Age | Commit message | Author |
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2015-08-19
Patch-Name: gssapi.patch
|
|
unbreak for w/SSH1 (default) case; ok markus@ deraadt@
|
|
fix sshkey_certify() return value for unsupported key types;
ok markus@ deraadt@
|
|
make these work with !SSH1; ok markus@ deraadt@
|
|
make ssh-add -D work with !SSH1 agent
|
|
make it possible to run tests w/o ssh1 support; ok djm@
|
|
crank; ok markus, deraadt
|
|
add SSH1 Makefile knob to make it easier to build without
SSH1 support; ok markus@
|
|
expand __unused to full __attribute__ for better portability
|
|
This reverts commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908.
Some system headers have objects named __unused
|
|
fixes builds on systems that use DES_crypt; based on patch
from Roumen Petrov
|
|
fixes builds on BSD/OS
|
|
reorder logic for better portability; patch from Roumen
Petrov
|
|
Allow "ssh -Q protocol-version" to list supported SSH
protocol versions. Useful for detecting builds without SSH v.1 support; idea
and ok markus@
|
|
Make sure we only call getnameinfo() for AF_INET or AF_INET6
sockets. getpeername() of a Unix domain socket may return without error on
some systems without actually setting ss_family so getnameinfo() was getting
called with ss_family set to AF_UNSPEC. OK djm@
|
|
Mostly avoiding "err(1, NULL)"
|
|
from Tom G. Christensen
|
|
don't printf NULL key comments; reported by Tom Christensen
|
|
zero cmsgbuf before use; we initialise the bits we use
but valgrind still spams warning on it
|
|
fix small memory leak when UpdateHostkeys=no
|
|
This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b.
No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3
|
|
don't leak validity of user in "too many authentication
failures" disconnect message; reported by Sebastian Reitenbach
|
|
add -v (show ASCII art) to -l's synopsis; ok djm@
|
|
Remove ssh_get_progname's dependency on xmalloc, which should reduce
link order problems. ok djm@
|
|
ifdef out some more ECDSA and ECDH tests when built against an OpenSSL
that does not have elliptic curve functionality.
|
|
_NSIG is only used in one file, so move it there to prevent redefinition
warnings reported by Kevin Brott.
|
|
Fix name space clash on Solaris 10. Still more to do for Solaris 10
to deal with msghdr structure differences. ok djm@
|
|
a88dd1da119052870bb2654c1a32c51971eade16
(some systems have sig_atomic_t in signal.h, some in sys/signal.h)
Sounds good to me djm@
|
|
Our getaddrinfo implementation always returns numeric values already.
|