summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-05-08upstream: Use the correct (according to POSIX) format fordtucker@openbsd.org
left-justification in snmprintf. bz#3002, patch from velemas at gmail.com, ok markus@. OpenBSD-Commit-ID: 65d252b799be0cc8f68b6c47cece0a57bb00fea7
2019-05-08upstream: Free channel objects on exit path. Patch from markus atdtucker@openbsd.org
blueflash.cc, ok deraadt OpenBSD-Commit-ID: dbe4db381603909482211ffdd2b48abd72169117
2019-05-08upstream: Free host on exit path. Patch from markus atdtucker@openbsd.org
blueflash.cc, ok djm@ OpenBSD-Commit-ID: c54e9945d93c4ce28350d8b9fa8b71f744ef2b5a
2019-05-08upstream: Wrap XMSS including in ifdef. Patch from markus atdtucker@openbsd.org
blueflash.cc, ok djm OpenBSD-Commit-ID: e3b34fc35cf12d33bde91ac03633210a3bc0f8b5
2019-05-08upstream: Import regenerated moduli.dtucker@openbsd.org
OpenBSD-Commit-ID: db6375fc302e3bdf07d96430c63c991b2c2bd3ff
2019-05-08upstream: Use the LogLevel typdef instead of int where appropriate. Patch ↵dtucker@openbsd.org
from Markus Schmidt via openssh-unix-dev, ok markus@ OpenBSD-Commit-ID: 4c0f0f458e3da7807806b35e3eb5c1e8403c968a
2019-05-08upstream: Document new default RSA key size. Fromdtucker@openbsd.org
sebastiaanlokhorst at gmail.com via bz#2997. OpenBSD-Commit-ID: bdd62ff5d4d649d2147904e91bf7cefa82fe11e1
2019-05-08upstream: When running sshd -T, assume any attibute not provided bydtucker@openbsd.org
-C does not match, which allows it to work when sshd_config contains a Match directive with or without -C. bz#2858, ok djm@ OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb
2019-05-08upstream: Remove crc32.{c,h} which were only used by the now-gonedtucker@openbsd.org
SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt. OpenBSD-Commit-ID: cceda5876c5ba6b4d8abcd52335329198cee3240
2019-04-30Remove unused variables from RLIMIT_NOFILE test.Darren Tucker
2019-04-26Import regenerated moduli.Darren Tucker
2019-04-26Whitespace resync w/OpenBSD.Darren Tucker
Patch from markus at blueflash.cc via openssh-unix-dev.
2019-04-26Don't install duplicate STREAMS modules on SolarisDarren Tucker
Check if STREAMS modules are already installed on pty before installing since when compiling with XPG>=4 they will likely be installed already. Prevents hangs and duplicate lines on the terminal. bz#2945 and bz#2998, patch from djm@
2019-04-18makedependDamien Miller
2019-04-05second thoughts: leave README in placeDamien Miller
A number of contrib/* files refer to the existing README so let's leave it in place for release and add the new markdown version in parallel. I'll get rid of README after release.
2019-04-05Revert "rewrite README"Damien Miller
This reverts commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f.
2019-04-05rewrite READMEDamien Miller
Include basic build instructions and comments on commonly-used build- time flags, links to the manual pages and other resources. Now in Markdown format for better viewing on github, etc.
2019-04-05update versionsDamien Miller
2019-04-05upstream: openssh-8.0djm@openbsd.org
OpenBSD-Commit-ID: 5aafdf218679dab982fea20771afd643be9a127b
2019-04-04session: Do not use removed APIDamien Miller
from Jakub Jelen
2019-04-03upstream: when logging/fataling on error, include a bit more detaildjm@openbsd.org
than just the function name and the error message OpenBSD-Commit-ID: dd72d7eba2215fcb89be516c378f633ea5bcca9f
2019-04-03Remove "struct ssh" from sys_auth_record_login.Darren Tucker
It's not needed, and is not available from the call site in loginrec.c Should only affect AIX, spotted by Kevin Brott.
2019-04-02Adapt custom_failed_login to new prototype.Darren Tucker
Spotted by Kevin Brott.
2019-04-01Add includes.h for compat layer.Darren Tucker
Should fix build on AIX 7.2.
2019-03-31Stop USL compilers for erroring with "integral constant expression expected"Tim Rice
2019-03-31Only use O_NOFOLLOW in fchownat and fchmodat if definedTim Rice
2019-03-29Adjust softhsm2 path on Fedora Linux for regressJakub Jelen
The SoftHSM lives in Fedora in /usr/lib64/pkcs11/libsofthsm2.so
2019-03-28Only use O_NOFOLLOW in utimensat if defined.Darren Tucker
Fixes build on systems that don't have it (Solaris <=9) Found by Tom G. Christensen.
2019-03-28drop old Cygwin considerationsCorinna Vinschen
- Cygwin supports non-DOS characters in filenames - Cygwin does not support Windows XP anymore Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2019-03-27upstream: fix interaction between ClientAliveInterval and RekeyLimitdjm@openbsd.org
that could cause connection to close incorrectly; Report and patch from Jakub Jelen in bz#2757; ok dtucker@ markus@ OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb
2019-03-26upstream: Fix authentication failures when "AuthenticationMethodsdjm@openbsd.org
any" in a Match block overrides a more restrictive global default. Spotted by jmc@, ok markus@ OpenBSD-Commit-ID: a90a4fe2ab81d0eeeb8fdfc21af81f7eabda6666
2019-03-26upstream: whitespacedjm@openbsd.org
OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
2019-03-26upstream: Expand comment to document rationale for default keydtucker@openbsd.org
sizes. "seems worthwhile" deraadt. OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456
2019-03-26upstream: Increase the default RSA key size to 3072 bits. Based ondtucker@openbsd.org
the estimates from NIST Special Publication 800-57, 3k bits provides security equivalent to 128 bits which is the smallest symmetric cipher we enable by default. ok markus@ deraadt@ OpenBSD-Commit-ID: 461dd32ebe808f88f4fc3ec74749b0e6bef2276b
2019-03-26upstream: full stop in the wrong place;jmc@openbsd.org
OpenBSD-Commit-ID: 478a0567c83553a2aebf95d0f1bd67ac1b1253e4
2019-03-26upstream: benno helped me clean up the tcp forwarding section;jmc@openbsd.org
OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
2019-03-26upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFLmarkus@openbsd.org
OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c
2019-03-14Fix build when configured --without-openssl.Darren Tucker
ok djm@
2019-03-14On Cygwin run sshd as SYSTEM where possible.Darren Tucker
Seteuid now creates user token using S4U. We don't create a token from scratch anymore, so we don't need the "Create a process token" privilege. The service can run under SYSTEM again... ...unless Cygwin is running on Windows Vista or Windows 7 in the WOW64 32 bit emulation layer. It turns out that WOW64 on these systems didn't implement MsV1_0 S4U Logon so we still need the fallback to NtCreateToken for these systems. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2019-03-13Replace alloca with xcalloc.Darren Tucker
The latter checks for memory exhaustion and integer overflow and may be at a less predictable place. Sanity check by vinschen at redhat.com, ok djm@
2019-03-12Use Cygwin-specific matching only for users+groups.Darren Tucker
Patch from vinschen at redhat.com, updated a little by me.
2019-03-08upstream: Move checks for lists of users or groups into their owndtucker@openbsd.org
function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@ OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
2019-03-08upstream: Reset last-seen time when sending a keepalive. Preventsdtucker@openbsd.org
sending two keepalives successively and prematurely terminating connection when ClientAliveCount=1. While there, collapse two similar tests into one. ok markus@ OpenBSD-Commit-ID: 043670d201dfe222537a2a4bed16ce1087de5ddd
2019-03-08upstream: PKCS#11 support is no longer limited to RSA; ok benno@naddy@openbsd.org
kn@ OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
2019-03-08upstream: in ssh_set_newkeys(), mention the direction that we'redjm@openbsd.org
keying in debug messages. Previously it would be difficult to tell which direction it was talking about OpenBSD-Commit-ID: c2b71bfcceb2a7389b9d0b497fb2122a406a522d
2019-03-01upstream: Fix two race conditions in sshd relating to SIGHUP:djm@openbsd.org
1. Recently-forked child processes will briefly remain listening to listen_socks. If the main server sshd process completes its restart via execv() before these sockets are closed by the child processes then it can fail to listen at the desired addresses/ports and/or fail to restart. 2. When a SIGHUP is received, there may be forked child processes that are awaiting their reexecution state. If the main server sshd process restarts before passing this state, these child processes will yield errors and use a fallback path of reading the current sshd_config from the filesystem rather than use the one that sshd was started with. To fix both of these cases, we reuse the startup_pipes that are shared between the main server sshd and forked children. Previously this was used solely to implement tracking of pre-auth child processes for MaxStartups, but this extends the messaging over these pipes to include a child->parent message that the parent process is safe to restart. This message is sent from the child after it has completed its preliminaries: closing listen_socks and receiving its reexec state. bz#2953, reported by Michal Koutný; ok markus@ dtucker@ OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab
2019-03-01upstream: mention PKCS11Provide=none, reword a little and removedjm@openbsd.org
mention of RSA keys only (since we support ECDSA now and might support others in the future). Inspired by Jakub Jelen via bz#2974 OpenBSD-Commit-ID: a92e3686561bf624ccc64ab320c96c9e9a263aa5
2019-03-01upstream: let PKCS11Provider=none do what users expectdjm@openbsd.org
print PKCS11Provider instead of obsolete SmartcardDevice in config dump. bz#2974 ok dtucker@ OpenBSD-Commit-ID: c303d6f0230a33aa2dd92dc9b68843d56a64f846
2019-03-01upstream: dup stdout/in for proxycommand=-, otherwise stdout mightmarkus@openbsd.org
be redirected to /dev/null; ok djm@ OpenBSD-Commit-ID: 97dfce4c47ed4055042de8ebde85b7d88793e595
2019-02-24upstream: openssh-7.9 accidentally reused the server's algorithm listsdjm@openbsd.org
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method. This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method. Reported by nuxi AT vault24.org via bz#2697; ok dtucker OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57