Age | Commit message | Author |
|
- Enable pre-auth sandboxing by default for new installs.
- Allow "PermitOpen none" to refuse all port-forwarding requests
(closes: #543683).
|
|
for compatibility with future mingw-w64 headers. Patch from vinschen at
redhat com.
|
|
to support unusual terminal emulators on clients (closes: #675362).
|
|
SELinux policies require this (closes: #658675).
|
|
[contrib/suse/openssh.spec] Update version numbers
|
|
[version.h]
openssh 6.1
|
|
[servconf.c]
handle long comments in config files better. bz#2025, ok markus
|
|
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
|
|
[ssh-keygen.c]
missing full stop in usage();
|
|
- Add Indonesian (thanks, Andika Triwidada; closes: #681670).
|
|
[ssh.c]
move setting of tty_flag to after config parsing so RequestTTY options
are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
ok dtucker@
|
|
[mux.c]
fix memory leak of passed-in environment variables and connection
context when new session message is malformed; bz#2003 from Bert.Wesarg
AT googlemail.com
|
|
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
|
|
unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
esperi.org.uk; ok dtucker@
|
|
not available. Allows use of sshd compiled on host with a filter-capable
kernel on hosts that lack the support. bz#2011 ok dtucker@
|
|
platforms that don't have it. "looks good" tim@
|
|
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
benefit is minor, so it's not worth disabling the sandbox if it doesn't
work.
|
|
setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
|
|
Move cygwin detection to test-exec and use to skip reexec test on cygwin.
|
|
[regress/connect-privsep.sh]
remove exit from end of test since it prevents reporting failure
|
|
[ssh-pkcs11-helper.c sftp-client.c]
fix a couple of "assigned but not used" warnings. ok markus@
|
|
[ssh.c]
set interactive ToS for forwarded X11 sessions. ok djm@
|
|
[sandbox-systrace.c sshd.c]
fix a during the load of the sandbox policies (child can still make
the read-syscall and wait forever for systrace-answers) by replacing
the read/write synchronisation with SIGSTOP/SIGCONT;
report and help hshoexer@; ok djm@, dtucker@
|
|
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one;
ok dtucker@
|
|
the required functions in libcrypto.
|
|
[regress/try-ciphers.sh regress/cipher-speed.sh]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus
|
|
[regress/connect-privsep.sh]
test sandbox with every malloc option
|
|
[regress/sftp-cmds.sh]
don't delete .* on cleanup due to unintended env expansion; pointed out in
bz#2014 by openssh AT roumenpetrov.info
|
|
[multiplex.sh forwarding.sh]
append to rather than truncate test log; bz#2013 from openssh AT
roumenpetrov.
|
|
[regress/addrmatch.sh]
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
|
|
[ssh_config.5 sshd_config.5]
match the documented MAC order of preference to the actual one; ok dtucker@
(actual patch accidentally committed with previous)
|
|
[mac.c myproposal.h ssh_config.5 sshd_config.5]
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published. Patch
from mdb at juniper net via bz#2023, ok markus.
|
|
[sandbox-systrace.c]
Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
sandbox" since malloc now uses it. From johnw.mail at gmail com.
|
|
[sftp.c]
Remove unused variable leftover from tab-completion changes.
From Steve.McClellan at radisys com, ok markus@
|
|
[monitor.c sshconnect2.c]
remove dead code following 'for (;;)' loops.
From Steve.McClellan at radisys com, ok markus@
|
|
[addrmatch.c]
fix strlcpy truncation check. from carsten at debian org, ok markus
|
|
pointer deref in the client when built with LDNS and using DNSSEC with a
CNAME. Patch from gregdlg+mr at hochet info.
|
|
"fix" version at build time (closes: #678661).
|
|
can logon as a service. Patch from vinschen at redhat com.
|
|
[clientloop.c serverloop.c]
initialise accept() backoff timer to avoid EINVAL from select(2) in
rekeying
|
|
[sshd_config.5]
tweak previous; ok markus
|