summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-07-10upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29
2018-07-10upstream: remove legacy buffer API emulation layer; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9
2018-07-10upstream: sshd: switch monitor to sshbuf API; lots of help & okmarkus@openbsd.org
djm@ OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
2018-07-10upstream: sshd: switch GSSAPI to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: e48449ab4be3f006f7ba33c66241b7d652973e30
2018-07-10upstream: sshd: switch authentication to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
2018-07-10upstream: sshd: switch config to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
2018-07-10upstream: sshd: switch loginmsg to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
2018-07-10upstream: ttymodes: switch to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429
2018-07-10upstream: client: switch mux to sshbuf API; with & ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 5948fb98d704f9c4e075b92edda64e0290b5feb2
2018-07-10upstream: client: switch to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 60cb0356114acc7625ab85105f6f6a7cd44a8d05
2018-07-10upstream: pkcs11: switch to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 98cc4e800f1617c51caf59a6cb3006f14492db79
2018-07-10upstream: Revert previous two commitssf@openbsd.org
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits: date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB Only delayed compression is supported nowadays. ok markus@ date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@ OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
2018-07-10upstream: Rename COMP_DELAYED to COMP_ZLIBsf@openbsd.org
Only delayed compression is supported nowadays. ok markus@ OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
2018-07-10upstream: Remove leftovers from pre-authentication compressionsf@openbsd.org
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@ OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
2018-07-10upstream: Remove unused ssh_packet_start_compression()sf@openbsd.org
ok markus@ OpenBSD-Commit-ID: 9d34cf2f59aca5422021ae2857190578187dc2b4
2018-07-06Defer setting bufsiz in getdelim.Darren Tucker
Do not write to bufsiz until we are sure the malloc has succeeded, in case any callers rely on it (which they shouldn't). ok djm@
2018-07-05Fix other callers of read_environment_file.Darren Tucker
read_environment_file recently gained an extra argument Some platform specific code also calls it so add the argument to those too. Fixes build on Solaris and AIX.
2018-07-04upstream: deal with API rename: match_filter_list() =>djm@openbsd.org
match_filter_blacklist() OpenBSD-Regress-ID: 2da342be913efeb51806351af906fab01ba4367f
2018-07-04upstream: exercise new expansion behaviour ofdjm@openbsd.org
PubkeyAcceptedKeyTypes and, by proxy, test kex_assemble_names() ok markus@ OpenBSD-Regress-ID: 292978902e14d5729aa87e492dd166c842f72736
2018-07-04upstream: add a comment that could have saved me 45 minutes of wilddjm@openbsd.org
goose chasing OpenBSD-Regress-ID: d469b29ffadd3402c090e21b792d627d46fa5297
2018-07-04upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSAdjm@openbsd.org
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04upstream: some magic for RSA-SHA2 checksdjm@openbsd.org
OpenBSD-Regress-ID: e5a9b11368ff6d86e7b25ad10ebe43359b471cd4
2018-07-03dependDamien Miller
2018-07-03upstream: some finesse to fix RSA-SHA2 certificate authenticationdjm@openbsd.org
for certs hosted in ssh-agent OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
2018-07-03upstream: check correct variable; unbreak agent keysdjm@openbsd.org
OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
2018-07-03upstream: crank version number to 7.8; needed for new compat flagdjm@openbsd.org
for prior version; part of RSA-SHA2 strictification, ok markus@ OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03upstream: allow sshd_config PermitUserEnvironment to accept adjm@openbsd.org
pattern-list of whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@ OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
2018-07-03upstream: Fix "WARNING: line 6 disappeared in /etc/moduli, giving up"millert@openbsd.org
when choosing a prime. An extra increment of linenum snuck in as part of the conversion to getline(). OK djm@ markus@ OpenBSD-Commit-ID: 0019225cb52ed621b71cd9f19ee2e78e57e3dd38
2018-07-03upstream: One ampersand is enough to backgroud an process. OpenBSDdtucker@openbsd.org
doesn't seem to mind, but some platforms in -portable object to the second. OpenBSD-Regress-ID: d6c3e404871764343761dc25c3bbe29c2621ff74
2018-07-02Add implementation of getline.Darren Tucker
Add getline for the benefit of platforms that don't have it. Sourced from NetBSD (OpenBSD's implementation is a little too chummy with the internals of FILE).
2018-06-26upstream: whitespacedjm@openbsd.org
OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572
2018-06-26upstream: fix NULL dereference in open_listen_match_tcpip()djm@openbsd.org
OpenBSD-Commit-ID: c968c1d29e392352383c0f9681fcc1e93620c4a9
2018-06-26upstream: spelling;jmc@openbsd.org
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-19upstream: test PermitListen with bare port numbersdjm@openbsd.org
OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3
2018-06-19upstream: allow bare port numbers to appear in PermitListen directives,djm@openbsd.org
e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-15upstream: invalidate supplemental group cache used bydjm@openbsd.org
temporarily_use_uid() when the target uid differs; could cause failure to read authorized_keys under some configurations. patch by Jakub Jelen via bz2873; ok dtucker, markus OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
2018-06-11upstream: unbreak SendEnv; patch from tb@djm@openbsd.org
OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
2018-06-11upstream: sort previous;jmc@openbsd.org
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-11upstream: slightly better wording re handing of $TERM, from Jakubdjm@openbsd.org
Jelen via bz2386 OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
2018-06-09upstream: add a SetEnv directive for sshd_config to allow andjm@openbsd.org
administrator to explicitly specify environment variables set in sessions started by sshd. These override the default environment and any variables set by user configuration (PermitUserEnvironment, etc), but not the SSH_* variables set by sshd itself. ok markus@ OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
2018-06-09upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org
environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09upstream: reorder child environment preparation so that variablesdjm@openbsd.org
read from ~/.ssh/environment (if enabled) do not override SSH_* variables set by the server. OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a
2018-06-09upstream: fix incorrect expansion of %i indjm@openbsd.org
load_public_identity_files(); reported by Roumen Petrov OpenBSD-Commit-ID: a827289e77149b5e0850d72a350c8b0300e7ef25
2018-06-09upstream: fix some over-long lines and __func__ up some debugdjm@openbsd.org
messages OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
2018-06-09upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-08Remove ability to override $LD.Darren Tucker
Since autoconf always uses $CC to link C programs, allowing users to override LD caused mismatches between what LD_LINK_IFELSE thought worked and what ld thought worked. If you do need to do this kind of thing you need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS.
2018-06-08Better detection of unsupported compiler options.Darren Tucker
Should prevent "unsupported -Wl,-z,retpoline" warnings during linking. ok djm@
2018-06-08upstream: test the correct configuration option namedjm@openbsd.org
OpenBSD-Regress-ID: 492279ea9f65657f97a970e0e7c7fd0b339fee23
2018-06-07upstream: some permitlisten fixes from markus@ that I missed in mydjm@openbsd.org
insomnia-fueled commits last night OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c