summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 09:58:37Damien Miller
[auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] [packet.h ssh-dss.c ssh-rsa.c] Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
2010-08-31 - djm@cvs.openbsd.org 2010/08/16 04:06:06Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] backout previous temporarily; discussed with deraadt@
2010-08-31 - tedu@cvs.openbsd.org 2010/08/12 23:34:39Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
2010-08-31 - jmc@cvs.openbsd.org 2010/08/08 19:36:30Damien Miller
[ssh-keysign.8 ssh.1 sshd.8] use the same template for all FILES sections; i.e. -compact/.Pp where we have multiple items, and .Pa for path names;
2010-08-27 - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated,Darren Tucker
remove. Patch from martynas at venck us.
2010-08-23 - (djm) Release OpenSSH-5.6p1Damien Miller
2010-08-17- (djm) [regress/README.regress] typoDamien Miller
2010-08-17 - djm@cvs.openbsd.org 2010/08/12 21:49:44Damien Miller
[ssh.c] close any extra file descriptors inherited from parent at start and reopen stdin/stdout to /dev/null when forking for ControlPersist. prevents tools that fork and run a captive ssh for communication from failing to exit when the ssh completes while they wait for these fds to close. The inherited fds may persist arbitrarily long if a background mux master has been started by ControlPersist. cvs and scp were effected by this. "please commit" markus@
2010-08-16 - (dtucker) [configure.ac openbsd-compat/Makefile.inDarren Tucker
openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to the compat library which helps on platforms like old IRIX. Based on work by djm, tested by Tom Christensen.
2010-08-12 - (tim) [auth.c] add cast to quiet compiler. Change only affects SVR5 systems.Tim Rice
2010-08-12 - (tim) [regress/login-timeout.sh regress/reconfigure.sh regress/reexec.shTim Rice
regress/test-exec.sh] Under certain conditions when testing with sudo tests would fail because the pidfile could not be read by a regular user. "cat: cannot open ...../regress/pidfile: Permission denied (error 13)" Make sure cat is run by $SUDO. no objection from me. djm@
2010-08-10 - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id.Darren Tucker
based in part on a patch from Colin Watson, ok djm@
2010-08-10 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it isDamien Miller
already set. Makes FreeBSD user openable tunnels useful; patch from richard.burakowski+ossh AT mrburak.net, ok dtucker@
2010-08-09 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2010-08-09 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/08/08 16:26:42 [version.h] crank to 5.6
2010-08-09unbreak datestampsDamien Miller
2010-08-05 - djm@cvs.openbsd.org 2010/08/05 13:08:42Damien Miller
[channels.c] Fix a trio of bugs in the local/remote window calculation for datagram data channels (i.e. TunnelForward): Calculate local_consumed correctly in channel_handle_wfd() by measuring the delta to buffer_len(c->output) from when we start to when we finish. The proximal problem here is that the output_filter we use in portable modified the length of the dequeued datagram (to futz with the headers for !OpenBSD). In channel_output_poll(), don't enqueue datagrams that won't fit in the peer's advertised packet size (highly unlikely to ever occur) or which won't fit in the peer's remaining window (more likely). In channel_input_data(), account for the 4-byte string header in datagram packets that we accept from the peer and enqueue in c->output. report, analysis and testing 2/3 cases from wierbows AT us.ibm.com; "looks good" markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 06:08:40Damien Miller
[ssh-keysign.c] clean for -Wuninitialized (Id sync only; portable had this change)
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 06:07:11Damien Miller
[ssh-keygen.1 ssh-keygen.c] Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:49:22Damien Miller
[authfile.c] commited the wrong version of the hostbased certificate diff; this version replaces some strlc{py,at} verbosity with xasprintf() at the request of markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:42:47Damien Miller
[auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] [ssh-keysign.c ssh.c] enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:40:39Damien Miller
[PROTOCOL.certkeys ssh-keygen.c] tighten the rules for certificate encoding by requiring that options appear in lexical order and make our ssh-keygen comply. ok markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:37:01Damien Miller
[ssh.1 ssh_config.5 sshd.8] Remove mentions of weird "addr/port" alternate address format for IPv6 addresses combinations. It hasn't worked for ages and we have supported the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-03 - dtucker@cvs.openbsd.org 2010/07/23 08:49:25Damien Miller
[ssh.1] Ciphers is documented in ssh_config(5) these days
2010-08-03 - djm@cvs.openbsd.org 2010/07/21 02:10:58Damien Miller
[misc.c] sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern
2010-08-03 - djm@cvs.openbsd.org 2010/07/19 09:15:12Damien Miller
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5] add a "ControlPersist" option that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but further hacked on by wmertens AT cisco.com, apb AT cequrux.com, martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
2010-08-03 - djm@cvs.openbsd.org 2010/07/19 03:16:33Damien Miller
[sftp-client.c] bz#1797: fix swapped args in upload_dir_internal(), breaking recursive upload depth checks and causing verbose printing of transfers to always be turned on; patch from imorgan AT nas.nasa.gov
2010-08-03 - djm@cvs.openbsd.org 2010/07/16 14:07:35Damien Miller
[ssh-rsa.c] more timing paranoia - compare all parts of the expected decrypted data before returning. AFAIK not exploitable in the SSH protocol. "groovy" deraadt@
2010-08-03 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/07/16 04:45:30 [ssh-keygen.c] avoid bogus compiler warning
2010-08-03 - (dtucker) [monitor.c] Bug #1795: Initialize the values to be returned fromDarren Tucker
PAM to sane values in case the PAM method doesn't write to them. Spotted by Bitman Zhou, ok djm@.
2010-07-19 - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with moreDarren Tucker
details about its behaviour WRT existing directories. Patch from asguthrie at gmail com, ok djm.
2010-07-16 - schwarze@cvs.openbsd.org 2010/07/15 21:20:38Damien Miller
[ssh-keygen.1] repair incorrect block nesting, which screwed up indentation; problem reported and fix OK by jmc@
2010-07-16 - jmc@cvs.openbsd.org 2010/07/14 17:06:58Damien Miller
[ssh.1] finally ssh synopsis looks nice again! this commit just removes a ton of hacks we had in place to make it work with old groff;
2010-07-16 - djm@cvs.openbsd.org 2010/07/13 23:13:16Damien Miller
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c] [ssh-rsa.c] s/timing_safe_cmp/timingsafe_bcmp/g
2010-07-16 - djm@cvs.openbsd.org 2010/07/13 11:52:06Damien Miller
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c] [packet.c ssh-rsa.c] implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
2010-07-16 - djm@cvs.openbsd.org 2010/07/12 22:41:13Damien Miller
[ssh.c ssh_config.5] expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified hostnames: Host *.* Hostname %h Host * Hostname %h.example.org "I like it" markus@
2010-07-16 - djm@cvs.openbsd.org 2010/07/12 22:38:52Damien Miller
[ssh.c] Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f") for protocol 2. ok markus@
2010-07-16 - djm@cvs.openbsd.org 2010/07/02 04:32:44Damien Miller
[misc.c] unbreak strdelim() skipping past quoted strings, e.g. AllowUsers "blah blah" blah was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com ok dtucker;
2010-07-14 - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpassTim Rice
(line 77) should have been for no_x11_askpass.
2010-07-02 - djm@cvs.openbsd.org 2010/06/29 23:59:54Damien Miller
[cert-userkey.sh] regress tests for key options in AuthorizedPrincipals
2010-07-02 - phessler@cvs.openbsd.org 2010/06/27 19:19:56Damien Miller
[Makefile] fix how we run the tests so we can successfully use SUDO='sudo -E' in our env
2010-07-02 - millert@cvs.openbsd.org 2010/07/01 13:06:59Damien Miller
[scp.c] Fix a longstanding problem where if you suspend scp at the password/passphrase prompt the terminal mode is not restored. OK djm@
2010-07-02 - jmc@cvs.openbsd.org 2010/06/30 07:28:34Damien Miller
[sshd_config.5] tweak previous;
2010-07-02 - jmc@cvs.openbsd.org 2010/06/30 07:26:03Damien Miller
[ssh-keygen.c] sort usage();
2010-07-02 - jmc@cvs.openbsd.org 2010/06/30 07:24:25Damien Miller
[ssh-keygen.1] tweak previous;
2010-07-02 - djm@cvs.openbsd.org 2010/06/29 23:16:46Damien Miller
[auth2-pubkey.c sshd_config.5] allow key options (command="..." and friends) in AuthorizedPrincipals; ok markus@
2010-07-02 - djm@cvs.openbsd.org 2010/06/29 23:15:30Damien Miller
[ssh-keygen.1 ssh-keygen.c] allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; bz#1749; ok markus@
2010-07-02 - djm@cvs.openbsd.org 2010/06/26 23:04:04Damien Miller
[ssh.c] oops, forgot to #include <canohost.h>; spotted and patch from chl@
2010-07-02 - jmc@cvs.openbsd.org 2010/06/26 00:57:07Damien Miller
[ssh_config.5] tweak previous;
2010-06-26 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needsTim Rice
key.h.