summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-09-24 - jmc@cvs.openbsd.org 2010/09/22 08:30:08Damien Miller
[ssh.1 ssh_config.5] ssh.1: add kexalgorithms to the -o list ssh_config.5: format the kexalgorithms in a more consistent (prettier!) way ok djm
2010-09-24 - djm@cvs.openbsd.org 2010/09/22 05:01:30Damien Miller
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
2010-09-24 - djm@cvs.openbsd.org 2010/09/20 07:19:27Damien Miller
[mux.c] "atomically" create the listening mux socket by binding it on a temorary name and then linking it into position after listen() has succeeded. this allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed ok deraadt
2010-09-24 - djm@cvs.openbsd.org 2010/09/20 04:54:07Damien Miller
[jpake.c] missing #include
2010-09-24 - djm@cvs.openbsd.org 2010/09/20 04:50:53Damien Miller
[jpake.c schnorr.c] check that received values are smaller than the group size in the disabled and unfinished J-PAKE code. avoids catastrophic security failure found by Sebastien Martini
2010-09-24 - djm@cvs.openbsd.org 2010/09/20 04:41:47Damien Miller
[ssh.c] install a SIGCHLD handler to reap expiried child process; ok markus@
2010-09-24 - jmc@cvs.openbsd.org 2010/09/19 21:30:05Damien Miller
[sftp.1] more wacky macro fixing;
2010-09-24 - djm@cvs.openbsd.org 2010/09/11 21:44:20Damien Miller
[ssh.1] mention RFC 5656 for ECC stuff
2010-09-24 - naddy@cvs.openbsd.org 2010/09/10 15:19:29Damien Miller
[ssh-keygen.1] * mention ECDSA in more places * less repetition in FILES section * SSHv1 keys are still encrypted with 3DES help and ok jmc@
2010-09-10 - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefsDarren Tucker
for missing headers and compiler warnings.
2010-09-10 - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]Damien Miller
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 - djm@cvs.openbsd.org 2010/09/09 10:45:45Damien Miller
[kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@
2010-09-10 - deraadt@cvs.openbsd.org 2010/09/08 04:13:31Damien Miller
[compress.c] work around name-space collisions some buggy compilers (looking at you gcc, at least in earlier versions, but this does not forgive your current transgressions) seen between zlib and openssl ok djm
2010-09-10 - djm@cvs.openbsd.org 2010/09/08 03:54:36Damien Miller
[authfile.c] typo
2010-09-10 - naddy@cvs.openbsd.org 2010/09/06 17:10:19Damien Miller
[sshd_config] add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste <mattieu.b@gmail.com> ok deraadt@
2010-09-10 - jmc@cvs.openbsd.org 2010/09/04 09:38:34Damien Miller
[ssh-add.1 ssh.1] two more EXIT STATUS sections;
2010-09-10 - jmc@cvs.openbsd.org 2010/09/03 11:09:29Damien Miller
[scp.1] add an EXIT STATUS section for /usr/bin;
2010-09-10 - naddy@cvs.openbsd.org 2010/09/02 17:21:50Damien Miller
[ssh-keygen.c] Switch ECDSA default key size to 256 bits, which according to RFC5656 should still be better than our current RSA-2048 default. ok djm@, markus@
2010-09-10 - markus@cvs.openbsd.org 2010/09/02 16:08:39Damien Miller
[ssh.c] unbreak ControlPersist=yes for ControlMaster=yes; ok djm@
2010-09-10 - markus@cvs.openbsd.org 2010/09/02 16:07:25Damien Miller
[ssh-keygen.c] permit -b 256, 384 or 521 as key size for ECDSA; ok djm@
2010-09-10 - djm@cvs.openbsd.org 2010/09/01 22:42:13Damien Miller
[myproposal.h] prefer ECDH in a 256 bit curve field; prompted by naddy@
2010-09-10 - naddy@cvs.openbsd.org 2010/09/01 15:21:35Damien Miller
[servconf.c] pick up ECDSA host key by default; ok djm@
2010-09-10 - jmc@cvs.openbsd.org 2010/08/31 21:14:58Damien Miller
[ssh.1] small text tweak to accommodate previous;
2010-09-10 - jmc@cvs.openbsd.org 2010/08/31 17:40:54Damien Miller
[ssh-agent.1] fix some macro abuse;
2010-09-10 - djm@cvs.openbsd.org 2010/08/31 12:33:38Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] reintroduce commit from tedu@, which I pulled out for release engineering: OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
2010-09-10 - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exactDarren Tucker
return code since it can apparently return -1 under some conditions. From openssh bugs werbittewas de, ok djm@
2010-08-31 - (djm) [bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] includeDamien Miller
includes.h
2010-08-31 - (djm) [Makefile.in] Add new ECC filesDamien Miller
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 11:54:45Damien Miller
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 09:58:37Damien Miller
[auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] [packet.h ssh-dss.c ssh-rsa.c] Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
2010-08-31 - djm@cvs.openbsd.org 2010/08/16 04:06:06Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] backout previous temporarily; discussed with deraadt@
2010-08-31 - tedu@cvs.openbsd.org 2010/08/12 23:34:39Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
2010-08-31 - jmc@cvs.openbsd.org 2010/08/08 19:36:30Damien Miller
[ssh-keysign.8 ssh.1 sshd.8] use the same template for all FILES sections; i.e. -compact/.Pp where we have multiple items, and .Pa for path names;
2010-08-27 - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated,Darren Tucker
remove. Patch from martynas at venck us.
2010-08-23 - (djm) Release OpenSSH-5.6p1Damien Miller
2010-08-17- (djm) [regress/README.regress] typoDamien Miller
2010-08-17 - djm@cvs.openbsd.org 2010/08/12 21:49:44Damien Miller
[ssh.c] close any extra file descriptors inherited from parent at start and reopen stdin/stdout to /dev/null when forking for ControlPersist. prevents tools that fork and run a captive ssh for communication from failing to exit when the ssh completes while they wait for these fds to close. The inherited fds may persist arbitrarily long if a background mux master has been started by ControlPersist. cvs and scp were effected by this. "please commit" markus@
2010-08-16 - (dtucker) [configure.ac openbsd-compat/Makefile.inDarren Tucker
openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to the compat library which helps on platforms like old IRIX. Based on work by djm, tested by Tom Christensen.
2010-08-12 - (tim) [auth.c] add cast to quiet compiler. Change only affects SVR5 systems.Tim Rice
2010-08-12 - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.shTim Rice
regress/test-exec.sh] Under certain conditions when testing with sudo tests would fail because the pidfile could not be read by a regular user. "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" Make sure cat is run by $SUDO. no objection from me. djm@
2010-08-10 - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id.Darren Tucker
based in part on a patch from Colin Watson, ok djm@
2010-08-10 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it isDamien Miller
already set. Makes FreeBSD user openable tunnels useful; patch from richard.burakowski+ossh AT mrburak.net, ok dtucker@
2010-08-09 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2010-08-09 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/08/08 16:26:42 [version.h] crank to 5.6
2010-08-09unbreak datestampsDamien Miller
2010-08-05 - djm@cvs.openbsd.org 2010/08/05 13:08:42Damien Miller
[channels.c] Fix a trio of bugs in the local/remote window calculation for datagram data channels (i.e. TunnelForward): Calculate local_consumed correctly in channel_handle_wfd() by measuring the delta to buffer_len(c->output) from when we start to when we finish. The proximal problem here is that the output_filter we use in portable modified the length of the dequeued datagram (to futz with the headers for !OpenBSD). In channel_output_poll(), don't enqueue datagrams that won't fit in the peer's advertised packet size (highly unlikely to ever occur) or which won't fit in the peer's remaining window (more likely). In channel_input_data(), account for the 4-byte string header in datagram packets that we accept from the peer and enqueue in c->output. report, analysis and testing 2/3 cases from wierbows AT us.ibm.com; "looks good" markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 06:08:40Damien Miller
[ssh-keysign.c] clean for -Wuninitialized (Id sync only; portable had this change)
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 06:07:11Damien Miller
[ssh-keygen.1 ssh-keygen.c] Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:49:22Damien Miller
[authfile.c] commited the wrong version of the hostbased certificate diff; this version replaces some strlc{py,at} verbosity with xasprintf() at the request of markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:42:47Damien Miller
[auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] [ssh-keysign.c ssh.c] enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@