| Age | Commit message (Collapse) | Author |
|---|
|
Remove deprecated SSH1 options RSAAuthentication and
RhostsRSAAuthentication from regression test sshd_config.
Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
|
|
Do not show rsa1 key type in usage when compiled without
SSH1 support.
Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
|
|
ifdef out "rsa1" from the list of supported keytypes when
compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@
Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
|
|
For ProxyJump/-J, surround host name with brackets to
allow literal IPv6 addresses. From Dick Visser; ok dtucker@
Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
|
|
Fix memory leaks in match_filter_list() error paths.
ok dtucker@ markus@
Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
|
|
fix division by zero crash in "df" output when server
returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok
dtucker@
Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
|
|
EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out
for the benefit of OpenSSL versions prior to that.
|
|
bring back r1.34 that was backed out for problems loading
public keys:
translate OpenSSL error codes to something more
meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
with additional fix from Jakub Jelen to solve the backout.
bz#2525 bz#2523 re-ok dtucker@
Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
|
|
Sanitise escape sequences in key comments sent to printf
but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
|
|
Avoid printf %s NULL. From semarie@, OK djm@
Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
|
|
Restore \r\n newline sequence for server ident string. The CR
got lost in the flensing of SSHv1. Pointed out by Stef Bon
Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
|
|
unit test for match_filter_list() function; still want a
better name for this...
Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
|
|
use ssh_packet_set_log_preamble() to include connection
username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
|
|
add ssh_packet_set_log_preamble() to allow inclusion of a
preamble string in disconnect messages; ok markus@
Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
|
|
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@
Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
|
|
allow form-feed characters at EOL; bz#2431 ok dtucker@
Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
|
|
Should fix bz#2603 - "Build with ldns and without kerberos support
fails if ldns compiled with kerberos support" by including correct
cflags/libs
ok dtucker@
|
|
Make ssh_packet_set_rekey_limits take u32 for the number of
seconds until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned comparison
warning.
rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).
some early guidance deraadt@, ok djm@
Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
|
|
In vasnmprintf() return an error if malloc fails and
don't set a function argument to the address of free'd memory.
ok djm@
Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779
|
|
Return true reason for port forwarding failures where
feasible rather than always "administratively prohibited". bz#2674, ok djm@
Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
|
|
Small correction to the known_hosts section on when it is
updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
sdf.org
Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
|
|
Having _XOPEN_SOURCE unconditionally causes problems on some platforms
and configurations, notably Solaris 64-bit binaries. It was there for
the benefit of Linux put the required bits in the *-*linux* section.
Patch from yvoinov at gmail.com.
|
|
fully unbreak: some $SSH invocations did not have -F
specified and could pick up the ~/.ssh/config of the user running the tests
Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89
|
|
partially unbreak: was not specifying hostname on some
$SSH invocations
Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc
|
|
revise keys/principals command hang fix (bz#2655) to
consume entire output, avoiding sending SIGPIPE to subprocesses early; ok
dtucker@
Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
|
|
small cleanup post SSHv1 removal:
remove SSHv1-isms in commented examples
reorder token table to group deprecated and compile-time conditional tokens
better
fix config dumping code for some compile-time conditional options that
weren't being correctly skipped (SSHv1 and PKCS#11)
Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
|
|
some explicit NULL tests when dumping configured
forwardings; from Karsten Weiss
Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
|
|
misplaced braces in test; from Karsten Weiss
Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae
|
|
don't dereference authctxt before testing != NULL, it
causes compilers to make assumptions; from Karsten Weiss
Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
|
|
use correct ssh-add program; bz#2654, from Colin Watson
Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030
|
|
Account for timeouts in the integrity tests as failures.
If the first test in a series for a given MAC happens to modify the low
bytes of a packet length, then ssh will time out and this will be
interpreted as a test failure. Patch from cjwatson at debian.org via
bz#2658.
Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
|
|
Make forwarding test less racy by using unix domain
sockets instead of TCP ports where possible. Patch from cjwatson at
debian.org via bz#2659.
Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
|
|
Fix typo in ~C error message for bad port forward
cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's
bugtracker.
Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
|
|
The POSIX APIs that that sockaddrs all ignore the s*_len
field in the incoming socket, so userspace doesn't need to set it unless it
has its own reasons for tracking the size along with the sockaddr.
ok phessler@ deraadt@ florian@
Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
|
|
keep the tokens list sorted;
Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
|
|
fix previous
Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
|
|
show a useful error message when included config files
can't be opened; bz#2653, ok dtucker@
Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
|
|
sshd_config is documented to set
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
bz#2637 ok dtucker
Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
|
|
Avoid confusing error message when attempting to use
ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583
Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
|
|
Re-add '%k' token for AuthorizedKeysCommand which was
lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
|
|
unbreak Unix domain socket forwarding for root; ok
markus@
Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
|
|
introduced in 1:7.4p1-1; closes: #852781).
|
|
|
|
|
|
#819361).
|
|
The client no longer accepts DSA host keys, and servers using the
default HostKey setting should have better host keys available.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug-Debian: https://bugs.debian.org/850614
Last-Update: 2017-01-16
Patch-Name: no-dsa-host-key-by-default.patch
|
|
On Linux x32, the clock_gettime VDSO currently falls back to the x86-64
syscall, so allow that as well as its x32 sibling.
Bug-Debian: https://bugs.debian.org/849923
Forwarded: no
Last-Update: 2017-01-03
Patch-Name: sandbox-x32-workaround.patch
|
|
In some setups, creating the socket under OBJ may result in a path that
is too long for a Unix domain socket. Add a helper to let us portably
create a temporary directory instead.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2660
Last-Update: 2017-01-03
Patch-Name: regress-mktemp.patch
|
|
The forwarding tests sometimes seem to fail in a way that suggests ports
are in use even though they shouldn't be. Convert more of them to use a
mux socket rather than relying on sleeps in the hope that that makes
behaviour more consistent.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2659
Patch-Name: regress-forwarding-race.patch
Last-Update: 2017-01-02
|
|
If the first test in a series for a given MAC happens to modify the low
bytes of a packet length, then ssh will time out and this will be
interpreted as a test failure. Handle this failure mode.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
Patch-Name: regress-integrity-robust.patch
Last-Update: 2017-01-01
|
