Age | Commit message | Author |
|
[regress/unittests/sshkey/mktestdata.sh]
Sign test certs with ed25519 instead of ecdsa so that they'll work in
-portable on platforms that don't have ECDSA in their OpenSSL. ok djm
|
|
[regress/multiplex.sh]
change the test for still-open Unix domain sockets to be robust against
nc implementations that produce error messages. from -portable
(Id sync only)
|
|
[umac.c]
Convert from <sys/endian.h> to the shiny new <endian.h>
ok dtucker@, who also confirmed that -portable handles this already
(ID sync only, includes.h pulls in endian.h if available.)
|
|
[key.c]
Prevent spam from key_load_private_pem during hostbased auth. ok djm@
|
|
specific tests inside OPENSSL_HAS_ECC.
|
|
domain sockets to be robust against nc implementations that produce
error messages.
|
|
put it back
|
|
OPENSSL_HAS_ECC.
|
|
|
|
[forwarding.sh multiplex.sh]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
{common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
ifdefs.
|
|
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
|
|
in servconf.h.
|
|
|
|
tests.
|
|
in servconf.h.
|
|
[ssh-agent.c]
restore umask around listener socket creation (dropped in streamlocal patch
merge)
|
|
[mux.c ssh.c]
reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
previously we were always returning 0. bz#2255 reported by Brendan
Germain; ok dtucker
|
|
[key.c]
silence "incorrect passphrase" error spam; reported and ok dtucker@
|
|
[mux.c]
preserve errno across syscall
|
|
[sandbox-systrace.c]
ifdef SYS_sendsyslog so this will compile without patching on -stable
|
|
[ssh.1]
add the streamlocal* options to ssh's -o list; millert says they're
irrelevant for scp/sftp;
ok markus millert
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[myproposal.h]
by popular demand, add back hmac-sha1 to server proposal for better compat
with many clients still in use. ok deraadt
|
|
[sandbox-systrace.c]
Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
update your kernels and sshd soon.. libc will start using sendsyslog()
in about 4 days.
|
|
Reported by Petr Lautrbach.
|
|
has been located; fixes builds against libressl-portable
|
|
- benno@cvs.openbsd.org 2014/07/09 14:15:56
[ssh-add.c]
fix ssh-add crash while loading more than one key
ok markus@
|
|
[multiplex.sh]
remove forced-fatal that I stuck in there to test the new cleanup
logic and forgot to remove...
|
|
[multiplex.sh test-exec.sh]
add a hook to the cleanup() function to kill $SSH_PID if it is set
use it to kill the mux master started in multiplex.sh (it was being left
around on fatal failures)
|
|
[key.c]
downgrade more error() to debug() to better match what old authfile.c
did; suppresses spurious errors with hostbased authentication enabled
|
|
[sftp.c]
more useful error message when GLOB_NOSPACE occurs;
bz#2254, patch from Orion Poplawski
|
|
[ssh_config.5]
mention that ProxyCommand is executed using shell "exec" to avoid
a lingering process; bz#1977
|
|
[channels.c]
fix remote-forward cancel regression; ok markus@
|
|
[authfile.h]
remove leakmalloc droppings
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
|
|
[channels.c]
allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
GatewayPorts=no; allows client to choose address family;
bz#2222 ok markus@
|
|
[sshconnect.c]
when rekeying, skip file/DNS lookup if it is the same as the key sent
during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
|
|
[cipher-chachapoly.c]
Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
makes it easier to verify that chacha_encrypt_bytes() is only called once
per chacha_ivsetup() call.
ok djm@
|
|
[auth.c auth.h auth1.c auth2.c]
make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker
|
|
[ssh_config.5]
escape %C since groff thinks it part of an Rs/Re block;
|
|
[ssh.c ssh_config.5]
Add a %C escape sequence for LocalCommand and ControlPath that expands
to a unique identifier based on a hash of the tuple of (local host,
remote user, hostname, port).
Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
control paths.
bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
|
|
[ssh.1]
document that -g will only work in the multiplexed case if applied to
the mux master
|
|
[ssh_config.5]
mention '%%' escape sequence in HostName directives and how it may
be used to specify IPv6 link-local addresses
|
|
[digest.h]
forward-declare struct sshbuf so consumers don't need to include sshbuf.h
|
|
[ssh-keygen.c]
When hashing or removing hosts using ssh-keygen, don't choke on
@revoked markers and don't remove @cert-authority markers;
bz#2241, reported by mlindgren AT runelind.net
|
|
[gss-serv.c session.c ssh-keygen.c]
standardise on NI_MAXHOST for gethostname() string lengths; about
1/2 the cases were using it already. Fixes bz#2239 en passant
|
|
[digest-openssl.c]
use EVP_Digest() for one-shot hash instead of creating, updating,
finalising and destroying a context.
bz#2231, based on patch from Timo Teras
|
|
[ssh-add.c]
make stdout line-buffered; saves partial output getting lost when
ssh-add fatal()s part-way through (e.g. when listing keys from an
agent that supports key types that ssh-add doesn't);
bz#2234, reported by Phil Pennock
|
|
[ssh-agent.c]
Only cleanup agent socket in the main agent process and not in any
subprocesses it may have started (e.g. forked askpass). Fixes
agent sockets being zapped when askpass processes fatal();
bz#2236 patch from Dmitry V. Levin
|