Age | Commit message | Author |
|
Bug #974: Teach sshd to write failed login records to btmp for failed auth
attempts (currently only for password, kbdint and C/R, only on Linux and
HP-UX), based on code from login.c from util-linux. With ashok_kovai at
hotmail.com, ok djm@
|
|
the process. Since we also unset KRB5CCNAME at startup, if it's set after
authentication it must have been set by the platform's native auth system.
This was already done for AIX; this enables it for the general case.
|
|
Make record_failed_login() call provide hostname rather than having the
implementations do lookups themselves. Only affects AIX and
UNICOS (the latter only uses the "user" parameter anyway). ok djm@
|
|
rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@
|
|
keyboard-interactive since this is no longer the case.
|
|
platforms syslog will revert to its default values. This may result in
messages from external libraries (eg libwrap) being sent to a different
facility.
|
|
[auth-passwd.c]
#if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
|
|
[moduli]
Import new moduli; requested by deraadt@ a week ago
|
|
[scp.c sftp.c]
Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@
|
|
[cipher.c]
config option "Ciphers" should be case-sensitive; ok dtucker@
|
|
[auth.c]
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@
|
|
[auth-passwd.c sshd.c]
Warn in advance for password and account expiry; initialize loginmsg
buffer earlier and clear it after privsep fork. ok and help dtucker@
markus@
|
|
the list of available kbdint devices if UsePAM=no. ok djm@
|
|
bytes to prevent errors from login_init_entry() when the username is
exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
|
|
|
|
[cipher-ctr.c cipher.c]
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
many years now; ok deraadt@
(Id sync only: Portable will continue to support older OpenSSLs)
|
|
existence via keyboard-interactive/pam, in conjunction with previous
auth2-chall.c change; with Colin Watson and djm.
|
|
[auth-bsdauth.c auth2-chall.c]
Have keyboard-interactive code call the drivers even for responses for
invalid logins. This allows the drivers themselves to decide how to
handle them and prevent leaking information where possible. Existing
behaviour for bsdauth is maintained by checking authctxt->valid in the
bsdauth driver. Note that any third-party kbdint drivers will now need
to be able to handle responses for invalid logins. ok markus@
|
|
[sshd.c]
Make debugging output continue after reexec; ok djm@
|
|
[moduli.c]
Correct spelling: SCHNOOR->SCHNORR; ok djm@
|
|
[sshd_config.5]
`login'(n) -> `log in'(v);
|
|
[sshconnect.c]
remove dead code, log connect() failures with level error, ok djm@
|
|
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
bz #898: support AddressFamily in sshd_config. from
peak@argo.troja.mff.cuni.cz; ok deraadt@
|
|
[ssh-keygen.c]
leak; from mpech
|
|
[session.c]
check for NULL; from mpech
|
|
ccver-v and ccver-V.
|
|
"make survey" and "make send-survey". This will provide data on the
configure parameters, platform and platform features to the development
team, which will allow (among other things) better targeting of testing.
It's entirely voluntary and is off by default. ok djm@
|
|
on some wacky platforms (eg old AIXes), dd will refuse to create an output
file if it doesn't exist.
|
|
from prngd is enabled at compile time but fails at run time, eg because
prngd is not running. Note that if you have prngd running when OpenSSH is
built, OpenSSL will consider itself internally seeded and rand-helper won't
be built at all unless explicitly enabled via --with-rand-helper. ok djm@
|
|
amarendra.godbole at ge com.
|
|
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
Fix debug call in error path of authorized_keys processing and fix related
warnings; ok djm@
|
|
[sftp.c]
- fix globbed ls for paths the same length as the globbed path when
we have a unique matching.
- fix globbed ls in case of a directory when we have a unique matching.
- as a side effect, if the path does not exist error (used to silently
ignore).
- don't do extra do_lstat() if we only have one matching file.
djm@ ok
|
|
- markus@cvs.openbsd.org 2004/12/06 16:00:43
[bufaux.c]
use 0x00 not \0 since buf[] is a bignum
|
|
case statement. Suggested and OK by dtucker@
|
|
|
|
[test-exec.sh]
Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@
|
|
[test-exec.sh]
Remove obsolete RhostsAuthentication from test config; ok markus@
|
|
[multiplex.sh]
regression tests for new multiplex commands
|
|
[Makefile added brokenkeys.sh]
regression test for handling of corrupt keys in authorized_keys file
|
|
[reexec.sh]
shrink and tidy; ok dtucker@
|
|
[Makefile]
add a missing CLEANFILES used in the re-exec test
|
|
[scp.sh]
Regress test for bz #863 (scp double-error), requires $SUDO. ok markus@
|
|
[reexec.sh]
don't change the name of the copied sshd for the reexec fallback test,
makes life simpler for portable
|
|
|
|
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
Discard over-length authorized_keys entries rather than complaining when
they don't decode. bz #884, with & ok djm@
|
|
[sftp.1]
- explain that patterns can be used as arguments in get/put/ls/etc
commands (prodded by Michael Knudsen)
- describe ls flags as a list
- other minor improvements
ok jmc, djm
|
|
[sftp-client.h sftp.c]
Some small fixes from moritz@jodeit.org. ok deraadt@
|
|
[sftp.1]
missing full stop;
|
|
- markus@cvs.openbsd.org 2004/11/25 22:22:14
[sftp-client.c sftp.c]
leak; from mpech
|
|
|