Age | Commit message | Author |
|
split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@
Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
|
|
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
|
|
A while back I got a patch into PuTTY (although it hasn't yet made it
into an upstream release) to add passphrase-file options to puttygen.
Use these to make the PuTTY interop tests non-interactive.
Fix up a few details of the saved session.
When plink is given a saved session name, it expects that *instead* of
the host name (or IP address), not in addition to it. Drop "127.0.0.1"
from the various plink test command lines.
(It is possible that the last two of these represent compatibility
breaks of some kind; but if they are, then that ship sailed sufficiently
long ago - at least seven years, possibly more - that it's no longer
worth worrying about it. It's more useful to test interoperability with
current versions.)
Origin: https://bugzilla.mindrot.org/attachment.cgi?id=2891
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2639
Last-Update: 2016-11-19
Patch-Name: fix-putty-interop-tests.patch
|
|
target.
|
|
debian/.gitignore, in order to make the source tree more dgit-compatible.
|
|
sufficient.
|
|
unbreak DenyUsers; reported by henning@
Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
|
|
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
|
|
Improve pkcs11_add_provider() logging: demote some
excessively verbose error()s to debug()s, include PKCS#11 provider name and
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
|
|
ok dtucker@
|
|
Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the
ripemd160 MACs.
|
|
cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try
to compile them when Protocol 1 is not enabled.
|
|
Fix logic in add_local_forward() that inverted a test
when code was refactored out into bind_permitted(). This broke ssh port
forwarding for non-priv ports as a non root user.
ok dtucker@ 'looks good' deraadt@
Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
|
|
Remove dead breaks, found via opencoverage.net. ok
deraadt@
Upstream-ID: ad9cc655829d67fad219762810770787ba913069
|
|
getdefaultproj() returns a pointer so test it for NULL inequality
instead of >0. Fixes compiler warning and is more correct. Patch from
David Binderman.
|
|
received (closes: #841884).
|
|
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=ec165c392ca54317dbe3064a8c200de6531e89ad
Bug-Debian: https://bugs.debian.org/841884
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1384860
Last-Update: 2016-10-24
Patch-Name: unregister-kexinit.patch
|
|
Factor out "can bind to low ports" check into its own function. This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
deraadt@.
Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
|
|
When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@.
Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced
|
|
www.openssh.com now supports https and ftp.openbsd.org no longer
supports ftp. Make all links to these https.
|
|
Remove ssh1 host key generation, add ssh-keygen -A
|
|
Make links to openssh.com HTTPS now that it's supported, point release
notes link to the HTML release notes page, and update a couple of other
links and bits of text.
|
|
These files were incorrectly added during an OpenBSD sync.
|
|
Remove channel_input_port_forward_request(); the only caller
was the recently-removed SSH1 server code so it's now dead code. ok markus@
Upstream-ID: 05453983230a1f439562535fec2818f63f297af9
|
|
Install a signal handler for tty-generated signals and
wait for the ssh child to suspend before suspending sftp. This lets ssh
restore the terminal mode as needed when it is suspended at the password
prompt. OK dtucker@
Upstream-ID: a31c1f42aa3e2985dcc91e46e6a17bd22e372d69
|
|
various formatting fixes, specifically removing Dq;
Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c
|
|
Author: miller@openbsd.org:
Avoid generating SIGTTOU when restoring the terminal mode. If we get
SIGTTOU it means the process is not in the foreground process group
which, in most cases, means that the shell has taken control of the tty.
Requiring the user to fg the process in this case doesn't make sense
and can result in both SIGTSTP and SIGTTOU being sent which can lead to
the process being suspended again immediately after being brought into
the foreground.
|
|
Wrap <readpassphrase.h> so internal calls go direct and
readpassphrase is weak.
(DEF_WEAK is a no-op in portable.)
|
|
As well pull in more recent changes from OpenBSD these will start to
arrive so put it where the definition is shared.
|
|
The callers of do_pam_set_tty were removed in 2008, so this is now dead
code. bz#2604, pointed out by jjelen at redhat.com.
|
|
Undo inconsistently updated variable name.
|
|
fix the KEX fuzzer - the previous method of obtaining the
packet contents was broken. This now uses the new per-packet input hook, so
it sees exact post-decrypt packets and doesn't have to pass packet integrity
checks. ok markus@
Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd
|
|
Move USER out of the way to unbreak the BUILDUSER
mechanism. ok tb
Upstream-Regress-ID: 74ab9687417dd071d62316eaadd20ddad1d5af3c
|
|
In ssh tests set REGRESS_FAIL_EARLY with ?= so that the
environment can change it. OK djm@
Upstream-Regress-ID: 77bcb50e47b68c7209c7f0a5a020d73761e5143b
|
|
Add a per-packet input hook that is called with the
decrypted packet contents. This will be used for fuzzing; ok markus@
Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
|
|
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
|
|
revision 1.24
date: 2013/11/24 23:51:29; author: deraadt; state: Exp; lines: +4 -4;
most obvious unsigned char casts for ctype
ok jca krw ingo
|
|
revision 1.23
date: 2010/05/14 13:30:34; author: millert; state: Exp; lines: +41 -39;
Defer installing signal handlers until echo is disabled so that we
get suspended normally when not the foreground process. Fix potential
infinite loop when restoring terminal settings if process is in the
background when restore occurs. OK miod@
|
|
This makes it a no-op when we use it below, which allows us to re-sync
those lines with the upstream and make future updates easier.
|