Age | Commit message (Collapse) | Author |
|
Use a subshell for constructing key types to work around
different sed behaviours for -portable.
Upstream-Regress-ID: 0f6eb673162df229eda9a134a0f10da16151552d
|
|
correct some typos and remove a long-stale XXX note.
add specification for ed25519 certificates
mention no host certificate options/extensions are currently defined
pointed out by Simon Tatham
Upstream-ID: 7b535ab7dba3340b7d8210ede6791fdaefdf839a
|
|
add ed25519 keys that are supported but missing from this
documents; from Peter Moody
Upstream-ID: 8caac2d8e8cfd2fca6dc304877346e0a064b014b
|
|
Implement IUTF8 as per draft-sgtatham-secsh-iutf8-00. Patch
from Simon Tatham, ok markus@
Upstream-ID: 58268ebdf37d9d467f78216c681705a5e10c58e8
|
|
unbreak config parsing on reexec from previous commit
Upstream-ID: bc69932638a291770955bd05ca55a32660a613ab
|
|
unit and regress tests for SHA256/512; ok markus
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
|
|
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker
ok markus@
Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
|
|
support SHA256 and SHA512 RSA signatures in certificates;
ok markus@
Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
|
|
fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
better safety checking; feedback and ok markus@
Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
|
|
close ControlPersist background process stderr when not
in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
|
|
fix comment
Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15
|
|
cidr permitted for {allow,deny}users; from lars nooden ok djm
Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
|
|
make argument == NULL tests more consistent
Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d
|
|
tweak previous;
Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
|
|
missing bit of Include regress
Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f
|
|
remove redundant CLEANFILES section
Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587
|
|
sync CLEANFILES with portable, sort
Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed
|
|
regression test for ssh_config Include directive
Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e
|
|
unbreak test for recent ssh de-duplicated forwarding
change
Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3
|
|
add test knob and warning for StrictModes
Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682
|
|
Include directive for ssh_config(5); feedback & ok markus@
Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
|
|
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
|
|
make private key loading functions consistently handle NULL
key pointer arguments; ok markus@
Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761
|
|
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD. ok djm, sanity checked
by Corinna.
|
|
whitespace at EOL
Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6
|
|
We accidentally send an empty string and a zero uint32 with
every direct-streamlocal@openssh.com channel open, in contravention of our
own spec.
Fixing this is too hard wrt existing versions that expect these
fields to be present and fatal() if they aren't, so document them
as "reserved" fields in the PROTOCOL spec as though we always
intended this and let us never speak of it again.
bz#2529, reported by Ron Frederick
Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7
|
|
don't record duplicate LocalForward and RemoteForward
entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation
where the same forwards are added on the second pass through the
configuration file. bz#2562; ok dtucker@
Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
|
|
Another use for fcntl() and thus of the superfluous 3rd
parameter is when sanitising standard fd's before calling daemon().
Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.
ok jca@ beck@
Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
|
|
|
|
|
|
whitespace at EOL
Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
|
|
Remove fallback from moduli to "primes" file that was
deprecated in 2001 and fix log messages referring to primes file. Based on
patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@
Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
|
|
UseDNS affects ssh hostname processing in authorized_keys,
not known_hosts; bz#2554 reported by jjelen AT redhat.com
Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
|
|
When Solaris Projects are enabled along with PAM setting the project
is PAM's responsiblity. bz#2425, based on patch from
brent.paulson at gmail.com.
|
|
|
|
unbreak authentication using lone certificate keys in
ssh-agent: when attempting pubkey auth with a certificate, if no separate
private key is found among the keys then try with the certificate key itself.
bz#2550 reported by Peter Moody
Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
|
|
sanitise characters destined for xauth reported by
github.com/tintinweb feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
|
|
This allows us to activate only the supported options during the malloc
option portion of the connect-privsep test.
|
|
Pointed out by des at des.no.
|
|
The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to
survive paths containing whitespace. bz#2551, from Corinna Vinschen via
Philip Hands.
|
|
From alex at cooperi.net.
|
|
|
|
Apply all of the portability changes in monotime() to monotime() double.
Fixes build on at least older FreeBSD systems.
|
|
Easier to build all the regression/unit test binaries in one pass
than going through all of ${REGRESS_BINARIES}
|
|
|
|
|
|
"refactor canohost.c" replaced get_canonical_hostname, this makes the
same change to some portable-specific code.
|
|
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
|
|
|
|
Filter debug messages out of log before picking the last
two lines. Should prevent problems if any more debug output is added late in
the connection.
Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
|