summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-04-20 - djm@cvs.openbsd.org 2014/04/18 23:52:25Damien Miller
[compat.c compat.h sshconnect2.c sshd.c version.h] OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the spec properly. Disable this KEX method when speaking to one of the affected versions. reported by Aris Adamantiadis; ok markus@
2014-04-20 - djm@cvs.openbsd.org 2014/04/16 23:28:12Damien Miller
[ssh-agent.1] remove the identity files from this manpage - ssh-agent doesn't deal with them at all and the same information is duplicated in ssh-add.1 (which does deal with them); prodded by deraadt@
2014-04-20 - djm@cvs.openbsd.org 2014/04/16 23:22:45Damien Miller
[bufaux.c] skip leading zero bytes in buffer_put_bignum2_from_string(); reported by jan AT mojzis.com; ok markus@
2014-04-20 - djm@cvs.openbsd.org 2014/04/12 04:55:53Damien Miller
[sshd.c] avoid crash at exit: check that pmonitor!=NULL before dereferencing; bz#2225, patch from kavi AT juniper.net
2014-04-20 - djm@cvs.openbsd.org 2014/04/01 05:32:57Damien Miller
[packet.c] demote a debug3 to PACKET_DEBUG; ok markus@
2014-04-20 - djm@cvs.openbsd.org 2014/04/01 03:34:10Damien Miller
[sshconnect.c] When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. Reported by mcv21 AT cam.ac.uk
2014-04-20 - djm@cvs.openbsd.org 2014/04/01 02:05:27Damien Miller
[ssh-keysign.c] include fingerprint of key not found use arc4random_buf() instead of loop+arc4random()
2014-04-20 - jmc@cvs.openbsd.org 2014/03/31 13:39:34Damien Miller
[ssh-keygen.1] the text for the -K option was inserted in the wrong place in -r1.108; fix From: Matthew Clarke
2014-04-20 - naddy@cvs.openbsd.org 2014/03/28 05:17:11Damien Miller
[ssh_config.5 sshd_config.5] sync available and default algorithms, improve algorithm list formatting help from jmc@ and schwarze@, ok deraadt@
2014-04-20 - tedu@cvs.openbsd.org 2014/03/26 19:58:37Damien Miller
[sshd.8 sshd.c] remove libwrap support. ok deraadt djm mfriedl
2014-04-20 - djm@cvs.openbsd.org 2014/03/26 04:55:35Damien Miller
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c [misc.h poly1305.h ssh-pkcs11.c] use __bounded(...) attribute recently added to sys/cdefs.h instead of longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clang
2014-04-20Three commits in one (since they touch the same heavily-diverged fileDamien Miller
repeatedly): - markus@cvs.openbsd.org 2014/03/25 09:40:03 [myproposal.h] trimm default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 [myproposal.h] The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. - markus@cvs.openbsd.org 2014/03/27 23:01:27 [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 - tedu@cvs.openbsd.org 2014/03/19 14:42:44Damien Miller
[scp.1] there is no need for rcp anymore ok deraadt millert
2014-04-20 - tedu@cvs.openbsd.org 2014/03/17 19:44:10Damien Miller
[ssh.1] old descriptions of des and blowfish are old. maybe ok deraadt
2014-04-20 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26Damien Miller
[ssh-agent.c ssh-keygen.1 ssh-keygen.c] Improve usage() and documentation towards the standard form. In particular, this line saves a lot of man page reading time. usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile] ok schwarze jmc
2014-04-20 - naddy@cvs.openbsd.org 2014/03/12 13:06:59Damien Miller
[ssh-keyscan.1] scan for Ed25519 keys by default too
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:51:12Damien Miller
[authfile.c] correct test that kdf name is not "none" or "bcrypt"
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:50:32Damien Miller
[auth-bsdauth.c ssh-keygen.c] don't count on things that accept arguments by reference to clear things for us on error; most things do, but it's unsafe form.
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:44:58Damien Miller
[ssh-keyscan.c] scan for Ed25519 keys by default too
2014-04-20 - djm@cvs.openbsd.org 2014/03/03 22:22:30Damien Miller
[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@ Id sync only - portable already has this.
2014-04-01 - (djm) Use full release (e.g. 6.5p1) in debug output rather than justDamien Miller
version. From des@des.no
2014-04-01 - (djm) On platforms that support it, use prctl() to prevent sftp-serverDamien Miller
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
2014-03-17 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX toDamien Miller
remind myself to add sandbox violation logging via the log socket.
2014-03-1420140314Tim Rice
- (tim) [opensshd.init.in] Add support for ed25519
2014-03-13 - (djm) Release OpenSSH 6.6Damien Miller
2014-03-04 - djm@cvs.openbsd.org 2014/03/03 22:22:30Damien Miller
[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@
2014-03-02 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks whenDamien Miller
no moduli file exists at the expected location.
2014-02-28 - (djm) [regress/host-expand.sh] Add RCS IdDamien Miller
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 21:21:25Damien Miller
[agent-ptrace.sh agent.sh] keep return values that are printed in error messages; from portable (Id sync only)
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 20:04:16Damien Miller
[login-timeout.sh] remove any existing LoginGraceTime from sshd_config before adding a specific one for the test back in
2014-02-28 - djm@cvs.openbsd.org 2014/01/26 10:49:17Damien Miller
[scp-ssh-wrapper.sh scp.sh] make sure $SCP is tested on the remote end rather than whichever one happens to be in $PATH; from portable (Id sync only)
2014-02-28 - djm@cvs.openbsd.org 2014/01/26 10:22:10Damien Miller
[regress/cert-hostkey.sh] automatically generate revoked keys from listed keys rather than manually specifying each type; from portable (Id sync only)
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/25 04:35:32Damien Miller
[regress/Makefile regress/dhgex.sh] Add a test for DH GEX sizes
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/20 00:00:30Damien Miller
[sftp-chroot.sh] append to rather than truncating the log file
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/19 23:43:02Damien Miller
[regress/sftp-chroot.sh] Don't use -q on sftp as it suppresses logging, instead redirect the output to the regress logfile.
2014-02-28 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 22:57:40Damien Miller
[version.h] openssh-6.6
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 22:47:07Damien Miller
[sshd_config.5] bz#2184 clarify behaviour of a keyword that appears in multiple matching Match blocks; ok dtucker@
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 08:25:09Damien Miller
[bufbn.c] off by one in range check
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 00:41:49Damien Miller
[bufbn.c] fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@
2014-02-27 - markus@cvs.openbsd.org 2014/02/26 21:53:37Damien Miller
[sshd.c] ssh_gssapi_prepare_supported_oids needs GSSAPI
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:29:29Damien Miller
[channels.c] don't assume that the socks4 username is \0 terminated; spotted by Ben Hawkes; ok markus@
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:28:44Damien Miller
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c] bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep sandboxing, as running this code in the sandbox can cause violations; ok markus@
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:18:37Damien Miller
[ssh.c] bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:03:42Damien Miller
[ssh-ed25519.c] check for unsigned overflow; not reachable in OpenSSH but others might copy our code...
2014-02-24 - djm@cvs.openbsd.org 2014/02/22 01:32:19Damien Miller
[readconf.c] when processing Match blocks, skip 'exec' clauses if previous predicates failed to match; ok markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/15 23:05:36Damien Miller
[channels.c] avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W; bz#2200, debian#738692 via Colin Watson; ok dtucker@
2014-02-24 - djm@cvs.openbsd.org 2014/02/07 06:55:54Damien Miller
[cipher.c mac.c] remove some logging that makes ssh debugging output very verbose; ok markus
2014-02-2120140221Tim Rice
- (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.