summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-04-20 - djm@cvs.openbsd.org 2014/03/26 04:55:35Damien Miller
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c [misc.h poly1305.h ssh-pkcs11.c] use __bounded(...) attribute recently added to sys/cdefs.h instead of longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clang
2014-04-20Three commits in one (since they touch the same heavily-diverged fileDamien Miller
repeatedly): - markus@cvs.openbsd.org 2014/03/25 09:40:03 [myproposal.h] trimm default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 [myproposal.h] The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. - markus@cvs.openbsd.org 2014/03/27 23:01:27 [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 - tedu@cvs.openbsd.org 2014/03/19 14:42:44Damien Miller
[scp.1] there is no need for rcp anymore ok deraadt millert
2014-04-20 - tedu@cvs.openbsd.org 2014/03/17 19:44:10Damien Miller
[ssh.1] old descriptions of des and blowfish are old. maybe ok deraadt
2014-04-20 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26Damien Miller
[ssh-agent.c ssh-keygen.1 ssh-keygen.c] Improve usage() and documentation towards the standard form. In particular, this line saves a lot of man page reading time. usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile] ok schwarze jmc
2014-04-20 - naddy@cvs.openbsd.org 2014/03/12 13:06:59Damien Miller
[ssh-keyscan.1] scan for Ed25519 keys by default too
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:51:12Damien Miller
[authfile.c] correct test that kdf name is not "none" or "bcrypt"
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:50:32Damien Miller
[auth-bsdauth.c ssh-keygen.c] don't count on things that accept arguments by reference to clear things for us on error; most things do, but it's unsafe form.
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:44:58Damien Miller
[ssh-keyscan.c] scan for Ed25519 keys by default too
2014-04-20 - djm@cvs.openbsd.org 2014/03/03 22:22:30Damien Miller
[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@ Id sync only - portable already has this.
2014-04-01 - (djm) Use full release (e.g. 6.5p1) in debug output rather than justDamien Miller
version. From des@des.no
2014-04-01 - (djm) On platforms that support it, use prctl() to prevent sftp-serverDamien Miller
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
2014-03-17 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX toDamien Miller
remind myself to add sandbox violation logging via the log socket.
2014-03-1420140314Tim Rice
- (tim) [opensshd.init.in] Add support for ed25519
2014-03-13 - (djm) Release OpenSSH 6.6Damien Miller
2014-03-04 - djm@cvs.openbsd.org 2014/03/03 22:22:30Damien Miller
[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@
2014-03-02 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks whenDamien Miller
no moduli file exists at the expected location.
2014-02-28 - (djm) [regress/host-expand.sh] Add RCS IdDamien Miller
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 21:21:25Damien Miller
[agent-ptrace.sh agent.sh] keep return values that are printed in error messages; from portable (Id sync only)
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 20:04:16Damien Miller
[login-timeout.sh] remove any existing LoginGraceTime from sshd_config before adding a specific one for the test back in
2014-02-28 - djm@cvs.openbsd.org 2014/01/26 10:49:17Damien Miller
[scp-ssh-wrapper.sh scp.sh] make sure $SCP is tested on the remote end rather than whichever one happens to be in $PATH; from portable (Id sync only)
2014-02-28 - djm@cvs.openbsd.org 2014/01/26 10:22:10Damien Miller
[regress/cert-hostkey.sh] automatically generate revoked keys from listed keys rather than manually specifying each type; from portable (Id sync only)
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/25 04:35:32Damien Miller
[regress/Makefile regress/dhgex.sh] Add a test for DH GEX sizes
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/20 00:00:30Damien Miller
[sftp-chroot.sh] append to rather than truncating the log file
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/19 23:43:02Damien Miller
[regress/sftp-chroot.sh] Don't use -q on sftp as it suppresses logging, instead redirect the output to the regress logfile.
2014-02-28 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 22:57:40Damien Miller
[version.h] openssh-6.6
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 22:47:07Damien Miller
[sshd_config.5] bz#2184 clarify behaviour of a keyword that appears in multiple matching Match blocks; ok dtucker@
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 08:25:09Damien Miller
[bufbn.c] off by one in range check
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 00:41:49Damien Miller
[bufbn.c] fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@
2014-02-27 - markus@cvs.openbsd.org 2014/02/26 21:53:37Damien Miller
[sshd.c] ssh_gssapi_prepare_supported_oids needs GSSAPI
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:29:29Damien Miller
[channels.c] don't assume that the socks4 username is \0 terminated; spotted by Ben Hawkes; ok markus@
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:28:44Damien Miller
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c] bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep sandboxing, as running this code in the sandbox can cause violations; ok markus@
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:18:37Damien Miller
[ssh.c] bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:03:42Damien Miller
[ssh-ed25519.c] check for unsigned overflow; not reachable in OpenSSH but others might copy our code...
2014-02-24 - djm@cvs.openbsd.org 2014/02/22 01:32:19Damien Miller
[readconf.c] when processing Match blocks, skip 'exec' clauses if previous predicates failed to match; ok markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/15 23:05:36Damien Miller
[channels.c] avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W; bz#2200, debian#738692 via Colin Watson; ok dtucker@
2014-02-24 - djm@cvs.openbsd.org 2014/02/07 06:55:54Damien Miller
[cipher.c mac.c] remove some logging that makes ssh debugging output very verbose; ok markus
2014-02-2120140221Tim Rice
- (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.
2014-02-13 - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compatDarren Tucker
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
2014-02-07 - djm@cvs.openbsd.org 2014/02/06 22:21:01Damien Miller
[sshconnect.c] in ssh_create_socket(), only do the getaddrinfo for BindAddress when BindAddress is actually specified. Fixes regression in 6.5 for UsePrivilegedPort=yes; patch from Corinna Vinschen
2014-02-07 - naddy@cvs.openbsd.org 2014/02/05 20:13:25Damien Miller
[ssh-keygen.1 ssh-keygen.c] tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@ while here, fix ordering in usage(); requested by jmc@
2014-02-06 - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures defineDamien Miller
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-02-06 - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULLDarren Tucker
before freeing since free(NULL) is a no-op. ok djm.
2014-02-05 - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered byDamien Miller
headers/libc but not supported by the kernel. Patch from Loganaden Velvindron @ AfriNIC
2014-02-04 - (djm) [regress/setuid-allowed.c] Missing string.h for strerror()Damien Miller
2014-02-04 - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.oDamien Miller
2014-02-04 - djm@cvs.openbsd.org 2014/02/04 00:24:29Damien Miller
[ssh.c] delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@
2014-02-04 - djm@cvs.openbsd.org 2014/02/04 00:24:29Damien Miller
[ssh.c] delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@