Age | Commit message | Author
2008-06-13 | - djm@cvs.openbsd.org 2008/06/12 05:15:41 | Darren Tucker
    [PROTOCOL] document tun@openssh.com forwarding method
2008-06-13 | - djm@cvs.openbsd.org 2008/06/12 04:24:06 | Darren Tucker
    [ssh.c] thou shalt not code past the eightieth column
2008-06-13 | - djm@cvs.openbsd.org 2008/06/12 04:17:47 | Darren Tucker
    [clientloop.c] thou shalt not code past the eightieth column
2008-06-13 | - djm@cvs.openbsd.org 2008/06/12 04:06:00 | Darren Tucker
    [clientloop.h ssh.c clientloop.c] maintain an ordered queue of outstanding global requests that we expect replies to, similar to the per-channel confirmation queue. Use this queue to verify success or failure for remote forward establishment in a race free way. ok dtucker@
2008-06-13 | - djm@cvs.openbsd.org 2008/06/12 03:40:52 | Darren Tucker
    [clientloop.h mux.c channels.c clientloop.c channels.h] Enable ~ escapes for multiplex slave sessions; give each channel its own escape state and hook the escape filters up to muxed channels. bz #1331 Mux slaves do not currently support the ~^Z and ~& escapes. NB. this change cranks the mux protocol version, so a new ssh mux client will not be able to connect to a running old ssh mux master. ok dtucker@
2008-06-13 | - otto@cvs.openbsd.org 2008/06/12 00:13:13 | Darren Tucker
    [key.c] use an odd number of rows and columns and a separate start marker, looks better; ok grunk@
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/12 00:13:55 | Darren Tucker
    [sshconnect.c] Make ssh print the random art also when ssh'ing to a host using IP only. spotted by naddy@, ok and help djm@ dtucker@
2008-06-13 | - dtucker@cvs.openbsd.org 2008/06/12 00:03:49 | Darren Tucker
    [dns.c canohost.c sshconnect.c] Do not pass "0" strings as ports to getaddrinfo because the lookups can slow things down and we never use the service info anyway. bz #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok deraadt@ djm@ djm believes that the reason for the "0" strings is to ensure that it's not possible to call getaddrinfo with both host and port being NULL. In the case of canohost.c host is a local array. In the case of sshconnect.c, it's checked for null immediately before use. In dns.c it ultimately comes from ssh.c:main() and is guaranteed to be non-null but it's not obvious, so I added a warning message in case it is ever passed a null.
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 23:51:57 | Darren Tucker
    [key.c] #define statements that are not atoms need braces around them, else they will cause trouble in some cases. Also do a computation of -1 once, and not in a loop several times. spotted by otto@
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 23:03:56 | Darren Tucker
    [ssh_config.5] CheckHostIP set to ``fingerprint'' will display both hex and random art spotted by naddy@
2008-06-13 | - otto@cvs.openbsd.org 2008/06/11 23:02:22 | Darren Tucker
    [key.c] simpler way of computing the augmentations; ok grunk@
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 22:20:46 | Darren Tucker
    [ssh-keygen.c ssh-keygen.1] ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, that is not how it was envisioned. Also correct manpage saying that -v is needed along with -l for it to work. spotted by naddy@
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 21:38:25 | Darren Tucker
    [ssh-keygen.c] ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub would not display you the random art as intended, spotted by canacar@
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 21:01:35 | Darren Tucker
    [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c sshconnect.c] Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@
2008-06-13 | - jmc@cvs.openbsd.org 2008/06/11 07:30:37 | Darren Tucker
    [sshd.8] kill trailing whitespace;
2008-06-12 | - (djm) [channels.c configure.ac] | Damien Miller
    Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no) bz#1464; ok dtucker
2008-06-11 | - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now. | Darren Tucker
2008-06-11 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 | Darren Tucker
    [Makefile regress/key-options.sh] Add regress test for key options. ok djm@
2008-06-11 | - dtucker@cvs.openbsd.org 2008/06/10 23:21:34 | Darren Tucker
    [bufaux.c] Use '\0' for a nul byte rather than unadorned 0. ok djm@
2008-06-11 | - djm@cvs.openbsd.org 2008/06/10 23:06:19 | Darren Tucker
    [auth-options.c match.c servconf.c addrmatch.c sshd.8] support CIDR address matching in .ssh/authorized_keys from="..." stanzas ok and extensive testing dtucker@
2008-06-11 | - djm@cvs.openbsd.org 2008/06/10 22:15:23 | Darren Tucker
    [PROTOCOL ssh.c serverloop.c] Add a no-more-sessions@openssh.com global request extension that the client sends when it knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session. Why would a non-multiplexing client ever issue additional session requests? It could have been attacked with something like SSH'jack: http://www.storm.net.nz/projects/7 feedback & ok markus
2008-06-11 | - dtucker@cvs.openbsd.org 2008/06/10 18:21:24 | Darren Tucker
    [ssh_config.5] clarify that Host patterns are space-separated. ok deraadt
2008-06-11 | - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well as environment. | Darren Tucker
2008-06-11 | - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 specific tests on platforms that don't do IPv6. | Darren Tucker
2008-06-11 | - dtucker@cvs.openbsd.org 2008/06/10 15:28:49 | Darren Tucker
    [test-exec.sh] Add quotes
2008-06-11 | - dtucker@cvs.openbsd.org 2008/06/10 15:21:41 | Darren Tucker
    [test-exec.sh] Use a more portable construct for checking if we're running a putty test
2008-06-11 | fix version tag | Darren Tucker
2008-06-10 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 since the new CIDR code in addrmatch.c references it. | Darren Tucker
2008-06-10 | - dtucker@cvs.openbsd.org 2008/06/10 05:23:32 | Darren Tucker
    [addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@
2008-06-10 | - dtucker@cvs.openbsd.org 2008/06/09 18:06:32 | Darren Tucker
    [regress/test-exec.sh] Don't generate putty keys if we're not going to use them. ok djm
2008-06-10 | - jmc@cvs.openbsd.org 2008/06/10 08:17:40 | Darren Tucker
    [sshd.8 sshd.c] - update usage() - fix SYNOPSIS, and sort options - some minor additional fixes
2008-06-10 | - jmc@cvs.openbsd.org 2008/06/10 07:12:00 | Darren Tucker
    [sshd_config.5] tweak previous;
2008-06-10 | - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 | Darren Tucker
    [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] Add extended test mode (-T) and connection parameters for test mode (-C). -T causes sshd to write its effective configuration to stdout and exit. -C causes any relevant Match rules to be applied before output. The combination allows testing of the parser and config files. ok deraadt djm
2008-06-10 | - djm@cvs.openbsd.org 2008/06/10 04:17:46 | Darren Tucker
    [sshd_config.5] better reference for pattern-list
2008-06-10 | - (dtucker) OpenBSD CVS Sync | Darren Tucker
    - djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example:
        Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
            PasswordAuthentication yes
    addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@
2008-06-09 | - dtucker@cvs.openbsd.org 2008/06/09 13:38:46 | Darren Tucker
    [PROTOCOL] Use a $OpenBSD tag so our scripts will sync changes.
2008-06-09 | - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 | Darren Tucker
    [PROTOCOL] Have the sftp client store the statvfs replies in wire format, which prevents problems when the server's native sizes exceed the client's. Also extends the sizes of the remaining 32bit wire format to 64bit, they're specified as unsigned long in the standard.
2008-06-09 | - djm@cvs.openbsd.org 2008/06/07 21:52:46 | Darren Tucker
    [PROTOCOL] statvfs member fsid needs to be wider, increase it to 64 bits and crank extension revision number to 2; prodded and ok dtucker@
2008-06-09 | - dtucker@cvs.openbsd.org 2008/06/09 13:02:39 | Darren Tucker
    Extend 32bit -> 64bit values for statvfs extension missed in previous commit.
2008-06-09 | - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 | Darren Tucker
    [sftp.c sftp-client.c sftp-client.h] Have the sftp client store the statvfs replies in wire format, which prevents problems when the server's native sizes exceed the client's. Also extends the sizes of the remaining 32bit wire format to 64bit, they're specified as unsigned long in the standard.
2008-06-09 | - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 | Darren Tucker
    [sftp-server.c] Add case for ENOSYS in errno_to_portable; ok deraadt
2008-06-09 | - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a macro to convert fsid to unsigned long for platforms where fsid is a 2-member array. | Darren Tucker
2008-06-09 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and fstatvfs and remove #defines around statvfs code. ok djm@ | Darren Tucker
2008-06-08 | - djm@cvs.openbsd.org 2008/06/07 21:52:46 | Darren Tucker
    [sftp-server.c sftp-client.c] statvfs member fsid needs to be wider, increase it to 64 bits and crank extension revision number to 2; prodded and ok dtucker@
2008-06-08 | - djm@cvs.openbsd.org 2008/05/19 20:53:52 | Darren Tucker
    [clientloop.c] unbreak tree by committing this bit that I missed from: Fix sending tty modes when stdin is not a tty (bz#1199). Previously we would send the modes corresponding to a zeroed struct termios, whereas we should have been sending an empty list of modes. Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
2008-06-08 | - djm@cvs.openbsd.org 2008/05/19 15:46:31 | Darren Tucker
    [ssh-keygen.c] support -l (print fingerprint) in combination with -F (find host) to search for a host in ~/.ssh/known_hosts and display its fingerprint; ok markus@
2008-06-08 | - djm@cvs.openbsd.org 2008/05/19 15:45:07 | Darren Tucker
    [sshtty.c ttymodes.c sshpty.h] Fix sending tty modes when stdin is not a tty (bz#1199). Previously we would send the modes corresponding to a zeroed struct termios, whereas we should have been sending an empty list of modes. Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
2008-06-08 | - djm@cvs.openbsd.org 2008/05/19 06:14:02 | Darren Tucker
    [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@
2008-06-08 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c] Do not enable statvfs extensions on platforms that do not have statvfs. ok djm@ | Darren Tucker
2008-06-07 | - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H. | Darren Tucker