summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-01-08 - djm@cvs.openbsd.org 2009/12/20 23:20:40Darren Tucker
[PROTOCOL] fix an incorrect magic number and typo in PROTOCOL; bz#1688 report and fix from ueno AT unixuser.org
2010-01-08 - guenther@cvs.openbsd.org 2009/12/20 07:28:36Darren Tucker
[ssh.c sftp.c scp.c] When passing user-controlled options with arguments to other programs, pass the option and option argument as separate argv entries and not smashed into one (e.g., as -l foo and not -lfoo). Also, always pass a "--" argument to stop option parsing, so that a positional argument that starts with a '-' isn't treated as an option. This fixes some error cases as well as the handling of hostnames and filenames that start with a '-'. Based on a diff by halex@ ok halex@ djm@ deraadt@
2010-01-08 - markus@cvs.openbsd.org 2009/12/11 18:16:33Darren Tucker
[key.c] switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537 for the RSA public exponent; discussed with provos; ok djm@
2010-01-08 - dtucker@cvs.openbsd.org 2009/12/06 23:53:54Darren Tucker
[sftp.c] fix potential divide-by-zero in sftp's "df" output when talking to a server that reports zero files on the filesystem (Unix filesystems always have at least the root inode). From Steve McClellan at radisys, ok djm@
2010-01-08 - djm@cvs.openbsd.org 2009/12/06 23:53:45Darren Tucker
[roaming_common.c] use socklen_t for getsockopt optlen parameter; reported by Steve.McClellan AT radisys.com, ok dtucker@
2010-01-08 - dtucker@cvs.openbsd.org 2009/12/06 23:41:15Darren Tucker
[sshconnect2.c] zap unused variable and strlen; from Steve McClellan, ok djm
2010-01-08 - halex@cvs.openbsd.org 2009/11/22 13:18:00Darren Tucker
[sftp.c] make passing of zero-length arguments to ssh safe by passing "-<switch>" "<value>" rather than "-<switch><value>" ok dtucker@, guenther@, djm@
2010-01-08 - djm@cvs.openbsd.org 2009/11/20 03:24:07Darren Tucker
[misc.c] correct off-by-one in percent_expand(): we would fatal() when trying to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work. Note that nothing in OpenSSH actually uses close to this limit at present. bz#1607 from Jan.Pechanec AT Sun.COM
2010-01-08 - dtucker@cvs.openbsd.org 2009/11/20 00:59:36Darren Tucker
[sshconnect2.c] Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
2010-01-08 - djm@cvs.openbsd.org 2009/11/20 00:54:01Darren Tucker
[sftp.c] bz#1588 change "Connecting to host..." message to "Connected to host." and delay it until after the sftp protocol connection has been established. Avoids confusing sequence of messages when the underlying ssh connection experiences problems. ok dtucker@
2010-01-08 - dtucker@cvs.openbsd.org 2009/11/20 00:15:41Darren Tucker
[session.c] Warn but do not fail if stat()ing the subsystem binary fails. This helps with chrootdirectory+forcecommand=sftp-server and restricted shells. bz #1599, ok djm.
2010-01-08 - djm@cvs.openbsd.org 2009/11/19 23:39:50Darren Tucker
[session.c] bz#1606: error when an attempt is made to connect to a server with ForceCommand=internal-sftp with a shell session (i.e. not a subsystem session). Avoids stuck client when attempting to ssh to such a service. ok dtucker@
2010-01-08 - djm@cvs.openbsd.org 2009/11/17 05:31:44Darren Tucker
[clientloop.c] fix incorrect exit status when multiplexing and channel ID 0 is recycled bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
2010-01-08 - markus@cvs.openbsd.org 2009/11/11 21:37:03Darren Tucker
[channels.c channels.h] fix race condition in x11/agent channel allocation: don't read after the end of the select read/write fdset and make sure a reused FD is not touched before the pre-handlers are called. with and ok djm@
2010-01-08 - dtucker@cvs.openbsd.org 2009/11/10 04:30:45Darren Tucker
[sshconnect2.c channels.c sshconnect.c] Set close-on-exec on various descriptors so they don't get leaked to child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
2010-01-08 - djm@cvs.openbsd.org 2009/11/10 02:58:56Darren Tucker
[sshd_config.5] clarify that StrictModes does not apply to ChrootDirectory. Permissions and ownership are always checked when chrooting. bz#1532
2010-01-08 - djm@cvs.openbsd.org 2009/11/10 02:56:22Darren Tucker
[ssh_config.5] explain the constraints on LocalCommand some more so people don't try to abuse it.
2010-01-08 - jmc@cvs.openbsd.org 2009/10/28 21:45:08Darren Tucker
[sshd_config.5 sftp.1] tweak previous;
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
2010-01-08 - andreas@cvs.openbsd.org 2009/10/24 11:23:42Darren Tucker
[ssh.c] Request roaming to be enabled if UseRoaming is true and the server supports it. ok markus@
2010-01-08 - andreas@cvs.openbsd.org 2009/10/24 11:22:37Darren Tucker
[roaming_common.c] Do the actual suspend/resume in the client. This won't be useful until the server side supports roaming. Most code from Martin Forssen, maf at appgate dot com. Some changes by me and markus@ ok markus@
2010-01-08 - andreas@cvs.openbsd.org 2009/10/24 11:19:17Darren Tucker
[ssh2.h] Define the KEX messages used when resuming a suspended connection. ok markus@
2010-01-08 - andreas@cvs.openbsd.org 2009/10/24 11:15:29Darren Tucker
[clientloop.c] client_loop() must detect if the session has been suspended and resumed, and take appropriate action in that case. From Martin Forssen, maf at appgate dot com ok markus@
2010-01-08 - andreas@cvs.openbsd.org 2009/10/24 11:13:54Darren Tucker
[sshconnect2.c kex.h kex.c] Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
2010-01-08 - andreas@cvs.openbsd.org 2009/10/24 11:11:58Darren Tucker
[roaming.h] Declarations needed for upcoming changes. ok markus@
2009-12-26 - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1Tim Rice
Gzip all man pages. Patch from Corinna Vinschen.
2009-12-21 - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]Darren Tucker
Bug #1583: Use system's kerberos principal name on AIX if it's available. Based on a patch from and tested by Miguel Sanders.
2009-12-08 - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,Darren Tucker
based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
2009-12-07 - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.Darren Tucker
2009-12-07 - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.Darren Tucker
Tested by Martin Paljak.
2009-11-20 - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.Tim Rice
Bug 1628. OK dtucker@
2009-11-20 - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-Damien Miller
line arguments as none are supported. Exit when passed unrecognised commandline flags. bz#1568 from gson AT araneus.fi
2009-11-18 - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.Damien Miller
bz#1645, patch from jchadima AT redhat.com
2009-11-18 - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() toDamien Miller
set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only() report and fix from jan.kratochvil AT redhat.com
2009-11-07 - (dtucker) [authfile.c] Fall back to 3DES for the encryption of privateDarren Tucker
keys when built with OpenSSL versions that don't do AES.
2009-11-05 - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds withDarren Tucker
older versions of OpenSSL.
2009-10-24 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinuxDarren Tucker
is enabled set the security context to "sftpd_t" before running the internal sftp server Based on a patch from jchadima at redhat.
2009-10-24 - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.Darren Tucker
2009-10-24 - dtucker@cvs.openbsd.org 2009/10/24 00:48:34Darren Tucker
[ssh-keygen.1] ssh-keygen now uses AES-128 for private keys
2009-10-24 - djm@cvs.openbsd.org 2009/10/23 01:57:11Darren Tucker
[sshconnect2.c] disallow a hostile server from checking jpake auth by sending an out-of-sequence success message. (doesn't affect code enabled by default)
2009-10-24 - djm@cvs.openbsd.org 2009/10/22 22:26:13Darren Tucker
[authfile.c] switch from 3DES to AES-128 for encryption of passphrase-protected SSH protocol 2 private keys; ok several
2009-10-24 - sobrado@cvs.openbsd.org 2009/10/22 15:02:12Darren Tucker
[ssh-agent.1 ssh-add.1 ssh.1] write UNIX-domain in a more consistent way; while here, replace a few remaining ".Tn UNIX" macros with ".Ux" ones. pointed out by ratchov@, thanks! ok jmc@
2009-10-24 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53Darren Tucker
[ssh.1 ssh-agent.1 ssh-add.1] use the UNIX-related macros (.At and .Ux) where appropriate. ok jmc@
2009-10-24 - sobrado@cvs.openbsd.org 2009/10/17 12:10:39Darren Tucker
[sftp-server.c] sort flags.
2009-10-24 - (dtucker) OpenBSD CVS SyncDarren Tucker
- djm@cvs.openbsd.org 2009/10/11 23:03:15 [hostfile.c] mention the host name that we are looking for in check_host_in_hostfile()
2009-10-12 - markus@cvs.openbsd.org 2009/10/08 18:04:27Darren Tucker
[regress/test-exec.sh] re-enable protocol v1 for the tests.
2009-10-11 - dtucker@cvs.openbsd.org 2009/10/11 10:41:26Darren Tucker
[sftp-client.c] d_type isn't portable so use lstat to get dirent modes. Suggested by and "looks sane" deraadt@
2009-10-11 - jmc@cvs.openbsd.org 2009/10/08 20:42:12Darren Tucker
[sshd_config.5 ssh_config.5 sshd.8 ssh.1] some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
2009-10-11 - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required forDarren Tucker
dirent d_type and DTTOIF as we've switched OpenBSD to the more portable lstat.