summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-05-19 - markus@cvs.openbsd.org 2008/05/09 16:17:51Damien Miller
[channels.c] error-fd race: don't enable the error fd in the select bitmask for channels with both in- and output closed, since the channel will go away before we call select(); report, lots of debugging help and ok djm@
2008-05-19 - markus@cvs.openbsd.org 2008/05/09 16:16:06Damien Miller
[session.c] re-add the USE_PIPES code and enable it. without pipes shutdown-read from the sshd does not trigger a SIGPIPE when the forked program does a write. ok djm@ (Id sync only, USE_PIPES never left portable OpenSSH)
2008-05-19 - djm@cvs.openbsd.org 2008/05/09 14:26:08Damien Miller
[ssh.c] dingo stole my diff hunk
2008-05-19 - djm@cvs.openbsd.org 2008/05/09 14:18:44Damien Miller
[clientloop.c clientloop.h ssh.c mux.c] tidy up session multiplexing code, moving it into its own file and making the function names more consistent - making ssh.c and clientloop.c a fair bit more readable. ok markus@
2008-05-19 - djm@cvs.openbsd.org 2008/05/09 04:55:56Damien Miller
[channels.c channels.h clientloop.c serverloop.c] Try additional addresses when connecting to a port forward destination whose DNS name resolves to more than one address. The previous behaviour was to try the first address and give up. Reported by stig AT venaas.com in bz#343 great feedback and ok markus@
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 13:06:11Damien Miller
[clientloop.c clientloop.h ssh.c] Use new channel status confirmation callback system to properly deal with "important" channel requests that fail, in particular command exec, shell and subsystem requests. Previously we would optimistically assume that the requests would always succeed, which could cause hangs if they did not (e.g. when the server runs out of fds) or were unimplemented by the server (bz #1384) Also, properly report failing multiplex channel requests via the mux client stderr (subject to LogLevel in the mux master) - better than silently failing. most bits ok markus@ (as part of a larger diff)
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:21:16Damien Miller
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
2008-05-19 - (djm) [openbsd-compat/port-tun.c] needs sys/queue.hDamien Miller
2008-05-19- (djm) [openbsd-compat/bsd-arc4random.c] Warning fixesDamien Miller
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:02:23Damien Miller
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] [ssh.c sshd.c] Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within an channel). Also includes a abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory. ok markus@ (as part of a larger diff)
2008-05-19 - markus@cvs.openbsd.org 2008/05/08 06:59:01Damien Miller
[bufaux.c buffer.h channels.c packet.c packet.h] avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
2008-05-19 - jmc@cvs.openbsd.org 2008/05/07 08:00:14Damien Miller
[sshd_config.5] sort;
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 06:43:35Damien Miller
[sshd_config] push the sshd_config bits in, spotted by ajacoutot@
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 05:49:37Damien Miller
[servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
2008-05-19 - djm@cvs.openbsd.org 2008/04/30 10:14:03Damien Miller
[ssh-keyscan.1 ssh-keyscan.c] default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by larsnooden AT openoffice.org
2008-05-19 - otto@cvs.openbsd.org 2008/04/29 11:20:31Damien Miller
[monitor_mm.h] garbage collect two unused fields in struct mm_master; ok markus@
2008-05-19 - djm@cvs.openbsd.org 2008/04/18 22:01:33Damien Miller
[session.c] remove unneccessary parentheses
2008-05-19 - jmc@cvs.openbsd.org 2008/04/18 17:15:47Damien Miller
[sftp.1] macro fixage;
2008-05-19 - djm@cvs.openbsd.org 2008/04/18 12:32:11Damien Miller
[sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h] introduce sftp extension methods statvfs@openssh.com and fstatvfs@openssh.com that implement statvfs(2)-like operations, based on a patch from miklos AT szeredi.hu (bz#1399) also add a "df" command to the sftp client that uses the statvfs@openssh.com to produce a df(1)-like display of filesystem space and inode utilisation ok markus@
2008-05-19 - (djm) OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2008/04/13 00:22:17 [dh.c sshd.c] Use arc4random_buf() when requesting more than a single word of output Use arc4random_uniform() when the desired random number upper bound is not a power of two ok deraadt@ millert@
2008-05-19 - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c]Damien Miller
[configure.ac] Implement arc4random_buf(), import implementation of arc4random_uniform() from OpenBSD
2008-05-19 - djm@cvs.openbsd.org 2008/04/05 02:46:02Damien Miller
[sshd_config.5] HostbasedAuthentication is supported under Match too
2008-05-19 - djm@cvs.openbsd.org 2008/04/04 06:44:26Damien Miller
[sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@
2008-05-19 - (djm) OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2008/04/04 05:14:38 [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk
2008-05-16 - (djm) Force string arguments to replacement setproctitle() thoughDamien Miller
strnvis first. Ok dtucker@
2008-04-04 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-Damien Miller
time warnings on LynxOS. Patch from ops AT iki.fi
2008-04-03 - (djm) Release 5.0p1Damien Miller
2008-04-03 - (djm) [README] Update link to release notesDamien Miller
2008-04-03 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers in RPM spec files
2008-04-03 - djm@cvs.openbsd.org 2008/04/03 09:50:14Damien Miller
[version.h] openssh-5.0
2008-04-03 - jmc@cvs.openbsd.org 2008/03/27 22:37:57Damien Miller
[sshd.8] remove trailing whitespace;
2008-04-03 - markus@cvs.openbsd.org 2008/04/02 15:36:51Damien Miller
[channels.c] avoid possible hijacking of x11-forwarded connections (back out 1.183) CVE-2008-1483; ok djm@
2008-03-27 - (djm) Release 4.9p1Damien Miller
2008-03-27 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers in RPM spec files
2008-03-27 - (djm) [README] Update link to release notesDamien Miller
2008-03-27 - (djm) [regress/Makefile] cleanup PuTTY interop test droppingsDamien Miller
2008-03-27 - (djm) [configure.ac] --with-selinux tooDamien Miller
2008-03-27 - (djm) [configure.ac] fix alignment of --without-stackprotect descriptionDamien Miller
2008-03-27 - djm@cvs.openbsd.org 2008/03/24 21:46:54Damien Miller
[regress/sftp-badcmds.sh] disable no-replace rename test now that we prefer a POSIX rename; spotted by dkrause@
2008-03-27 - djm@cvs.openbsd.org 2008/03/27 00:16:49Damien Miller
[version.h] openssh-4.9
2008-03-27 - djm@cvs.openbsd.org 2008/03/26 21:28:14Damien Miller
[auth-options.c auth-options.h session.c sshd.8] add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
2008-03-27 - djm@cvs.openbsd.org 2008/03/25 23:01:41Damien Miller
[session.c] last patch had backwards test; spotted by termim AT gmail.com
2008-03-27 - djm@cvs.openbsd.org 2008/03/25 11:58:02Damien Miller
[session.c sshd_config.5] ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; from dtucker@ ok deraadt@ djm@
2008-03-27 - deraadt@cvs.openbsd.org 2008/03/24 16:11:07Damien Miller
[monitor_fdpass.c] msg_controllen has to be CMSG_SPACE so that the kernel can account for each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This works now that kernel fd passing has been fixed to accept a bit of sloppiness because of this ABI repair. lots of discussion with kettenis
2008-03-27 - djm@cvs.openbsd.org 2008/03/23 12:54:01Damien Miller
[sftp-client.c] prefer POSIX-style file renaming over filexfer rename behaviour if the server supports the posix-rename@openssh.com extension. Note that the old (filexfer) behaviour would refuse to clobber an existing file. Users who depended on this should adjust their sftp(1) usage. ok deraadt@ markus@
2008-03-27 - deraadt@cvs.openbsd.org 2008/03/15 16:19:02Damien Miller
[monitor_fdpass.c] Repair the simple cases for msg_controllen where it should just be CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because of alignment; ok kettenis hshoexer
2008-03-27 - deraadt@cvs.openbsd.org 2008/03/13 01:49:53Damien Miller
[monitor_fdpass.c] Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to an extensive discussion with otto, kettenis, millert, and hshoexer
2008-03-27 - jmc@cvs.openbsd.org 2008/02/11 07:58:28Damien Miller
[ssh.1 sshd.8 sshd_config.5] bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c;
2008-03-27 - (djm) Fix RCS ident in sftp-server-main.cDamien Miller
2008-03-27 - (dtucker) Cache selinux status earlier so we know if it's enabled after aDarren Tucker
chroot. Allows ChrootDirectory to work with selinux support compiled in but not enabled. Using it with selinux enabled will require some selinux support inside the chroot. "looks sane" djm@