summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-01-25upstream: when AddKeysToAgent=yes is set and the key contains nodjm@openbsd.org
comment, add the key to the agent with the key's path as the comment. bz2564 OpenBSD-Commit-ID: 8dd8ca9340d7017631a27f4ed5358a4cfddec16f
2020-01-25upstream: group14-sha1 is no longer a default algorithmtedu@openbsd.org
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
2020-01-25upstream: reword HashKnownHosts description a little more; somedjm@openbsd.org
people found the wording confusing (bz#2560) OpenBSD-Commit-ID: ac30896598694f07d498828690aecd424c496988
2020-01-25upstream: weaken the language for what HashKnownHosts provides withdjm@openbsd.org
regards to known_hosts name privacy, it's not practical for this option to offer any guarantee that hostnames cannot be recovered from a disclosed known_hosts file (e.g. by brute force). OpenBSD-Commit-ID: 13f1e3285f8acf7244e9770074296bcf446c6972
2020-01-25upstream: the GatewayPorts vs -R listen address selection logic isdjm@openbsd.org
still confusing people, so add another comment explaining the special handling of "localhost"; bz#3258 OpenBSD-Commit-ID: e6bf0f0fbf1c7092bf0dbd9c6eab105970b5b53a
2020-01-25upstream: mention that permitopen=/PermitOpen do no name to addressdjm@openbsd.org
translation; prompted by bz3099 OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
2020-01-25include tunnel device path in error messageDamien Miller
2020-01-25upstream: unrevert this:djm@openbsd.org
> revision 1.217 > date: 2019/11/27 03:34:04; author: dtucker; state: Exp; lines: +5 -7; commitid: wkiMn49XJyjzoJIs; > Make channel_id u_int32_t and remove unnecessary check and cast that were > left over from the type conversion. Noted by t-hashida@amiya.co.jp in > bz#3098, ok markus@ djm@ Darren was right the first time; ok dtucker@ "agreed" markus@ OpenBSD-Commit-ID: 641dd1b99a6bbd85b7160da462ae1be83432c7c8
2020-01-25upstream: Move setting $NC into test-exec since it's now used bydtucker@openbsd.org
multiple tests, and in -portable we use our own local copy to avoid portability problems. OpenBSD-Regress-ID: ceb78445fcaac317bec2fc51b3f0d9589048c114
2020-01-25Put EC key export inside OPENSSL_HAS_ECC.Darren Tucker
Fixes link error when building against an OpenSSL that does not have ECC.
2020-01-25upstream: Wait a bit longer for the multiplex master to become readydtucker@openbsd.org
since on very slow hosts the current delay is not sufficient and the test will fail. OpenBSD-Regress-ID: 6d90c7475d67ac3a95610b64af700629ece51a48
2020-01-25upstream: Add a connection test for proxycommand. This would havedtucker@openbsd.org
caught the problem caused by ssh.c rev 1.507 wherein Host and Hostname were swapped. Prompted by beck@ OpenBSD-Regress-ID: d218500ae6aca4c479c27318fb5b09ebc00f7aae
2020-01-25upstream: set UpdateKnownHosts=ask by default; bz#2894; okdjm@openbsd.org
markus@ OpenBSD-Commit-ID: f09cb3177f3a14c96428e14f347e976a8a531fee
2020-01-25upstream: allow UpdateKnownHosts=yes to function when multipledjm@openbsd.org
known_hosts files are in use. When updating host keys, ssh will now search subsequent known_hosts files, but will add new/changed host keys to the first specified file only. bz#2738 ok markus@ OpenBSD-Commit-ID: 6ded6d878a03e57d5aa20bab9c31f92e929dbc6c
2020-01-25upstream: process security key provider via realpath() in agent,djm@openbsd.org
avoids malicious client from being able to cause agent to load arbitrary libraries into ssh-sk-helper. reported by puck AT puckipedia.com; ok markus OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
2020-01-25upstream: expose PKCS#11 key labels/X.509 subjects as commentsdjm@openbsd.org
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on https://github.com/openssh/openssh-portable/pull/138 by Danielle Church feedback and ok markus@ OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
2020-01-25upstream: tweak proctitle to include sshd arguments, as these aredjm@openbsd.org
frequently used to distinguish between multiple independent instances of the server. New proctitle looks like this: $ pgrep -lf sshd 12844 sshd: /usr/sbin/sshd -f /etc/ssh/sshd_config [listener] 0 of 10-100 startups requested by sthen@ and aja@; ok aja@ OpenBSD-Commit-ID: cf235a561c655a3524a82003cf7244ecb48ccc1e
2020-01-25upstream: add xextendf() to extend a string with a formatdjm@openbsd.org
(reallocating as necessary). ok aja@ as part of a larger diff OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9
2020-01-25upstream: minor tweaks to ssh-keygen -Y find-principals:djm@openbsd.org
emit matched principals one per line to stdout rather than as comma- separated and with a free-text preamble (easy confusion opportunity) emit "not found" error to stderr fix up argument testing for -Y operations and improve error message for unsupported operations OpenBSD-Commit-ID: 3d9c9a671ab07fc04a48f543edfa85eae77da69c
2020-01-25upstream: remove ssh-rsa (SHA1) from the list of allowed CAdjm@openbsd.org
signature algorithms ok markus OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
2020-01-25upstream: when signing a certificate with an RSA key, default todjm@openbsd.org
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by the user; ok markus@ OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
2020-01-25upstream: allow PEM export of DSA and ECDSA keys; bz3091, patchdjm@openbsd.org
from Jakub Jelen ok markus@ OpenBSD-Commit-ID: a58edec8b9f07acab4b962a71a5125830d321b51
2020-01-25upstream: ssh-keygen -Y find-principals fixes based on feedbackdjm@openbsd.org
from Markus: use "principals" instead of principal, as allowed_signers lines may list multiple. When the signing key is a certificate, emit only principals that match the certificate principal list. NB. the command -Y name changes: "find-principal" => "find-principals" ok markus@ OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
2020-01-24upstream: Do not warn about permissions on symlinks.dtucker@openbsd.org
OpenBSD-Regress-ID: 339d4cbae224bd8743ffad9c3afb0cf3cb66c357
2020-01-23upstream: Handle zlib compression being disabled now that it'sdtucker@openbsd.org
optional. OpenBSD-Regress-ID: 0af4fbc5168e62f89d0350de524bff1cb00e707a
2020-01-23upstream: Fix typo in comment.dtucker@openbsd.org
OpenBSD-Commit-ID: d1d7a6553208bf439378fd1cf686a828aceb353a
2020-01-23upstream: When checking for unsafe directories, ignore non-directoriesdtucker@openbsd.org
(ie symlinks, where permissions are not relevant). OpenBSD-Regress-ID: fb6cfc8b022becb62b2dcb99ed3f072b3326e501
2020-01-23zlib is now optional.Darren Tucker
2020-01-23Plumb WITH_ZLIB into configure.Darren Tucker
This allows zlib support to be disabled by ./configure --without-zlib.
2020-01-23upstream: Make zlib optional. This adds a "ZLIB" build time optiondtucker@openbsd.org
that allows building without zlib compression and associated options. With feedback from markus@, ok djm@ OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
2020-01-23upstream: remove trailing period characters from pub/priv keydjm@openbsd.org
pathnames - they make them needlessly more difficult to cut and paste without error; ok markus@ & dtucker@ OpenBSD-Commit-ID: abdcfd1a5723fcac0711feee7665edc66ae2335a
2020-01-23Fix a couple of mysig_t leftovers.Darren Tucker
2020-01-23Remove mysignal wrapper.Darren Tucker
We switched the main code to use sigaction(), so the wrapper is no longer used.
2020-01-23upstream: new sentence, new line;jmc@openbsd.org
OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925
2020-01-23upstream: Replace all calls to signal(2) with a wrapper arounddtucker@openbsd.org
sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23upstream: missing header change from previous; spotted by dtucker@djm@openbsd.org
OpenBSD-Commit-ID: 321ce74c0a5bbd0f02fa3f20cb5cf2a952c6b96f
2020-01-23upstream: Check for and warn about StrictModes permission problems. ok tb@dtucker@openbsd.org
OpenBSD-Regress-ID: 4841704ccdee50ee7efc6035bc686695c6ac2991
2020-01-23upstream: Also test PuTTY chacha20.dtucker@openbsd.org
OpenBSD-Regress-ID: 7af6a0e8763b05f1f8eee6bca5f31fcb16151040
2020-01-23upstream: Also test PuTTY ecdh kex methods.dtucker@openbsd.org
OpenBSD-Regress-ID: ec4017dce612131842398a03e93007a869c2c133
2020-01-23upstream: Remove unsupported algorithms from list of defaults at rundtucker@openbsd.org
time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
2020-01-23upstream: add a new signature operations "find-principal" to lookdjm@openbsd.org
up the principal associated with a signature from an allowed-signers file. Work by Sebastian Kinne; ok dtucker@ OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d
2020-01-23upstream: Ignore whitespace when checking explict fingerprint.dtucker@openbsd.org
When confirming a host key using the fingerprint itself, ignore leading and trailing whitespace. ok deraadt@ djm@ OpenBSD-Commit-ID: cafd7f803bbdcd40c3a8f8f1a77747e6b6d8c011
2020-01-22upstream: Increase keyscan timeout from default. On slow hosts 3dtucker@openbsd.org
concurrent keyscans can hit the default 5 second timeout, so increase to 15 seconds. OpenBSD-Regress-ID: 16383dec166af369b7fb9948572856f5d544c93f
2020-01-22upstream: remove diffie-hellman-group14-sha1 from default kex totedu@openbsd.org
see what happens. general mostly ok OpenBSD-Commit-ID: 216b7b8462d2ef5f4531f26cb2cb839b2153dad9
2020-01-22upstream: For ssh-keygen -lF only add a space after key fingerprintclaudio@openbsd.org
when there is a comment. This makes copy-paste of fingerprints into ssh easier. OK djm@ OpenBSD-Commit-ID: fa01d95624f65c1eb4dc7c575d20d77c78010dfd
2020-01-22upstream: some __func__ and strerror(errno) here; no functionaldjm@openbsd.org
change OpenBSD-Commit-ID: 6c3ddd5f848b99ea560b31d3fba99ceed66cef37
2020-01-22upstream: factor out parsing of allowed-signers linesdjm@openbsd.org
OpenBSD-Commit-ID: 85ee6aeff608371826019ea85e55bfa87f79d06e
2020-01-22unbreak fuzzer support for recent ssh-sk.h changesDamien Miller
2020-01-22upstream: expose the number of currently-authenticating connectionsdjm@openbsd.org
along with the MaxStartups limit in the proctitle; suggestion from Philipp Marek, w/ feedback from Craig Miskell ok dtucker@ OpenBSD-Commit-ID: a4a6db2dc1641a5df8eddf7d6652176e359dffb3
2020-01-22upstream: document the default value of the ControlPersist option;naddy@openbsd.org
ok dtucker@ djm@ OpenBSD-Commit-ID: 0788e7f2b5a9d4e36d3d2ab378f73329320fef66