Age | Commit message (Collapse) | Author |
|
[session.c]
set stderr to /dev/null for subsystems rather than just closing it.
avoids hangs if a subsystem or shell initialisation writes to stderr.
bz#1750; ok markus@
|
|
[mux.c]
set "detach_close" flag when registering channel cleanup callbacks.
This causes the channel to close normally when its fds close and
hangs when terminating a mux slave using ~. bz#1758; ok markus@
|
|
- djm@cvs.openbsd.org 2010/04/23 01:47:41
[ssh-keygen.c]
bz#1740: display a more helpful error message when $HOME is
inaccessible while trying to create .ssh directory. Based on patch
from jchadima AT redhat.com; ok dtucker@
|
|
(closes: #579843).
|
|
|
|
textual changes in error output, it's only relevant for direct upgrades
from truly ancient versions, and it breaks upgrades if
/etc/ssh/ssh_host_key can't be loaded (closes: #579570).
|
|
alternatives exist (closes: #579285).
|
|
in the openssl install directory (some newer openssl versions do this on at
least some amd64 platforms).
|
|
file.
|
|
- djm@cvs.openbsd.org 2010/04/16 01:58:45
[regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for v01 certificate format
includes interop tests for v00 certs
|
|
[sshconnect.c]
oops, %r => remote username, not %u
|
|
[ssh-keygen.1 ssh-keygen.c]
tweak previous; ok djm
|
|
- jmc@cvs.openbsd.org 2010/04/16 06:45:01
[ssh_config.5]
tweak previous; ok djm
|
|
|
|
more carefully (thanks, Julien Cristau).
|
|
|
|
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
paths.
- Include a language tag when sending a protocol 2 disconnection
message.
- Make logging of certificates used for user authentication more clear
and consistent between CAs specified using TrustedUserCAKeys and
authorized_keys.
|
|
|
|
|
|
|
|
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:
move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
|
[ssh-pkcs11.c]
retry lookup for private key if there's no matching key with CKA_SIGN
attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)
ok djm@
|
|
[ssh_config.5 sshconnect.c]
expand %r => remote username in ssh_config:ProxyCommand;
ok deraadt markus
|
|
[mux.c]
fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au
|
|
[sshconnect2.c]
show the key type that we are offering in debug(), helps distinguish
between certs and plain keys as the path to the private key is usually
the same.
|
|
[clientloop.c]
bz#1698: kill channel when pty allocation requests fail. Fixed
stuck client if the server refuses pty allocation.
ok dtucker@ "think so" markus@
|
|
[sshconnect.c]
fix terminology: we didn't find a certificate in known_hosts, we found
a CA key
|
|
[ssh.c]
bz#1746 - suppress spurious tty warning when using -O and stdin
is not a tty; ok dtucker@ markus@
|
|
[ssh_config.5]
tweak previous; ok dtucker
|
|
[ssh.1]
tweak previous;
|
|
- djm@cvs.openbsd.org 2010/03/26 03:13:17
[bufaux.c]
allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer
argument to allow skipping past values in a buffer
|
|
|
|
back so we disable the IPv6 tests if we don't have it.
|
|
|
|
previous unofficial builds (closes: #231472).
|
|
utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
|
|
have it and the path is not provided to --with-libedit. Based on a patch
from Iain Morgan.
|
|
ones. Based on a patch from Roumen Petrov.
|
|
|
|
handling
|
|
with debhelper v3 anyway
|
|
|
|
|
|
installed, the host key is published in an SSHFP RR secured with DNSSEC,
and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
verification (closes: #572049).
|
|
|
|
|
|
- Add a Homepage field.
|
|
introduced to match the behaviour of non-free SSH, in which -q does not
suppress fatal errors, but matching the behaviour of OpenSSH upstream is
much more important nowadays. We no longer document that -q does not
suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to
"LogLevel QUIET" in sshd_config on upgrade.
|
|
the two patchlevel nybbles now, which is sufficient to address the
original reason this change was introduced, and it appears that any
change in the major/minor/fix nybbles would involve a new libssl package
name. (We'd still lose if the status nybble were ever changed, but that
would mean somebody had packaged a development/beta version rather than
a proper release, which doesn't appear to be normal practice.)
|
|
itself non-OOM-killable, and doesn't require configuration to avoid log
spam in virtualisation containers (closes: #555625).
|