Age - Commit message | Author
2008-06-10 - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 | Darren Tucker
since the new CIDR code in addmatch.c references it.
2008-06-10 - dtucker@cvs.openbsd.org 2008/06/10 05:23:32 | Darren Tucker
[addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@
2008-06-10 - dtucker@cvs.openbsd.org 2008/06/09 18:06:32 | Darren Tucker
[regress/test-exec.sh] Don't generate putty keys if we're not going to use them. ok djm
2008-06-10 - jmc@cvs.openbsd.org 2008/06/10 08:17:40 | Darren Tucker
[sshd.8 sshd.c] - update usage() - fix SYNOPSIS, and sort options - some minor additional fixes
2008-06-10 - jmc@cvs.openbsd.org 2008/06/10 07:12:00 | Darren Tucker
[sshd_config.5] tweak previous;
2008-06-10 - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 | Darren Tucker
[sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] Add extended test mode (-T) and connection parameters for test mode (-C). -T causes sshd to write its effective configuration to stdout and exit. -C causes any relevant Match rules to be applied before output. The combination allows testing of the parser and config files. ok deraadt djm
2008-06-10 - djm@cvs.openbsd.org 2008/06/10 04:17:46 | Darren Tucker
[sshd_config.5] better reference for pattern-list
2008-06-10 - (dtucker) OpenBSD CVS Sync | Darren Tucker
- djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example:

    Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
        PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c
feedback and ok dtucker@
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/09 13:38:46 | Darren Tucker
[PROTOCOL] Use a $OpenBSD tag so our scripts will sync changes.
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 | Darren Tucker
[PROTOCOL] Have the sftp client store the statvfs replies in wire format, which prevents problems when the server's native sizes exceed the client's. Also extends the sizes of the remaining 32bit wire format to 64bit, they're specified as unsigned long in the standard.
2008-06-09 - djm@cvs.openbsd.org 2008/06/07 21:52:46 | Darren Tucker
[PROTOCOL] statvfs member fsid needs to be wider, increase it to 64 bits and crank extension revision number to 2; prodded and ok dtucker@
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/09 13:02:39 | Darren Tucker
Extend 32bit -> 64bit values for statvfs extension missed in previous commit.
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 | Darren Tucker
[sftp.c sftp-client.c sftp-client.h] Have the sftp client store the statvfs replies in wire format, which prevents problems when the server's native sizes exceed the client's. Also extends the sizes of the remaining 32bit wire format to 64bit, they're specified as unsigned long in the standard.
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 | Darren Tucker
[sftp-server.c] Add case for ENOSYS in errno_to_portable; ok deraadt
2008-06-09 - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a | Darren Tucker
macro to convert fsid to unsigned long for platforms where fsid is a 2-member array.
2008-06-09 - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c | Darren Tucker
openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and fstatvfs and remove #defines around statvfs code. ok djm@
2008-06-08 - djm@cvs.openbsd.org 2008/06/07 21:52:46 | Darren Tucker
[sftp-server.c sftp-client.c] statvfs member fsid needs to be wider, increase it to 64 bits and crank extension revision number to 2; prodded and ok dtucker@
2008-06-08 - djm@cvs.openbsd.org 2008/05/19 20:53:52 | Darren Tucker
[clientloop.c] unbreak tree by committing this bit that I missed from: Fix sending tty modes when stdin is not a tty (bz#1199). Previously we would send the modes corresponding to a zeroed struct termios, whereas we should have been sending an empty list of modes. Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
2008-06-08 - djm@cvs.openbsd.org 2008/05/19 15:46:31 | Darren Tucker
[ssh-keygen.c] support -l (print fingerprint) in combination with -F (find host) to search for a host in ~/.ssh/known_hosts and display its fingerprint; ok markus@
2008-06-08 - djm@cvs.openbsd.org 2008/05/19 15:45:07 | Darren Tucker
[sshtty.c ttymodes.c sshpty.h] Fix sending tty modes when stdin is not a tty (bz#1199). Previously we would send the modes corresponding to a zeroed struct termios, whereas we should have been sending an empty list of modes. Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
2008-06-08 - djm@cvs.openbsd.org 2008/05/19 06:14:02 | Darren Tucker
[packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@
2008-06-08 - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c] Do | Darren Tucker
not enable statvfs extensions on platforms that do not have statvfs. ok djm@
2008-06-07 - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H. | Darren Tucker
2008-06-04 - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias | Damien Miller
in arc4random_uniform with upper_bound in (2^30,2*31). Note that OpenSSH did not make requests with upper bounds in this range.
2008-05-20 - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in] | Damien Miller
[openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h] Fix compilation on Linux, including pulling in fmt_scaled(3) implementation from OpenBSD's libutil.
2008-05-19 - djm@cvs.openbsd.org 2008/05/16 08:30:42 | Damien Miller
[PROTOCOL] document our protocol extensions and deviations; ok markus@
- djm@cvs.openbsd.org 2008/05/17 01:31:56 [PROTOCOL] grammar and correctness fixes from stevesk@
2008-05-19 - djm@cvs.openbsd.org 2008/05/18 21:29:05 | Damien Miller
[sftp-server.c] comment extension announcement
2008-05-19 - djm@cvs.openbsd.org 2008/05/15 23:52:24 | Damien Miller
[nchan2.ms] document eow message in ssh protocol 2 channel state machine; feedback and ok markus@
2008-05-19 - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20 | Damien Miller
[umac.c] Ensure nh_result lies on a 64-bit boundary (fixes warnings observed on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@
2008-05-19 - markus@cvs.openbsd.org 2008/05/09 16:21:13 | Damien Miller
[channels.h clientloop.c nchan.c serverloop.c] unbreak ssh -2 localhost od /bin/ls | true ignoring SIGPIPE by adding a new channel message (EOW) that signals the peer that we're not interested in any data it might send. fixes bz #85; discussion, debugging and ok djm@
2008-05-19 - markus@cvs.openbsd.org 2008/05/09 16:17:51 | Damien Miller
[channels.c] error-fd race: don't enable the error fd in the select bitmask for channels with both in- and output closed, since the channel will go away before we call select(); report, lots of debugging help and ok djm@
2008-05-19 - markus@cvs.openbsd.org 2008/05/09 16:16:06 | Damien Miller
[session.c] re-add the USE_PIPES code and enable it. without pipes shutdown-read from the sshd does not trigger a SIGPIPE when the forked program does a write. ok djm@ (Id sync only, USE_PIPES never left portable OpenSSH)
2008-05-19 - djm@cvs.openbsd.org 2008/05/09 14:26:08 | Damien Miller
[ssh.c] dingo stole my diff hunk
2008-05-19 - djm@cvs.openbsd.org 2008/05/09 14:18:44 | Damien Miller
[clientloop.c clientloop.h ssh.c mux.c] tidy up session multiplexing code, moving it into its own file and making the function names more consistent - making ssh.c and clientloop.c a fair bit more readable. ok markus@
2008-05-19 - djm@cvs.openbsd.org 2008/05/09 04:55:56 | Damien Miller
[channels.c channels.h clientloop.c serverloop.c] Try additional addresses when connecting to a port forward destination whose DNS name resolves to more than one address. The previous behaviour was to try the first address and give up. Reported by stig AT venaas.com in bz#343 great feedback and ok markus@
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 13:06:11 | Damien Miller
[clientloop.c clientloop.h ssh.c] Use new channel status confirmation callback system to properly deal with "important" channel requests that fail, in particular command exec, shell and subsystem requests. Previously we would optimistically assume that the requests would always succeed, which could cause hangs if they did not (e.g. when the server runs out of fds) or were unimplemented by the server (bz #1384) Also, properly report failing multiplex channel requests via the mux client stderr (subject to LogLevel in the mux master) - better than silently failing. most bits ok markus@ (as part of a larger diff)
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:21:16 | Damien Miller
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
2008-05-19 - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h | Damien Miller
2008-05-19 - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes | Damien Miller
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:02:23 | Damien Miller
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] [ssh.c sshd.c] Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel). Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory. ok markus@ (as part of a larger diff)
2008-05-19 - markus@cvs.openbsd.org 2008/05/08 06:59:01 | Damien Miller
[bufaux.c buffer.h channels.c packet.c packet.h] avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
2008-05-19 - jmc@cvs.openbsd.org 2008/05/07 08:00:14 | Damien Miller
[sshd_config.5] sort;
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 06:43:35 | Damien Miller
[sshd_config] push the sshd_config bits in, spotted by ajacoutot@
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 05:49:37 | Damien Miller
[servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
2008-05-19 - djm@cvs.openbsd.org 2008/04/30 10:14:03 | Damien Miller
[ssh-keyscan.1 ssh-keyscan.c] default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by larsnooden AT openoffice.org
2008-05-19 - otto@cvs.openbsd.org 2008/04/29 11:20:31 | Damien Miller
[monitor_mm.h] garbage collect two unused fields in struct mm_master; ok markus@
2008-05-19 - djm@cvs.openbsd.org 2008/04/18 22:01:33 | Damien Miller
[session.c] remove unnecessary parentheses
2008-05-19 - jmc@cvs.openbsd.org 2008/04/18 17:15:47 | Damien Miller
[sftp.1] macro fixage;
2008-05-19 - djm@cvs.openbsd.org 2008/04/18 12:32:11 | Damien Miller
[sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h] introduce sftp extension methods statvfs@openssh.com and fstatvfs@openssh.com that implement statvfs(2)-like operations, based on a patch from miklos AT szeredi.hu (bz#1399) also add a "df" command to the sftp client that uses the statvfs@openssh.com to produce a df(1)-like display of filesystem space and inode utilisation ok markus@
2008-05-19 - (djm) OpenBSD CVS Sync | Damien Miller
- djm@cvs.openbsd.org 2008/04/13 00:22:17 [dh.c sshd.c] Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound is not a power of two
ok deraadt@ millert@