summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-05-29upstream commitdjm@openbsd.org
make this work without SUDO set; ok dtucker@ Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715
2015-05-28upstream commitdjm@openbsd.org
wrap all moduli-related code in #ifdef WITH_OPENSSL. based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@ Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
2015-05-28upstream commitdtucker@openbsd.org
Increase the allowed length of the known host file name in the log message to be consistent with other cases. Part of bz#1993, ok deraadt. Upstream-ID: a9e97567be49f25daf286721450968251ff78397
2015-05-28upstream commitdtucker@openbsd.org
Fix typo (keywork->keyword) Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
2015-05-28upstream commitdjm@openbsd.org
add error message on ftruncate failure; bz#2176 Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf
2015-05-28upstream commitdjm@openbsd.org
make ssh-keygen default to ed25519 keys when compiled without OpenSSL; bz#2388, ok dtucker@ Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71
2015-05-28upstream commitdtucker@openbsd.org
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@ Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
2015-05-28upstream commitdtucker@openbsd.org
Add a stronger (4k bit) fallback group that sshd can use when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok markus@ (earlier version), djm@ Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
2015-05-28New moduli file from OpenBSD, removing 1k groups.Darren Tucker
Remove 1k bit groups. ok deraadt@, markus@
2015-05-27upstream commitdjm@openbsd.org
support PKCS#11 devices with external PIN entry devices bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@ Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
2015-05-27upstream commitdtucker@openbsd.org
Cap DH-GEX group size at 4kbits for Cisco implementations. Some of them will choke when asked for preferred sizes >4k instead of returning the 4k group that they do have. bz#2209, ok djm@ Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
2015-05-25upstream commitdjm@openbsd.org
add missing 'c' option to getopt(), case statement was already there; from Felix Bolte Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081
2015-05-25upstream commitjsg@openbsd.org
fix a memory leak in an error path ok markus@ dtucker@ Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598
2015-05-22upstream commitdjm@openbsd.org
mention ssh-keygen -E for comparing legacy MD5 fingerprints; bz#2332 Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
2015-05-22upstream commitdjm@openbsd.org
Reorder EscapeChar option parsing to avoid a single-byte out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@ Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
2015-05-22upstream commitdjm@openbsd.org
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-22Include signal.h for sig_atomic_t, used by kex.h.Darren Tucker
bz#2402, from tomas.kuthan at oracle com.
2015-05-22Import updated moduli file from OpenBSD.Darren Tucker
2015-05-21upstream commitdjm@openbsd.org
Support "ssh-keygen -lF hostname" to find search known_hosts and print key hashes. Already advertised by ssh-keygen(1), but not delivered by code; ok dtucker@ Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
2015-05-21conditionalise util.h inclusionDamien Miller
2015-05-21upstream commitdjm@openbsd.org
regress test for AuthorizedPrincipalsCommand Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219
2015-05-21upstream commitdjm@openbsd.org
regress test for AuthorizedKeysCommand arguments Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
2015-05-21upstream commitdjm@openbsd.org
add AuthorizedPrincipalsCommand that allows getting authorized_principals from a subprocess rather than a file, which is quite useful in deployments with large userbases feedback and ok markus@ Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21upstream commitdjm@openbsd.org
support arguments to AuthorizedKeysCommand bz#2081 loosely based on patch by Sami Hartikainen feedback and ok markus@ Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
2015-05-21upstream commitdjm@openbsd.org
refactor: split base64 encoding of pubkey into its own sshkey_to_base64() function and out of sshkey_write(); ok markus@ Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
2015-05-21upstream commitderaadt@openbsd.org
getentropy() and sendsyslog() have been around long enough. openssh-portable may want the #ifdef's but not base. discussed with djm few weeks back Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
2015-05-21upstream commitdtucker@openbsd.org
Use a salted hash of the lock passphrase instead of plain text and do constant-time comparisons of it. Should prevent leaking any information about it via timing, pointed out by Ryan Castellucci. Add a 0.1s incrementing delay for each failed unlock attempt up to 10s. ok markus@ (earlier version), djm@ Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f
2015-05-10upstream commitDamien Miller
- tedu@cvs.openbsd.org 2015/01/12 03:20:04 [bcrypt_pbkdf.c] rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks, nor are they the same size.
2015-05-10upstream commitDamien Miller
- deraadt@cvs.openbsd.org 2015/01/08 00:30:07 [bcrypt_pbkdf.c] declare a local version of MIN(), call it MINIMUM()
2015-05-10upstream commitDamien Miller
- djm@cvs.openbsd.org 2014/12/30 01:41:43 [bcrypt_pbkdf.c] typo in comment: ouput => output
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-05-10upstream commitdjm@openbsd.org
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET. Improves error messages on TCP connection resets. bz#2257 ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
a couple of parse targets were missing activep checks, causing them to be misapplied in match context; bz#2272 diagnosis and original patch from Sami Hartikainen ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
remove failed remote forwards established by muliplexing from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
reduce stderr spam when using ssh -S /path/mux -O forward -R 0:... ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
2015-05-10upstream commitdjm@openbsd.org
Don't make parsing of authorized_keys' environment= option conditional on PermitUserEnv - always parse it, but only use the result if the option is enabled. This prevents the syntax of authorized_keys changing depending on which sshd_config options were enabled. bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-05-10upstream commitdtucker@openbsd.org
Add a simple regression test for sshd's configuration parser. Right now, all it does is run the output of sshd -T back through itself and ensure the output is valid and invariant.
2015-05-10upstream commitdjm@openbsd.org
use correct key for nested certificate test
2015-05-10upstream commitdjm@openbsd.org
mention that the user's shell from /etc/passwd is used for commands too; bz#1459 ok dtucker@
2015-05-08upstream commitdjm@openbsd.org
whitespace Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519
2015-05-08upstream commitdjm@openbsd.org
whitespace at EOL Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554
2015-05-08upstream commitdjm@openbsd.org
moar whitespace at eol Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
2015-05-08upstream commitdjm@openbsd.org
whitespace at EOL Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c
2015-05-08upstream commitdjm@openbsd.org
whitespace at EOL
2015-05-08upstream commitdtucker@openbsd.org
Use diff w/out -u for better portability
2015-05-08upstream commitdtucker@openbsd.org
Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok djm@
2015-05-08upstream commitdjm@openbsd.org
don't choke on new-format private keys encrypted with an AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@