summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-07-20upstream commitdjm@openbsd.org
skip uninitialised PKCS#11 slots; patch from Jakub Jelen in bz#2427 ok markus@ Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
2015-07-20upstream commitdjm@openbsd.org
only query each keyboard-interactive device once per authentication request regardless of how many times it is listed; ok markus@ Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
2015-07-17upstream commitdjm@openbsd.org
remove -u flag to diff (only used for error output) to make things easier for -portable Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
2015-07-17upstream commitdjm@openbsd.org
direct-streamlocal@openssh.com Unix domain foward messages do not contain a "reserved for future use" field and in fact, serverloop.c checks that there isn't one. Remove erroneous mention from PROTOCOL description. bz#2421 from Daniel Black Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
2015-07-17upstream commitdjm@openbsd.org
describe magic for setting up Unix domain socket fowards via the mux channel; bz#2422 patch from Daniel Black Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
2015-07-17Check if realpath works on nonexistent files.Darren Tucker
On some platforms the native realpath doesn't work with non-existent files (this is actually specified in some versions of POSIX), however the sftp spec says its realpath with "canonicalize any given path name". On those platforms, use realpath from the compat library. In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines the realpath symbol to the checked version, so redefine ours to something else so we pick up the compat version we want. bz#2428, ok djm@
2015-07-17upstream commitdjm@openbsd.org
fix incorrect test for SSH1 keys when compiled without SSH1 support Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
2015-07-15upstream commitdjm@openbsd.org
fix NULL-deref when SSH1 reenabled Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
2015-07-15upstream commitdjm@openbsd.org
regen RSA1 test keys; the last batch was missing their private parts Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
2015-07-15upstream commitmarkus@openbsd.org
Adapt tests, now that DSA if off by default; use PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA. Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
2015-07-15upstream commitmarkus@openbsd.org
regen test data after mktestdata.sh changes Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
2015-07-15upstream commitmarkus@openbsd.org
adapt tests to new minimum RSA size and default FP format Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
2015-07-15upstream commitdjm@openbsd.org
legacy v00 certificates are gone; adapt and don't try to test them; "sure" markus@ dtucker@ Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
2015-07-15upstream commitdjm@openbsd.org
don't expect SSH v.1 in unittests Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
2015-07-15upstream commitdjm@openbsd.org
turn SSH1 back on to match src/usr.bin/ssh being tested Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
2015-07-15upstream commitdtucker@openbsd.org
Add "PuTTY_Local:" to the clients to which we do not offer DH-GEX. This was the string that was used for development versions prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately there are some extant products based on those versions. bx2424 from Jay Rouman, ok markus@ djm@ Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
2015-07-15upstream commitmarkus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15upstream commitmarkus@openbsd.org
re-enable ed25519-certs if compiled w/o openssl; ok djm Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
2015-07-15upstream commitmarkus@openbsd.org
no need to include the old buffer/key API Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
2015-07-15upstream commitmarkus@openbsd.org
typedefs for Cipher&CipherContext are unused Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
2015-07-15upstream commitmarkus@openbsd.org
xmalloc.h is unused Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
2015-07-15upstream commitmarkus@openbsd.org
compress.c is gone Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
2015-07-15upstream commitdjm@openbsd.org
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed cranking Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
2015-07-15upstream commitdjm@openbsd.org
add an XXX reminder for getting correct key paths from sshd_config Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
2015-07-15upstream commitdjm@openbsd.org
refuse to generate or accept RSA keys smaller than 1024 bits; feedback and ok dtucker@ Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15upstream commitdjm@openbsd.org
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@ Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
2015-07-15upstream commitdjm@openbsd.org
delete support for legacy v00 certificates; "sure" markus@ dtucker@ Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
2015-07-15upstream commitdjm@openbsd.org
Compile-time disable SSH v.1 again Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
2015-07-15upstream commitdjm@openbsd.org
twiddle PermitRootLogin back Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
2015-07-01upstream commitdjm@openbsd.org
twiddle; (this commit marks the openssh-6.9 release) Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
2015-07-01upstream commitdjm@openbsd.org
better refuse ForwardX11Trusted=no connections attempted after ForwardX11Timeout expires; reported by Jann Horn Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
2015-07-01upstream commitdjm@openbsd.org
put back default PermitRootLogin=no Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
2015-07-01upstream commitdjm@openbsd.org
openssh-6.9 Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
2015-07-01upstream commitdjm@openbsd.org
reset default PermitRootLogin to 'yes' (momentarily, for release) Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
2015-07-01crank version numbers for releaseDamien Miller
2015-07-01s/--with-ssh1/--without-ssh1/Damien Miller
2015-06-30upstream commitdjm@openbsd.org
fatal() when a remote window update causes the window value to overflow. Reported by Georg Wicherski, ok markus@ Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
2015-06-30upstream commitdjm@openbsd.org
Fix math error in remote window calculations that causes eventual stalls for datagram channels. Reported by Georg Wicherski, ok markus@ Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
2015-06-30skip IPv6-related portions on hosts without IPv6Damien Miller
with Tim Rice
2015-06-30upstream commitdjm@openbsd.org
add getpid to sandbox, reachable by grace_alarm_handler reported by Jakub Jelen; bz#2419 Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
2015-06-27upstream commitdjm@openbsd.org
Fix \-escaping bug that caused forward path parsing to skip two characters and skip past the end of the string. Based on patch by Salvador Fandino; ok dtucker@ Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
2015-06-25add missing pselect6Damien Miller
patch from Jakub Jelen
2015-06-25upstream commitdjm@openbsd.org
correct test to sshkey_sign(); spotted by Albert S. Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
2015-06-25upstream commitdtucker@openbsd.org
Revert previous commit. We still want to call setgroups in the case where there are zero groups to remove any that we might otherwise inherit (as pointed out by grawity at gmail.com) and since the 2nd argument to setgroups is always a static global it's always valid to dereference in this case. ok deraadt@ djm@ Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
2015-06-25upstream commitdtucker@openbsd.org
Revert previous commit. We still want to call setgroups in the case where there are zero groups to remove any that we might otherwise inherit (as pointed out by grawity at gmail.com) and since the 2nd argument to setgroups is always a static global it's always valid to dereference in this case. ok deraadt@ djm@ Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
2015-06-23upstream commitdjm@openbsd.org
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@ Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
2015-06-23upstream commitdtucker@openbsd.org
Don't call setgroups if we have zero groups; there's no guarantee that it won't try to deref the pointer. Based on a patch from mail at quitesimple.org, ok djm deraadt Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
2015-06-18fix syntax errorDamien Miller
2015-06-17upstream commitjsing@openbsd.org
If AuthorizedPrincipalsCommand is specified, however AuthorizedPrincipalsFile is not (or is set to "none"), authentication will potentially fail due to key_cert_check_authority() failing to locate a principal that matches the username, even though an authorized principal has already been matched in the output of the subprocess. Fix this by using the same logic to determine if pw->pw_name should be passed, as is used to determine if a authorized principal must be matched earlier on. ok djm@ Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
2015-06-17upstream commitjsing@openbsd.org
Make the arguments to match_principals_command() similar to match_principals_file(), by changing the last argument a struct sshkey_cert * and dereferencing key->cert in the caller. No functional change. ok djm@ Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c