summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-07-28upstream commitdtucker@openbsd.org
Make WinSCP patterns for SSH_OLD_DHGEX more specific to exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@ Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
2017-07-24upstream commitdjm@openbsd.org
g/c unused variable; make a little more portable Upstream-ID: 3f5980481551cb823c6fb2858900f93fa9217dea
2017-07-24upstream commitdjm@openbsd.org
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@ Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
2017-07-21mention libeditDamien Miller
2017-07-21upstream commitmarkus@openbsd.org
fix support for unknown key types; ok djm@ Upstream-ID: 53fb29394ed04d616d65b3748dee5aa06b07ab48
2017-07-21upstream commitdjm@openbsd.org
switch from select() to poll() for the ssh-agent mainloop; ok markus Upstream-ID: 4a94888ee67b3fd948fd10693973beb12f802448
2017-07-21upstream commitdtucker@openbsd.org
Make ""Killed by signal 1" LogLevel verbose so it's not shown at the default level. Prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744, feedback&ok markus@ Upstream-ID: debfaa7e859b272246c2f2633335d288d2e2ae28
2017-07-21upstream commitjmc@openbsd.org
man pages with pseudo synopses which list filenames end up creating very ugly output in man -k; after some discussion with ingo, we feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly helpful at page top, is contained already in FILES, and there are sufficiently few that just zapping them is simple; ok schwarze, who also helpfully ran things through a build to check output; Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
2017-07-21upstream commitespie@openbsd.org
zap redundant Makefile variables. okay djm@ Upstream-ID: e39b3902fe1d6c4a7ba6a3c58e072219f3c1e604
2017-07-21upstream commitjmc@openbsd.org
slightly rework previous, to avoid an article issue; Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
2017-07-21upstream commitdjm@openbsd.org
When generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed part way through generating them, so avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@ Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
2017-07-21upstream commitdjm@openbsd.org
actually remove these files Upstream-ID: 1bd41cba06a7752de4df304305a8153ebfb6b0ac
2017-07-21upstream commitdjm@openbsd.org
remove post-SSHv1 removal dead code from rsa.c and merge the remaining bit that it still used into ssh-rsa.c; ok markus Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
2017-07-14make explicit_bzero/memset safe for sz=0Damien Miller
2017-07-11modified: configure.acTim Rice
UnixWare needs BROKEN_TCGETATTR_ICANON like Solaris Analysis by Robbie Zhang
2017-07-07typoDamien Miller
2017-06-30upstream commitdtucker@openbsd.org
Only call close once in confree(). ssh_packet_close will close the FD so only explicitly close non-SSH channels. bz#2734, from bagajjal at microsoft.com, ok djm@ Upstream-ID: a81ce0c8b023527167739fccf1732b154718ab02
2017-06-29Update link for my patches.Darren Tucker
2017-06-28upstream commitdjm@openbsd.org
Allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 ok markus Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-06-24upstream commitdjm@openbsd.org
regress test for ExposeAuthInfo Upstream-Regress-ID: 190e5b6866376f4061c411ab157ca4d4e7ae86fd
2017-06-24upstream commitdjm@openbsd.org
correct env var name Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313
2017-06-24upstream commitjmc@openbsd.org
spelling; Upstream-ID: 606f933c8e2d0be902ea663946bc15e3eee40b25
2017-06-24upstream commitdjm@openbsd.org
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker Upstream-ID: 2eab434c09bdf549dafd7da3e32a0d2d540adbe0
2017-06-24upstream commitdjm@openbsd.org
refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24upstream commitjmc@openbsd.org
word fix; Upstream-ID: 8539bdaf2366603a34a9b2f034527ca13bb795c5
2017-06-24upstream commitdjm@openbsd.org
switch sshconnect.c from (slightly abused) select() to poll(); ok deraadt@ a while back Upstream-ID: efc1937fc591bbe70ac9e9542bb984f354c8c175
2017-06-24upstream commitdjm@openbsd.org
use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
2017-06-24upstream commitdjm@openbsd.org
no need to call log_init to reinitialise logged PID in child sessions, since we haven't called openlog() in log_init() since 1999; ok markus@ Upstream-ID: 0906e4002af5d83d3d544df75e1187c932a3cf2e
2017-06-24upstream commitmestre@openbsd.org
When using the escape sequence &~ the code path is client_loop() -> client_simple_escape_filter() -> process_escapes() -> fork() and the pledge for this path lacks the proc promise and therefore aborts the process. The solution is to just add proc the promise to this specific pledge. Reported by Gregoire Jadi gjadi ! omecha.info Insight with tb@, OK jca@ Upstream-ID: 63c05e30c28209519f476023b65b0b1b0387a05b
2017-06-24upstream commitdtucker@openbsd.org
Import regenerated moduli. Upstream-ID: b25bf747544265b39af74fe0716dc8d9f5b63b95
2017-06-24upstream commitdtucker@openbsd.org
Run the screen twice so we end up with more candidate groups. ok djm@ Upstream-ID: b92c93266d8234d493857bb822260dacf4366157
2017-06-16upstream commitdtucker@openbsd.org
Add user@host prefix to client's "Permisison denied" messages, useful in particular when using "stacked" connections where it's not clear which host is denying. bz#2720, ok djm@ markus@ Upstream-ID: de88e1e9dcb050c98e85377482d1287a9fe0d2be
2017-06-13upstream commitdjm@openbsd.org
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value. Reported by Denis Bider; ok markus@ Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c
2017-06-13upstream commitdjm@openbsd.org
missing prototype. Upstream-ID: f443d2be9910fd2165a0667956d03343c46f66c9
2017-06-10portability for sftp globbed ls sort by mtimeDamien Miller
Include replacement timespeccmp() for systems that lack it. Support time_t struct stat->st_mtime in addition to timespec stat->st_mtim, as well as unsorted fallback.
2017-06-10upstream commitdjm@openbsd.org
print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 ok dtucker@ Upstream-ID: c611f98a66302cea452ef10f13fff8cf0385242e
2017-06-10upstream commitdjm@openbsd.org
implement sorting for globbed ls; bz#2649 ok dtucker@ Upstream-ID: ed3110f351cc9703411bf847ba864041fb7216a8
2017-06-10upstream commitdjm@openbsd.org
return failure rather than fatal() for more cases during mux negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 ok dtucker@ Upstream-ID: d2a7892f464d434e1f615334a1c9d0cdb83b29ab
2017-06-10upstream commitdjm@openbsd.org
in description of public key authentication, mention that the server will send debug messages to the client for some error conditions after authentication has completed. bz#2709 ok dtucker Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
2017-06-10upstream commitdjm@openbsd.org
better translate libcrypto errors by looking deeper in the accursed error stack for codes that indicate the wrong passphrase was supplied for a PEM key. bz#2699 ok dtucker@ Upstream-ID: 4da4286326d570f4f0489459bb71f6297e54b681
2017-06-10upstream commitdtucker@openbsd.org
Add comments referring to the relevant RFC sections for rekeying behaviour. Upstream-ID: 6fc8e82485757a27633f9175ad00468f49a07d40
2017-06-09drop two more privileges in the Solaris sandboxDamien Miller
Drop PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO. Patch from huieying.lee AT oracle.com via bz#2723
2017-06-09Wrap stdint.h include in #ifdef.Darren Tucker
2017-06-08upstream commitdjm@openbsd.org
unbreak after sshv1 purge Upstream-Regress-ID: 8ea01a92d5f571b9fba88c1463a4254a7552d51b
2017-06-07upstream commitdtucker@openbsd.org
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@ Upstream-ID: 83a1903b95ec2e4ed100703debb4b4a313b01016
2017-06-07upstream commitdjm@openbsd.org
rationalise the long list of manual CDIAGFLAGS that we add; most of these were redundant to -Wall -Wextra Upstream-ID: ea80f445e819719ccdcb237022cacfac990fdc5c
2017-06-07upstream commitdjm@openbsd.org
no need to bzero allocated space now that we use use recallocarray; ok deraadt@ Upstream-ID: 53333c62ccf97de60b8cb570608c1ba5ca5803c8
2017-06-07upstream commitdjm@openbsd.org
unconditionally zero init size of buffer; ok markus@ deraadt@ Upstream-ID: 218963e846d8f26763ba25afe79294547b99da29
2017-06-01avoid compiler warningDamien Miller
2017-06-01upstream commitdjm@openbsd.org
some warnings spotted by clang; ok markus@ Upstream-ID: 24381d68ca249c5cee4388ceb0f383fa5b43991b