Age | Commit message (Collapse) | Author |
|
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
|
|
nc from stdin, it's more portable
|
|
is closed; avoid regress failures when stdin is /dev/null
|
|
a better solution, but this will have to do for now.
|
|
[sftp-server.8 sshd_config.5]
some systems no longer need /dev/log;
issue noticed by jirib;
ok deraadt
|
|
[ssh-agent.c]
Clear buffer used for handling messages. This prevents keys being
left in memory after they have been expired or deleted in some cases
(but note that ssh-agent is setgid so you would still need root to
access them). Pointed out by Kevin Burns, ok deraadt
|
|
- millert@cvs.openbsd.org 2014/07/24 22:57:10
[ssh.1]
Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
|
|
pointed out by Christian Hesse
|
|
[regress/unittests/sshkey/testdata/*]
Regenerate test keys with certs signed with ed25519 instead of ecdsa.
These can be used in -portable on platforms that don't support ECDSA.
|
|
[regress/unittests/sshkey/mktestdata.sh]
Add $OpenBSD tag to make syncs easier
|
|
[regress/unittests/sshkey/mktestdata.sh]
Sign test certs with ed25519 instead of ecdsa so that they'll work in
-portable on platforms that don't have ECDSA in their OpenSSL. ok djm
|
|
[regress/multiplex.sh]
change the test for still-open Unix domain sockets to be robust against
nc implementations that produce error messages. from -portable
(Id sync only)
|
|
[umac.c]
Convert from <sys/endian.h> to the shiney new <endian.h>
ok dtucker@, who also confirmed that -portable handles this already
(ID sync only, includes.h pulls in endian.h if available.)
|
|
[key.c]
Prevent spam from key_load_private_pem during hostbased auth. ok djm@
|
|
specific tests inside OPENSSL_HAS_ECC.
|
|
domain sockets to be robust against nc implementations that produce
error messages.
|
|
put it back
|
|
OPENSSL_HAS_ECC.
|
|
|
|
[forwarding.sh multiplex.sh]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
{common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
ifdefs.
|
|
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
|
|
in servconf.h.
|
|
|
|
tests.
|
|
in servconf.h.
|
|
[ssh-agent.c]
restore umask around listener socket creation (dropped in streamlocal patch
merge)
|
|
[mux.c ssh.c]
reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
previously we were always returning 0. bz#2255 reported by Brendan
Germain; ok dtucker
|
|
[key.c]
silence "incorrect passphrase" error spam; reported and ok dtucker@
|
|
[mux.c]
preserve errno across syscall
|
|
[sandbox-systrace.c]
ifdef SYS_sendsyslog so this will compile without patching on -stable
|
|
[ssh.1]
add the streamlocal* options to ssh's -o list; millert says they're
irrelevant for scp/sftp;
ok markus millert
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[myproposal.h]
by popular demand, add back hamc-sha1 to server proposal for better compat
with many clients still in use. ok deraadt
|
|
[sandbox-systrace.c]
Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
update your kernels and sshd soon.. libc will start using sendsyslog()
in about 4 days.
|
|
Reported by Petr Lautrbach.
|
|
has been located; fixes builds agains libressl-portable
|
|
- benno@cvs.openbsd.org 2014/07/09 14:15:56
[ssh-add.c]
fix ssh-add crash while loading more than one key
ok markus@
|
|
[multiplex.sh]
remove forced-fatal that I stuck in there to test the new cleanup
logic and forgot to remove...
|
|
[multiplex.sh test-exec.sh]
add a hook to the cleanup() function to kill $SSH_PID if it is set
use it to kill the mux master started in multiplex.sh (it was being left
around on fatal failures)
|
|
[key.c]
downgrade more error() to debug() to better match what old authfile.c
did; suppresses spurious errors with hostbased authentication enabled
|
|
[sftp.c]
more useful error message when GLOB_NOSPACE occurs;
bz#2254, patch from Orion Poplawski
|
|
[ssh_config.5]
mention that ProxyCommand is executed using shell "exec" to avoid
a lingering process; bz#1977
|
|
[channels.c]
fix remote-forward cancel regression; ok markus@
|
|
[authfile.h]
remove leakmalloc droppings
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
|
|
[channels.c]
allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@
|
|
[sshconnect.c]
when rekeying, skip file/DNS lookup if it is the same as the key sent
during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
|
|
[cipher-chachapoly.c]
Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
makes it easier to verify that chacha_encrypt_bytes() is only called once
per chacha_ivsetup() call.
ok djm@
|
|
[auth.c auth.h auth1.c auth2.c]
make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker
|