| Age | Commit message (Collapse) | Author |
|---|
|
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
|
|
OpenBSD-Regress-ID: e5a9b11368ff6d86e7b25ad10ebe43359b471cd4
|
|
|
|
for certs hosted in ssh-agent
OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
|
|
OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
|
|
for prior version; part of RSA-SHA2 strictification, ok markus@
OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
|
|
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
|
|
pattern-list of whitelisted environment variable names in addition to yes|no.
bz#1800, feedback and ok markus@
OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
|
|
when choosing a prime. An extra increment of linenum snuck in as part of the
conversion to getline(). OK djm@ markus@
OpenBSD-Commit-ID: 0019225cb52ed621b71cd9f19ee2e78e57e3dd38
|
|
doesn't seem to mind, but some platforms in -portable object to the second.
OpenBSD-Regress-ID: d6c3e404871764343761dc25c3bbe29c2621ff74
|
|
Add getline for the benefit of platforms that don't have it. Sourced
from NetBSD (OpenBSD's implementation is a little too chummy with the
internals of FILE).
|
|
OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572
|
|
OpenBSD-Commit-ID: c968c1d29e392352383c0f9681fcc1e93620c4a9
|
|
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
|
|
OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3
|
|
e.g.
PermitListen 2222 8080
is equivalent to:
PermitListen *:2222 *:8080
Some bonus manpage improvements, mostly from markus@
"looks fine" markus@
OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
|
|
temporarily_use_uid() when the target uid differs; could cause failure to
read authorized_keys under some configurations. patch by Jakub Jelen via
bz2873; ok dtucker, markus
OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
|
|
OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
|
|
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
|
|
Jelen via bz2386
OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
|
|
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.
ok markus@
OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
|
|
environment variables for the remote session (subject to the server accepting
them)
refactor SendEnv to remove the arbitrary limit of variable names.
ok markus@
OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
|
|
read from ~/.ssh/environment (if enabled) do not override SSH_* variables set
by the server.
OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a
|
|
load_public_identity_files(); reported by Roumen Petrov
OpenBSD-Commit-ID: a827289e77149b5e0850d72a350c8b0300e7ef25
|
|
messages
OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
|
|
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
|
|
Since autoconf always uses $CC to link C programs, allowing users to
override LD caused mismatches between what LD_LINK_IFELSE thought worked
and what ld thought worked. If you do need to do this kind of thing you
need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS.
|
|
Should prevent "unsupported -Wl,-z,retpoline" warnings during linking.
ok djm@
|
|
OpenBSD-Regress-ID: 492279ea9f65657f97a970e0e7c7fd0b339fee23
|
|
insomnia-fueled commits last night
OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c
|
|
OpenBSD-Regress-ID: ab12eb42f0e14926980441cf7c058a6d1d832ea5
|
|
authorized_keys lines that contained permitopen/permitlisten were being
treated as invalid.
OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b
|
|
static limits noted by gerhard@; ok dtucker@, djm@
OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
|
|
OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
|
|
OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
|
|
OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
|
|
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
|
|
addresses may be listened on when the client requests remote forwarding (ssh
-R).
This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.
feedback and ok markus@
OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
|
|
Instead of testing for each specific key type, use ssh-keygen -A to
generate any missing host key types.
|
|
make the grammatical format in sshd_config.5 match that in ssh_config.5;
OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
|
|
OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025
|
|
OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e
|
|
just files. This makes sure it gets applied to directories too, and prevents
a race where files get chmodded after creation. bz#2839, ok djm@
OpenBSD-Commit-ID: 3168ee6c7c39093adac4fd71039600cfa296203b
|
|
searching for and hashing known_hosts entries in a single operation
(ssh-keygen -HF ...) Patch from Anton Kremenetsky
OpenBSD-Regress-ID: 519585a4de35c4611285bd6a7272766c229b19dd
|
|
to instantly abort the test. Useful in capturing clean logs for individual
failure cases.
OpenBSD-Regress-ID: feba18cf338c2328b9601bd4093cabdd9baa3af1
|
|
OpenBSD-Regress-ID: 6adb35f384d447e7dcb9f170d4f0d546d3973e10
|
|
OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add
|
|
the ssh->state has been torn down; bz#2773
OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb
|
|
known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772
Report and fix from Anton Kremenetsky
OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
|
|
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@
OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
|
