Age | Commit message (Collapse) | Author |
|
add IdentityAgent; noticed & ok jmc@
Upstream-ID: 4ba9034b00a4cf1beae627f0728da897802df88a
|
|
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@
Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
|
|
move SSH_MSG_NONE, so we don't have to include ssh1.h;
ok deraadt@
Upstream-ID: c2f97502efc761a41b18c17ddf460e138ca7994e
|
|
avoids failures with UsePrivilegedPort=yes
patch from Juan Gallego
|
|
missing const in prototypes (ssh1)
Upstream-ID: 789c6ad4928b5fa557369b88c3a6a34926082c05
|
|
Fix inverted logic for updating StreamLocalBindMask which
would cause the server to set an invalid mask. ok djm@
Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
|
|
IdentityAgent for specifying specific agent sockets; ok
djm@
Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
|
|
fix junk characters after quotes
Upstream-ID: cc4d0cd32cb6b55a2ef98975d2f7ae857d0dc578
|
|
correct article;
Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
|
|
fix overriding of StreamLocalBindMask and
StreamLocalBindUnlink in Match blocks; found the hard way Rogan Dawes
Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
|
|
don't forget to include StreamLocalBindUnlink in the
config dump output
Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
|
|
make nethack^wrandomart fingerprint flag more readily
searchable pointed out by Matt Johnston
Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
|
|
clarify ordering of subkeys; pointed out by ietf-ssh AT
stbuehler.de
Upstream-ID: 05ebe9f949449a555ebce8e0aad7c8c9acaf8463
|
|
Use a subshell for constructing key types to work around
different sed behaviours for -portable.
Upstream-Regress-ID: 0f6eb673162df229eda9a134a0f10da16151552d
|
|
correct some typos and remove a long-stale XXX note.
add specification for ed25519 certificates
mention no host certificate options/extensions are currently defined
pointed out by Simon Tatham
Upstream-ID: 7b535ab7dba3340b7d8210ede6791fdaefdf839a
|
|
add ed25519 keys that are supported but missing from this
documents; from Peter Moody
Upstream-ID: 8caac2d8e8cfd2fca6dc304877346e0a064b014b
|
|
Implement IUTF8 as per draft-sgtatham-secsh-iutf8-00. Patch
from Simon Tatham, ok markus@
Upstream-ID: 58268ebdf37d9d467f78216c681705a5e10c58e8
|
|
unbreak config parsing on reexec from previous commit
Upstream-ID: bc69932638a291770955bd05ca55a32660a613ab
|
|
unit and regress tests for SHA256/512; ok markus
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
|
|
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker
ok markus@
Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
|
|
support SHA256 and SHA512 RSA signatures in certificates;
ok markus@
Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
|
|
fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
better safety checking; feedback and ok markus@
Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
|
|
close ControlPersist background process stderr when not
in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
|
|
fix comment
Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15
|
|
cidr permitted for {allow,deny}users; from lars nooden ok djm
Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
|
|
make argument == NULL tests more consistent
Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d
|
|
tweak previous;
Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
|
|
missing bit of Include regress
Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f
|
|
remove redundant CLEANFILES section
Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587
|
|
sync CLEANFILES with portable, sort
Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed
|
|
regression test for ssh_config Include directive
Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e
|
|
unbreak test for recent ssh de-duplicated forwarding
change
Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3
|
|
add test knob and warning for StrictModes
Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682
|
|
Include directive for ssh_config(5); feedback & ok markus@
Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
|
|
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
|
|
make private key loading functions consistently handle NULL
key pointer arguments; ok markus@
Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761
|
|
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD. ok djm, sanity checked
by Corinna.
|
|
whitespace at EOL
Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6
|
|
We accidentally send an empty string and a zero uint32 with
every direct-streamlocal@openssh.com channel open, in contravention of our
own spec.
Fixing this is too hard wrt existing versions that expect these
fields to be present and fatal() if they aren't, so document them
as "reserved" fields in the PROTOCOL spec as though we always
intended this and let us never speak of it again.
bz#2529, reported by Ron Frederick
Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7
|
|
don't record duplicate LocalForward and RemoteForward
entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation
where the same forwards are added on the second pass through the
configuration file. bz#2562; ok dtucker@
Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
|
|
Another use for fcntl() and thus of the superfluous 3rd
parameter is when sanitising standard fd's before calling daemon().
Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.
ok jca@ beck@
Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
|
|
|
|
|
|
whitespace at EOL
Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
|
|
Remove fallback from moduli to "primes" file that was
deprecated in 2001 and fix log messages referring to primes file. Based on
patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@
Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
|
|
UseDNS affects ssh hostname processing in authorized_keys,
not known_hosts; bz#2554 reported by jjelen AT redhat.com
Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
|
|
When Solaris Projects are enabled along with PAM setting the project
is PAM's responsiblity. bz#2425, based on patch from
brent.paulson at gmail.com.
|
|
|
|
unbreak authentication using lone certificate keys in
ssh-agent: when attempting pubkey auth with a certificate, if no separate
private key is found among the keys then try with the certificate key itself.
bz#2550 reported by Peter Moody
Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
|
|
sanitise characters destined for xauth reported by
github.com/tintinweb feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
|