Age | Commit message | Author

make IdentityFile successfully load and use certificates that
have no corresponding bare public key. E.g. just a private id_rsa and
certificate id_rsa-cert.pub (and no id_rsa.pub).
bz#2617 ok dtucker@
Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604

Based on patch from Colin Watson via bz#2640

Patch from Colin Watson via bz#2640

Fix public key authentication when multiple
authentication is in use. Instead of deleting and re-preparing the entire
keys list, just reset the 'used' flags; the keys list is already in a good
order (with already-tried keys at the back)
Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@
Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176

Unlink PidFile on SIGHUP and always recreate it when the
new sshd starts. Regression tests (and possibly other things) depend on the
pidfile being recreated after SIGHUP, and unlinking it means it won't contain
a stale pid if sshd fails to restart. ok djm@ markus@
Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870

test new behaviour of cert force-command restriction vs.
authorized_keys/principals
Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c

tweak previous; while here fix up FILES and AUTHORS;
Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa

add a whitelist of paths from which ssh-agent will load
(via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f

Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7

When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.
The previous (documented) behaviour of having the certificate forced-command
override the other could be a bit confused and more error-prone.
Pointed out by Jann Horn of Project Zero; ok dtucker@
Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f

On startup, check to see if sshd is already daemonized
and if so, skip the call to daemon() and do not rewrite the PidFile. This
means that when sshd re-execs itself on SIGHUP the process ID will no longer
change. Should address bz#2641. ok djm@ markus@.
Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9

Add a call to RAND_poll() to ensure that more than pid+time gets
stirred into child processes states. Prompted by analysis from Jann
Horn at Project Zero. ok dtucker@

Allow PuTTY interop tests to run unattended. bz#2639,
patch from cjwatson at debian.org.
Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0

Reverse args to sshd-log-wrapper. Matches change in
portable, where it allows sshd to be optionally run under Valgrind.
Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906

Fix typo in trace message; from portable.
Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a

Clean up MALLOC_OPTIONS. For the unittests, move
MALLOC_OPTIONS and TEST_ENV to unittests/Makefile.inc.
ok otto
Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12

Remove the obsolete A and P flags from MALLOC_OPTIONS.
ok dtucker
Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59

Factor out code to disconnect from controlling terminal
into its own function. ok djm@
Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885

use sshbuf_allocate() to pre-allocate the buffer used for
loading keys. This avoids implicit realloc inside the buffer code, which
might theoretically leave fragments of the key on the heap. This doesn't
appear to happen in practice for normal sized keys, but was observed for
novelty oversize ones.
Pointed out by Jann Horn of Project Zero; ok markus@
Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@
Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2

allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55

unbreak DenyUsers; reported by henning@
Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2

Validate address ranges for AllowUsers/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb

Improve pkcs11_add_provider() logging: demote some
excessively verbose error()s to debug()s, include PKCS#11 provider name and
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d

ok dtucker@

Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the
ripemd160 MACs.

cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try
to compile them when Protocol 1 is not enabled.

Fix logic in add_local_forward() that inverted a test
when code was refactored out into bind_permitted(). This broke ssh port
forwarding for non-priv ports as a non root user.
ok dtucker@ 'looks good' deraadt@
Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9

Remove dead breaks, found via opencoverage.net. ok
deraadt@
Upstream-ID: ad9cc655829d67fad219762810770787ba913069

getdefaultproj() returns a pointer so test it for NULL inequality
instead of >0. Fixes compiler warning and is more correct. Patch from
David Binderman.

Factor out "can bind to low ports" check into its own function. This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
deraadt@.
Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface

When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@.
Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced

www.openssh.com now supports https and ftp.openbsd.org no longer
supports ftp. Make all links to these https.

Remove ssh1 host key generation, add ssh-keygen -A

Make links to openssh.com HTTPS now that it's supported, point release
notes link to the HTML release notes page, and update a couple of other
links and bits of text.

These files were incorrectly added during an OpenBSD sync.

Remove channel_input_port_forward_request(); the only caller
was the recently-removed SSH1 server code so it's now dead code. ok markus@
Upstream-ID: 05453983230a1f439562535fec2818f63f297af9

Install a signal handler for tty-generated signals and
wait for the ssh child to suspend before suspending sftp. This lets ssh
restore the terminal mode as needed when it is suspended at the password
prompt. OK dtucker@
Upstream-ID: a31c1f42aa3e2985dcc91e46e6a17bd22e372d69

various formatting fixes, specifically removing Dq;
Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c

Author: miller@openbsd.org
Avoid generating SIGTTOU when restoring the terminal mode. If we get
SIGTTOU it means the process is not in the foreground process group
which, in most cases, means that the shell has taken control of the tty.
Requiring the user to fg the process in this case doesn't make sense
and can result in both SIGTSTP and SIGTTOU being sent which can lead to
the process being suspended again immediately after being brought into
the foreground.

Wrap <readpassphrase.h> so internal calls go direct and
readpassphrase is weak.
(DEF_WEAK is a no-op in portable.)

As we pull in more recent changes from OpenBSD these will start to
arrive, so put it where the definition is shared.

The callers of do_pam_set_tty were removed in 2008, so this is now dead
code. bz#2604, pointed out by jjelen at redhat.com.

Undo inconsistently updated variable name.

fix the KEX fuzzer - the previous method of obtaining the
packet contents was broken. This now uses the new per-packet input hook, so
it sees exact post-decrypt packets and doesn't have to pass packet integrity
checks. ok markus@
Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd

Move USER out of the way to unbreak the BUILDUSER
mechanism. ok tb
Upstream-Regress-ID: 74ab9687417dd071d62316eaadd20ddad1d5af3c