Age | Commit message (Collapse) | Author |
|
because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73
|
|
download and fsync). These should return -1 on error, not a sftp status code.
patch from Petr Cerny in bz#2871
OpenBSD-Commit-ID: 651aa0220ad23c9167d9297a436162d741f97a09
|
|
the error path instead of trying to read from the socket on the way out,
which resets errno and causes the true error to be misreported. ok djm@
OpenBSD-Commit-ID: 2614edaadbd05a957aa977728aa7a030af7c6f0a
|
|
Requested for Linux/s390; patch from Eduardo Barretto via bz#2752;
ok dtucker
|
|
functionality; bz#2869 ok dtucker@
OpenBSD-Commit-ID: 1c06ee08eb78451b5837fcfd8cbebc5ff3a67a01
|
|
macdonell
OpenBSD-Commit-ID: ef1bdbc936b2ea693ee37a4c20a94d4d43f5fda3
|
|
and that users should specify an explicit Tunnel directive if they don't want
this. bz#2365.
OpenBSD-Commit-ID: 1a8d9c67ae213ead180481900dbbb3e04864560d
|
|
revision 1.17
date: 2018/05/14 04:39:04; author: djm; state: Exp; lines: +5 -2;
commitid: 53zY8GjViUBnWo8Z;
constrain fractional part to [0-9] (less confusing to static analysis); ok ian@
|
|
Skip the pty tests if the platform lacks openpty(3) and has to chown(2)
the pty device explicitly. This typically requires root permissions that
this test lacks.
bz#2856 ok dtucker@
|
|
fd rlimit and stop accepting new connections when it is exceeded (with some
grace). Accept is resumed when enough connections are closed.
bz#2576. feedback deraadt; ok dtucker@
OpenBSD-Commit-ID: 6a85d9cec7b85741961e7116a49f8dae777911ea
|
|
warnings on platforms where int64 is long not long long. ok djm@
OpenBSD-Commit-ID: 9c5359e2fbfce11dea2d93f7bc257e84419bd001
|
|
failing. The sftp program terminated with the wrong exit code as sftp called
fatal() instad of exit(0). So when the sigchld handler waits for the child,
remember that it was found. Then don't expect that main() can wait again. OK
dtucker@
OpenBSD-Commit-ID: bfafd940c0de5297940c71ddf362053db0232266
|
|
This ensures it picks up the definition of DEF_WEAK, the lack of which
can cause compile errors in some cases (eg modern AIX). From
michael at felt.demon.nl.
|
|
Patch from hongxu.jia at windriver.com, ok djm@
|
|
without version numbers since they choke on them under some circumstances.
https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
Newer Conch versions have a version number in their ident string and
handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
|
|
LocalCommand
OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
|
|
patch from Thomas Kuthan in bz2719; ok dtucker@
OpenBSD-Commit-ID: 78fac88c2f08054d1fc5162c43c24162b131cf78
|
|
The new timing attack mitigation code uses nanosleep in the preauth
codepath, allow in systrace andbox too.
|
|
The new timing attack mitigation code uses nanosleep in the preauth
codepath, allow in sandbox.
|
|
establishes a minimum time for each failed authentication attempt (5ms) and
adds a per-user constant derived from a host secret (0-4ms). Based on work
by joona.kannisto at tut.fi, ok markus@ djm@.
OpenBSD-Commit-ID: b7845b355bb7381703339c8fb0e57e81a20ae5ca
|
|
Patch from rsbecker at nexbridge.com.
|
|
bz2855, ok dtucker@
|
|
Only applies when built --without-openssl. Thanks Jann Horn for
reminder.
|
|
Revert 3fd2d229 and subsequent changes as they turned out to be a
portability hassle.
|
|
Spotted using https://github.com/lucasdemarchi/codespell
|
|
OpenBSD-Regress-ID: d906a2aea0663810a658b7d0bc61a1d2907d4d69
|
|
OpenBSD-Regress-ID: 62f7b9e055e8dfaab92b3825f158beeb4ca3f963
|
|
after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)
OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
|
|
fail to accept a connection; bz#2837, patch from Lukas Kuster
OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
|
|
ok dtucker
OpenBSD-Commit-ID: 7080be73a64d68e21f22f5408a67a0ba8b1b6b06
|
|
OpenBSD-Commit-ID: 2b9c23022ea7b9dddb62864de4e906000f9d7474
|
|
OpenBSD-Commit-ID: 38e347b6f8e888f5e0700d01abb1eba7caa154f9
|
|
previously labeled for sendind. bz#1285 ok dtucker@
OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
|
|
options to allow underscores in variable names (regression introduced in
7.7). bz2851, ok deraadt@
OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
|
|
from Jakub Jelen via bz2835
OpenBSD-Commit-ID: 5970adadf6ef206bee0dddfc75d24c2019861446
|
|
Include keyword is for configuration files only. bz#2840, patch from Jakub
Jelen
OpenBSD-Commit-ID: 32d052b4a7a7f22df35fe3f71c368c02b02cacb0
|
|
Renaud Allard (via otto@)
OpenBSD-Commit-ID: a559b1eef741557dd959ae378b665a2977d92dca
|
|
interactive and CS1 for bulk
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
|
OpenBSD-Commit-ID: 1de0e85522051eb2ffa00437e1885e9d7b3e0c2e
|
|
bz#2849.
OpenBSD-Regress-ID: 6985cd32f38596882a3ac172ff8c510693b65283
|
|
bz#2408, patch from Radoslaw Ejsmont; ok dtucker@
|
|
|
|
Closes: #894730
|
|
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
|
|
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-getuid-geteuid.patch
|
|
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2017-08-28
Patch-Name: seccomp-s390-flock-ipc.patch
|
|
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: debian-config.patch
|
|
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22
Patch-Name: systemd-readiness.patch
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|