.5;
    OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0

2018-06-04  jmc@openbsd.org
    upstream: oops - further adjustment to text necessary;
    OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025

2018-06-04  jmc@openbsd.org
    upstream: %U needs to be escaped; tweak text;
    OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e

2018-06-04  dtucker@openbsd.org
    upstream: Apply umask to all incoming files and directories not just files. This makes sure it gets applied to directories too, and prevents a race where files get chmodded after creation. bz#2839, ok djm@
    OpenBSD-Commit-ID: 3168ee6c7c39093adac4fd71039600cfa296203b
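The two defects named in that commit message (umask not reaching directories, and a window between creation and chmod) are easy to reproduce. The following added Python example, written for this page and not part of OpenSSH, creates files and directories in a scratch directory both ways: once by creating with a default mode and fixing permissions afterwards, once by passing the requested permissions to open(2)/mkdir(2) so the kernel applies the umask at creation. The requested modes and the umask of 027 are constructed for the demonstration.

```python
"""Added example: apply the umask at creation time, not by chmod afterwards."""
from __future__ import annotations

import os
import stat
import tempfile


def mode_of(path: str) -> int:
    """Permission bits of a path, e.g. 0o640."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def create_file_then_chmod(path: str, perm: int) -> tuple[int, int]:
    """Racy variant: the file exists with 0666 & ~umask until the chmod narrows it.

    Returns (mode visible during the window, final mode).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    try:
        interim = mode_of(path)        # what another local user could open it with here
        os.fchmod(fd, perm)
    finally:
        os.close(fd)
    return interim, mode_of(path)


def create_file_with_umask(path: str, perm: int) -> int:
    """Pass the requested permissions to open(2); the kernel masks them atomically."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, perm)
    os.close(fd)
    return mode_of(path)


def mkdir_then_chmod(path: str, perm: int) -> int:
    """Directory variant that forgets the umask: chmod installs perm verbatim."""
    os.mkdir(path)
    os.chmod(path, perm)
    return mode_of(path)


def mkdir_with_umask(path: str, perm: int) -> int:
    """mkdir(2) applies the process umask to perm, same as open(2) does for files."""
    os.mkdir(path, perm)
    return mode_of(path)


def demo(umask: int) -> dict[str, int]:
    """Create each variant under the given umask and report the resulting modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            interim, final = create_file_then_chmod(os.path.join(scratch, "racy"), 0o600)
            return {
                "racy_file_interim": interim,
                "racy_file_final": final,
                "safe_file": create_file_with_umask(os.path.join(scratch, "safe"), 0o600),
                "racy_dir": mkdir_then_chmod(os.path.join(scratch, "racydir"), 0o755),
                "safe_dir": mkdir_with_umask(os.path.join(scratch, "safedir"), 0o755),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for name, mode in demo(0o027).items():
        print(f"{name:<18} {mode:04o}")
```

With umask 027 the chmod-after-create file is group-readable (0640) for a moment before it becomes 0600, and the chmod-only directory ends up 0755 although the umask should have removed the group-write and other bits; the create-with-mode variants land at 0600 and 0750 immediately, with no window and no separate chmod.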
2018-06-01  djm@openbsd.org
    upstream: Adapt to extra default verbosity from ssh-keygen when searching for and hashing known_hosts entries in a single operation (ssh-keygen -HF ...) Patch from Anton Kremenetsky
    OpenBSD-Regress-ID: 519585a4de35c4611285bd6a7272766c229b19dd

2018-06-01  djm@openbsd.org
    upstream: Add TEST_SSH_FAIL_FATAL variable, to force all failures to instantly abort the test. Useful in capturing clean logs for individual failure cases.
    OpenBSD-Regress-ID: feba18cf338c2328b9601bd4093cabdd9baa3af1

2018-06-01  dtucker@openbsd.org
    upstream: Clean up comment.
    OpenBSD-Regress-ID: 6adb35f384d447e7dcb9f170d4f0d546d3973e10

2018-06-01  djm@openbsd.org
    upstream: whitespace
    OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add

2018-06-01  djm@openbsd.org
    upstream: make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
    OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb

2018-06-01  djm@openbsd.org
    upstream: return correct exit code when searching for and hashing known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772 Report and fix from Anton Kremenetsky
    OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58

2018-06-01  djm@openbsd.org
    upstream: make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
    OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95

2018-06-01  djm@openbsd.org
    upstream: prefer argv0 to "ssh" when re-executing ssh for ProxyJump directive; bz2831, feedback and ok dtucker@
    OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e

2018-05-25  djm@openbsd.org
    upstream: Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog. regression in openssh-7.7 reported by Daniel Wagner
    OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73

2018-05-25  djm@openbsd.org
    upstream: Fix return value confusion in several functions (readdir, download and fsync). These should return -1 on error, not a sftp status code. patch from Petr Cerny in bz#2871
    OpenBSD-Commit-ID: 651aa0220ad23c9167d9297a436162d741f97a09

2018-05-25  dtucker@openbsd.org
    upstream: If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
    OpenBSD-Commit-ID: 2614edaadbd05a957aa977728aa7a030af7c6f0a

2018-05-25  Damien Miller
    Permit getuid()/geteuid() syscalls.
    Requested for Linux/s390; patch from Eduardo Barretto via bz#2752; ok dtucker

2018-05-22  djm@openbsd.org
    upstream: support ProxyJump=none to disable ProxyJump functionality; bz#2869 ok dtucker@
    OpenBSD-Commit-ID: 1c06ee08eb78451b5837fcfd8cbebc5ff3a67a01

2018-05-22  jmc@openbsd.org
    upstream: correct keyword name (permitemptypasswords); from brendan macdonell
    OpenBSD-Commit-ID: ef1bdbc936b2ea693ee37a4c20a94d4d43f5fda3

2018-05-22  djm@openbsd.org
    upstream: Emphasise that -w implicitly sets Tunnel=point-to-point and that users should specify an explicit Tunnel directive if they don't want this. bz#2365.
    OpenBSD-Commit-ID: 1a8d9c67ae213ead180481900dbbb3e04864560d

2018-05-14  Damien Miller
    sync fmt_scaled.c
    revision 1.17 date: 2018/05/14 04:39:04; author: djm; state: Exp; lines: +5 -2; commitid: 53zY8GjViUBnWo8Z; constrain fractional part to [0-9] (less confusing to static analysis); ok ian@

2018-05-11  Damien Miller
    fix key-options.sh on platforms without openpty(3)
    Skip the pty tests if the platform lacks openpty(3) and has to chown(2) the pty device explicitly. This typically requires root permissions that this test lacks. bz#2856 ok dtucker@

2018-05-11  djm@openbsd.org
    upstream: implement EMFILE mitigation for ssh-agent: remember the fd rlimit and stop accepting new connections when it is exceeded (with some grace). Accept is resumed when enough connections are closed. bz#2576. feedback deraadt; ok dtucker@
    OpenBSD-Commit-ID: 6a85d9cec7b85741961e7116a49f8dae777911ea

2018-05-11  dtucker@openbsd.org
    upstream: Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
    OpenBSD-Commit-ID: 9c5359e2fbfce11dea2d93f7bc257e84419bd001

2018-05-11  bluhm@openbsd.org
    upstream: Since the previous commit, ssh regress test sftp-chroot was failing. The sftp program terminated with the wrong exit code as sftp called fatal() instead of exit(0). So when the sigchld handler waits for the child, remember that it was found. Then don't expect that main() can wait again. OK dtucker@
    OpenBSD-Commit-ID: bfafd940c0de5297940c71ddf362053db0232266

2018-04-29  Darren Tucker
    Use includes.h instead of config.h.
    This ensures it picks up the definition of DEF_WEAK, the lack of which can cause compile errors in some cases (eg modern AIX). From michael at felt.demon.nl.

2018-04-19  Darren Tucker
    Omit 3des-cbc if OpenSSL built without DES.
    Patch from hongxu.jia at windriver.com, ok djm@

2018-04-17  djm@openbsd.org
    upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch clients without version numbers since they choke on them under some circumstances. https://twistedmatrix.com/trac/ticket/9422 via Colin Watson. Newer Conch versions have a version number in their ident string and handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
    OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539

2018-04-15  djm@openbsd.org
    upstream: don't free the %C expansion, it's used later for LocalCommand
    OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1

2018-04-15  djm@openbsd.org
    upstream: notify user immediately when underlying ssh process dies; patch from Thomas Kuthan in bz2719; ok dtucker@
    OpenBSD-Commit-ID: 78fac88c2f08054d1fc5162c43c24162b131cf78

2018-04-13  Darren Tucker
    Allow nanosleep in preauth privsep child.
    The new timing attack mitigation code uses nanosleep in the preauth codepath, allow in systrace sandbox too.

2018-04-13  Darren Tucker
    Allow nanosleep in preauth privsep child.
    The new timing attack mitigation code uses nanosleep in the preauth codepath, allow in sandbox.

2018-04-13  dtucker@openbsd.org
    upstream: Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
    OpenBSD-Commit-ID: b7845b355bb7381703339c8fb0e57e81a20ae5ca
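The mitigation described in that commit message is a padding scheme rather than a constant-time check: each failed attempt is held until a floor has elapsed, and the floor itself varies per user by a constant that only the host can compute. The following added Python example, written for this page and not OpenSSH's code, shows the shape of it. Assumptions: the host secret and the single-user password database are constructed; the per-user offset is the first four bytes of an HMAC-SHA512 tag over the username reduced modulo 4 ms, which is one way to derive such a constant and is not claimed to be sshd's; timing uses the monotonic clock and re-checks after sleeping because sleep may return early. The caveat that matters for review is that the floor only hides differences below it: a code path that takes longer than the padded time still stands out.

```python
"""Added example: per-failure delay floor plus a per-user constant from a host secret."""
from __future__ import annotations

import hashlib
import hmac
import time

MIN_FAIL_DELAY_NS = 5_000_000      # every failed attempt takes at least 5 ms
USER_DELAY_RANGE_NS = 4_000_000    # plus a fixed per-user offset in [0, 4 ms)


def user_specific_delay_ns(host_secret: bytes, user: str) -> int:
    """Floor plus a deterministic per-user offset keyed by the host secret.

    Keying the offset means an attacker cannot compute which users sit where
    in the 0-4 ms range, so the offset does not itself become an oracle.
    (Assumption: HMAC-SHA512 truncated to 4 bytes, reduced modulo the range.)
    """
    tag = hmac.new(host_secret, user.encode("utf-8", "surrogateescape"), hashlib.sha512).digest()
    return MIN_FAIL_DELAY_NS + int.from_bytes(tag[:4], "big") % USER_DELAY_RANGE_NS


def ensure_minimum_time_since(start_ns: int, minimum_ns: int) -> int:
    """Block until at least minimum_ns have elapsed since start_ns (monotonic clock).

    Loops because time.sleep may wake early; returns the total elapsed nanoseconds.
    """
    while True:
        elapsed = time.monotonic_ns() - start_ns
        if elapsed >= minimum_ns:
            return elapsed
        time.sleep((minimum_ns - elapsed) / 1e9)


# Constructed user database: only "alice" exists. An unknown user fails at once,
# a known user costs a PBKDF2 computation; that gap is the signal being masked.
_SALT = b"constructed-salt"
_ITERATIONS = 20_000
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}


def check_password(user: str, password: str) -> bool:
    """Unmitigated check: returns early for unknown users (the timing leak)."""
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def authenticate(host_secret: bytes, user: str, password: str) -> tuple[bool, int]:
    """Run the check; on failure, pad to this user's minimum before answering.

    Returns (success, elapsed ns as the client would observe it).
    """
    start = time.monotonic_ns()
    ok = check_password(user, password)
    if not ok:
        elapsed = ensure_minimum_time_since(start, user_specific_delay_ns(host_secret, user))
    else:
        elapsed = time.monotonic_ns() - start
    return ok, elapsed


if __name__ == "__main__":
    secret = b"constructed host secret, generated once per host in a real deployment"
    for user, pw in [("mallory", "x"), ("alice", "wrong"), ("alice", "correct horse")]:
        ok, elapsed = authenticate(secret, user, pw)
        floor = user_specific_delay_ns(secret, user)
        print(f"{user:<8} ok={ok!s:<5} elapsed={elapsed / 1e6:6.2f} ms  floor={floor / 1e6:.2f} ms")
```

Running it shows the unknown-user failure and the wrong-password failure both reported at or above the same per-user floor, even though the unpadded check for "mallory" returns in microseconds; raising `_ITERATIONS` far enough to push the real check past the floor reintroduces the difference, which is the limit the commit message's "minimum time" wording implies.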
2018-04-13  Darren Tucker
    Using "==" in shell tests is not portable.
    Patch from rsbecker at nexbridge.com.

2018-04-13  Damien Miller
    Fix tunnel forwarding broken in 7.7p1
    bz2855, ok dtucker@

2018-04-13  Damien Miller
    prefer to use getrandom() for PRNG seeding
    Only applies when built --without-openssl. Thanks Jann Horn for reminder.

2018-04-13  Darren Tucker
    Revert $REGRESSTMP changes.
    Revert 3fd2d229 and subsequent changes as they turned out to be a portability hassle.

2018-04-10  Damien Miller
    Many typo fixes from Karsten Weiss
    Spotted using https://github.com/lucasdemarchi/codespell

2018-04-10  djm@openbsd.org
    upstream: more typos spotted by Karsten Weiss using codespell
    OpenBSD-Regress-ID: d906a2aea0663810a658b7d0bc61a1d2907d4d69

2018-04-10  djm@openbsd.org
    upstream: make this a bit more portable-friendly
    OpenBSD-Regress-ID: 62f7b9e055e8dfaab92b3825f158beeb4ca3f963

2018-04-10  djm@openbsd.org
    upstream: lots of typos in comments/docs. Patch from Karsten Weiss after checking with codespell tool (https://github.com/lucasdemarchi/codespell)
    OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528