Age | Commit message | Author |
|
adapt tests to new minimum RSA size and default FP format
Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
|
|
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
|
|
don't expect SSH v.1 in unittests
Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
|
|
turn SSH1 back on to match src/usr.bin/ssh being tested
Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
|
|
Add "PuTTY_Local:" to the clients to which we do not
offer DH-GEX. This was the string that was used for development versions
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
there are some extant products based on those versions. bx2424 from Jay
Rouman, ok markus@ djm@
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
re-enable ed25519-certs if compiled w/o openssl; ok djm
Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
|
|
no need to include the old buffer/key API
Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
|
|
typedefs for Cipher&CipherContext are unused
Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
|
|
xmalloc.h is unused
Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
|
|
compress.c is gone
Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
|
|
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
cranking
Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
|
|
add an XXX reminder for getting correct key paths from
sshd_config
Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
|
|
refuse to generate or accept RSA keys smaller than 1024
bits; feedback and ok dtucker@
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
|
|
turn off 1024 bit diffie-hellman-group1-sha1 key
exchange method (already off in server, this turns it off in the client by
default too) ok dtucker@
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
|
|
delete support for legacy v00 certificates; "sure"
markus@ dtucker@
Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
|
|
Compile-time disable SSH v.1 again
Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
|
|
twiddle PermitRootLogin back
Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
|
|
twiddle; (this commit marks the openssh-6.9 release)
Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
|
|
better refuse ForwardX11Trusted=no connections attempted
after ForwardX11Timeout expires; reported by Jann Horn
Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
|
|
put back default PermitRootLogin=no
Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
|
|
openssh-6.9
Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
|
|
reset default PermitRootLogin to 'yes' (momentarily, for
release)
Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
|
|
fatal() when a remote window update causes the window
value to overflow. Reported by Georg Wicherski, ok markus@
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
|
|
Fix math error in remote window calculations that causes
eventual stalls for datagram channels. Reported by Georg Wicherski, ok
markus@
Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
|
|
with Tim Rice
|
|
add getpid to sandbox, reachable by grace_alarm_handler
reported by Jakub Jelen; bz#2419
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
|
|
Fix \-escaping bug that caused forward path parsing to skip
two characters and skip past the end of the string.
Based on patch by Salvador Fandino; ok dtucker@
Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
|
|
patch from Jakub Jelen
|
|
correct test to sshkey_sign(); spotted by Albert S.
Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
|
|
Revert previous commit. We still want to call setgroups
in the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
Revert previous commit. We still want to call setgroups in
the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
Don't count successful partial authentication as failures
in monitor; this may have caused the monitor to refuse multiple
authentications that would otherwise have successfully completed; ok markus@
Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
|
|
Don't call setgroups if we have zero groups; there's no
guarantee that it won't try to deref the pointer. Based on a patch from mail
at quitesimple.org, ok djm deraadt
Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
|
|
If AuthorizedPrincipalsCommand is specified, however
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
potentially fail due to key_cert_check_authority() failing to locate a
principal that matches the username, even though an authorized principal has
already been matched in the output of the subprocess. Fix this by using the
same logic to determine if pw->pw_name should be passed, as is used to
determine if an authorized principal must be matched earlier on.
ok djm@
Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
|
|
Make the arguments to match_principals_command() similar
to match_principals_file(), by changing the last argument to a struct
sshkey_cert * and dereferencing key->cert in the caller.
No functional change.
ok djm@
Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
|
|
When doing arg inspection and the syscall doesn't match, skip
past the instruction that reloads the syscall into the accumulator,
since the accumulator hasn't been modified at this point.
|
|
Also resort and tidy syscall list. Based on patches by Jakub Jelen
bz#2361; ok dtucker@
|
|
return failure on RSA signature error; reported by Albert S
Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
|
|
For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
name." (we have a path, not a host name). Based on a diff from Jared
Yanovich. OK djm@
Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
|
|
typo: accidental repetition; bz#2386
Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
|
|
Stopgap to resolve bz#2409 because we are so close to release and will
update config.guess and friends shortly after the release. ok djm@
|
|
mention CheckHostIP adding addresses to known_hosts;
bz#1993; ok dtucker@
Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
|