| Age | Commit message (Collapse) | Author |
|---|
|
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
|
|
[dynamic-forward.sh]
fix dumb error in dynamic-forward test
|
|
[dynamic-forward.sh]
Prevent races in dynamic forwarding test; ok djm
|
|
[cert-hostkey.sh]
another attempt to generate a v00 ECDSA key that broke the test
ID sync only - portable already had this somehow
|
|
[regress/cert-userkey.sh]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
|
|
[monitor.c monitor_wrap.c servconf.c servconf.h]
use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
|
[servconf.c]
Add comment documenting what should be after the preauth check. ok djm
|
|
[servconf.c]
the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@
|
|
[key.c]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
|
|
- djm@cvs.openbsd.org 2011/05/15 08:09:01
[authfd.c monitor.c serverloop.c]
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
|
|
|
options, we should corresponding -W-option when trying to determine
whether it is accepted. Also includes a warning fix on the program
fragment uses (bad main() return type).
bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
|
|
options, we should corresponding -W-option when trying to determine
whether it is accepted. Also includes a warning fix on the program
fragment uses (bad main() return type).
bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
|
|
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
|
|
|
|
[authfile.c]
warn on unexpected key type in key_parse_private_type()
|
|
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@
|
|
[authfile.c]
despam debug() logs by detecting that we are trying to load a private key
in key_try_load_public() and returning early; ok markus@
|
|
[PROTOCOL.mux clientloop.c clientloop.h mux.c]
improve our behaviour when TTY allocation fails: if we are in
RequestTTY=auto mode (the default), then do not treat at TTY
allocation error as fatal but rather just restore the local TTY
to cooked mode and continue. This is more graceful on devices that
never allocate TTYs.
If RequestTTY is set to "yes" or "force", then failure to allocate
a TTY is fatal.
ok markus@
|
|
[ssh.1]
+.It RequestTTY
|
|
[ssh_config.5]
- tweak previous
- come consistency fixes
ok djm
|
|
[PROTOCOL.mux]
fix numbering; from bert.wesarg AT googlemail.com
|
|
[ssh.c]
fix dropping from previous diff
|
|
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
Add a RequestTTY ssh_config option to allow configuration-based
control over tty allocation (like -t/-T); ok markus@
|
|
[readconf.c ssh_config.5]
support negated Host matching, e.g.
Host *.example.org !c.example.org
User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
ok markus@
|
|
[ssh.c ssh_config.5]
add a %L expansion (short-form of the local host name) for ControlPath;
sync some more expansions with LocalCommand; ok markus@
|
|
[packet.c packet.h]
set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@
|
|
[sshconnect2.c]
fix memory leak; bz#1849 ok dtucker@
|
|
[sftp.1]
mention that IPv6 addresses must be enclosed in square brackets;
bz#1845
|
|
[sshd_config]
clarify language about overriding defaults. bz#1892, from Petr Cerny
|
|
[mux.c]
gracefully fall back when ControlPath is too large for a
sockaddr_un. ok markus@ as part of a larger diff
|
|
--with-ssl-engine which was broken with the change from deprecated
SSLeay_add_all_algorithms(). ok djm
|
|
for closefrom() in test code. Report from Dan Wallis via Gentoo.
|
|
|
|
so autoreconf 2.68 is happy.
|
|
[authfile.c authfile.h ssh-add.c]
allow "ssh-add - < key"; feedback and ok markus@
|
|
[ssh-keygen.c]
certificate options are supposed to be packed in lexical order of
option name (though we don't actually enforce this at present).
Move one up that was out of sequence
|
|
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
allow graceful shutdown of multiplexing: request that a mux server
removes its listener socket and refuse future multiplexing requests;
ok markus@
|
|
[ssh-keygen.1]
mention valid -b sizes for ECDSA keys; bz#1862
|
|
[ssh-keygen.1]
improve wording; bz#1861
|
|
[sshd.c]
exit with 0 status on SIGTERM; bz#1879
|
|
[ssh-keygen.c]
fix -Wshadow
|
|
[misc.c misc.h servconf.c]
print ipqos friendly string for sshd -T; ok markus
# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput
|
|
[ssh-keygen.c]
use strcasecmp() for "clear" cert permission option also; ok djm
|
|
[ssh-keygen.1]
zap trailing whitespace;
|
|
[ssh-keygen.c]
remove -d, documentation removed >10 years ago; ok markus
|
|
[ssh-keygen.1]
-q not used in /etc/rc now so remove statement.
|
|
[ssh-keygen.1 ssh-keygen.c]
Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)
for which host keys do not exist, generate the host keys with the
default key file path, an empty passphrase, default bits for the key
type, and default comment. This will be used by /etc/rc to generate
new host keys. Idea from deraadt.
ok deraadt
|
|
[ssh-keyscan.c]
use timerclear macro
ok djm@
|
|
[auth.h]
allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
