summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-05-10upstream commitdjm@openbsd.org
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET. Improves error messages on TCP connection resets. bz#2257 ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
a couple of parse targets were missing activep checks, causing them to be misapplied in match context; bz#2272 diagnosis and original patch from Sami Hartikainen ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
remove failed remote forwards established by muliplexing from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
reduce stderr spam when using ssh -S /path/mux -O forward -R 0:... ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
2015-05-10upstream commitdjm@openbsd.org
Don't make parsing of authorized_keys' environment= option conditional on PermitUserEnv - always parse it, but only use the result if the option is enabled. This prevents the syntax of authorized_keys changing depending on which sshd_config options were enabled. bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-05-10upstream commitdtucker@openbsd.org
Add a simple regression test for sshd's configuration parser. Right now, all it does is run the output of sshd -T back through itself and ensure the output is valid and invariant.
2015-05-10upstream commitdjm@openbsd.org
use correct key for nested certificate test
2015-05-10upstream commitdjm@openbsd.org
mention that the user's shell from /etc/passwd is used for commands too; bz#1459 ok dtucker@
2015-05-08upstream commitdjm@openbsd.org
whitespace Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519
2015-05-08upstream commitdjm@openbsd.org
whitespace at EOL Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554
2015-05-08upstream commitdjm@openbsd.org
moar whitespace at eol Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
2015-05-08upstream commitdjm@openbsd.org
whitespace at EOL Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c
2015-05-08upstream commitdjm@openbsd.org
whitespace at EOL
2015-05-08upstream commitdtucker@openbsd.org
Use diff w/out -u for better portability
2015-05-08upstream commitdtucker@openbsd.org
Use xcalloc for permitted_adm_opens instead of xmalloc to ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok djm@
2015-05-08upstream commitdjm@openbsd.org
don't choke on new-format private keys encrypted with an AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@
2015-05-08upstream commitdtucker@openbsd.org
Clarify pseudo-terminal request behaviour and use "pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@.
2015-05-08upstream commitdtucker@openbsd.org
Blacklist DH-GEX for specific PuTTY versions known to send non-RFC4419 DH-GEX messages rather than all versions of PuTTY. According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX messages. ok djm@
2015-05-08upstream commitdtucker@openbsd.org
WinSCP doesn't implement RFC4419 DH-GEX so flag it so we don't offer that KEX method. ok markus@
2015-05-08upstream commitjsg@openbsd.org
use the sizeof the struct not the sizeof a pointer to the struct in ssh_digest_start() This file is only used if ssh is built with OPENSSL=no ok markus@
2015-05-08Put brackets around mblen() compat constant.Darren Tucker
This might help with the reported problem cross compiling for Android ("error: expected identifier or '(' before numeric constant") but shouldn't hurt in any case.
2015-04-30xrealloc -> xreallocarray in portable code too.Darren Tucker
2015-04-29upstream commitdtucker@openbsd.org
Allow ListenAddress, Port and AddressFamily in any order. bz#68, ok djm@, jmc@ (for the man page bit).
2015-04-29upstream commitjmc@openbsd.org
enviroment -> environment: apologies to darren for not spotting that first time round...
2015-04-29upstream commitdtucker@openbsd.org
Fix typo in previous
2015-04-29upstream commitdtucker@openbsd.org
Document that the TERM environment variable is not subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from jjelen at redhat, help and ok jmc@
2015-04-29upstream commitdjm@openbsd.org
Make sshd default to PermitRootLogin=no; ok deraadt@ rpe@
2015-04-29upstream commitdjm@openbsd.org
fix compilation with OPENSSL=no; ok dtucker@
2015-04-29upstream commitdtucker@openbsd.org
Include stdio.h for FILE (used in sshkey.h) so it compiles with OPENSSL=no.
2015-04-29upstream commitdjm@openbsd.org
allow "sshd -f none" to skip reading the config file, much like "ssh -F none" does. ok dtucker
2015-04-29upstream commitjmc@openbsd.org
combine -Dd onto one line and update usage();
2015-04-29upstream commitdjm@openbsd.org
add ssh-agent -D to leave ssh-agent in foreground without enabling debug mode; bz#2381 ok dtucker@
2015-04-29upstream commitderaadt@openbsd.org
2*len -> use xreallocarray() ok djm
2015-04-29upstream commitderaadt@openbsd.org
rename xrealloc() to xreallocarray() since it follows that form. ok djm
2015-04-29upstream commitdtucker@openbsd.org
Two small fixes for sshd -T: ListenAddress'es are added to a list head so reverse the order when printing them to ensure the behaviour remains the same, and print StreamLocalBindMask as octal with leading zero. ok deraadt@
2015-04-29upstream commitdtucker@openbsd.org
Check for and reject missing arguments for VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com, ok djm@
2015-04-29upstream commitdjm@openbsd.org
unknown certificate extensions are non-fatal, so don't fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok dtucker@
2015-04-29upstream commitjsg@openbsd.org
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again. ok deraadt@
2015-04-29upstream commitdjm@openbsd.org
s/recommended/required/ that private keys be og-r this wording change was made a while ago but got accidentally reverted
2015-04-29upstream commitdjm@openbsd.org
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
2015-04-29upstream commitdjm@openbsd.org
use error/logit/fatal instead of fprintf(stderr, ...) and exit(0), fix a few errors that were being printed to stdout instead of stderr and a few non-errors that were going to stderr instead of stdout bz#2325; ok dtucker
2015-04-29upstream commitdjm@openbsd.org
debug log missing DISPLAY environment when X11 forwarding requested; bz#1682 ok dtucker@
2015-04-29upstream commitdjm@openbsd.org
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
2015-04-29upstream commitdtucker@openbsd.org
Add some missing options to sshd -T and fix the output of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.
2015-04-29upstream commitdtucker@openbsd.org
Document "none" for PidFile XAuthLocation TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@
2015-04-29upstream commitdtucker@openbsd.org
Plug leak of address passed to logging. bz#2373, patch from jjelen at redhat, ok markus@
2015-04-29upstream commitdtucker@openbsd.org
Output remote username in debug output since with Host and Match it's not always obvious what it will be. bz#2368, ok djm@