Age | Commit message | Author
2015-01-14 | upstream commit | djm@openbsd.org
sync changes from libopenssh; prepared by markus@ mostly debug output tweaks, a couple of error return value changes and some other minor stuff
2015-01-13 | add --without-ssh1 option to configure | Damien Miller
Allows disabling support for SSH protocol 1.
2015-01-13 | upstream commit | djm@openbsd.org
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
2015-01-13 | upstream commit | markus@openbsd.org
unbreak parsing of pubkey comments; with gerhard; ok djm/deraadt
2015-01-13 | upstream commit | markus@openbsd.org
missing error assignment on sshbuf_put_string()
2015-01-13 | upstream commit | djm@openbsd.org
apparently memcpy(x, NULL, 0) is undefined behaviour according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls when length==0; ok markus@
2015-01-13 | upstream commit | markus@openbsd.org
free->sshkey_free; ok djm@
2015-01-13 | upstream commit | markus@openbsd.org
allow WITH_OPENSSL w/o WITH_SSH1; ok djm@
2015-01-09 | upstream commit | djm@openbsd.org
adjust for sshkey_load_file() API change
2015-01-09 | upstream commit | djm@openbsd.org
fix ssh_config FingerprintHash evaluation order; from Petr Lautrbach
2015-01-09 | upstream commit | djm@openbsd.org
reorder hostbased key attempts to better match the default hostkey algorithms order in myproposal.h; ok markus@
2015-01-09 | upstream commit | djm@openbsd.org
deprecate key_load_private_pem() and sshkey_load_private_pem() interfaces. Refactor the generic key loading API to not require pathnames to be specified (they weren't really used). Fixes a few other things en passant: Makes ed25519 keys work for hostbased authentication (ssh-keysign previously used the PEM-only routines). Fixes key comment regression bz#2306: key pathnames were being lost as comment fields. ok markus@
2015-01-09 | upstream commit | tedu@openbsd.org
workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm markus
2015-01-09 | upstream commit | djm@openbsd.org
KNF and add a little more debug()
2015-01-09 | upstream commit | jmc@openbsd.org
add fingerprinthash to the options list;
2015-01-09 | upstream commit | jmc@openbsd.org
tweak previous;
2014-12-30 | avoid uninitialised free of ldns_res | Damien Miller
If an invalid rdclass was passed to getrrsetbyname() then this would execute a free on an uninitialised pointer. OpenSSH only ever calls this with a fixed and valid rdclass. Reported by Joshua Rogers
2014-12-29 | pull updated OpenBSD BCrypt PBKDF implementation | Damien Miller
Includes fix for 1 byte output overflow for large key length requests (not reachable in OpenSSH). Pointed out by Joshua Rogers
2014-12-23 | fix variable name for IPv6 case in construct_utmpx | Damien Miller
patch from writeonce AT midipix.org via bz#2296
2014-12-23 | include and use OpenBSD netcat in regress/ | Damien Miller
2014-12-22 | upstream commit | djm@openbsd.org
mention ssh -Q feature to list supported { MAC, cipher, KEX, key } algorithms in more places and include the query string used to list the relevant information; bz#2288
2014-12-22 | upstream commit | jmc@openbsd.org
tweak previous;
2014-12-22 | upstream commit | djm@openbsd.org
regression test for multiple required pubkey authentication; ok markus@
2014-12-22 | upstream commit | djm@openbsd.org
correct description of what will happen when an AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd will refuse to start)
2014-12-22 | upstream commit | djm@openbsd.org
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised. Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
2014-12-22 | upstream commit | djm@openbsd.org
remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys. ok markus@
2014-12-22 | upstream commit | djm@openbsd.org
fix passing of wildcard forward bind addresses when connection multiplexing is in use; patch from Sami Hartikainen via bz#2324; ok dtucker@
2014-12-22 | upstream commit | djm@openbsd.org
make this slightly easier to diff against portable
2014-12-22 | add missing regress output file | Damien Miller
2014-12-22 | upstream commit | djm@openbsd.org
adjust for new SHA256 key fingerprints and slightly-different MD5 hex fingerprint format
2014-12-22 | upstream commit | djm@openbsd.org
poll changes to netcat (usr.bin/netcat.c r1.125) broke this test; fix it by ensuring more stdio fds are sent to devnull
2014-12-22 | upstream commit | jmc@openbsd.org
tweak previous;
2014-12-22 | upstream commit | djm@openbsd.org
document FingerprintHash here too
2014-12-22 | missing include for base64 encoding | Damien Miller
2014-12-22 | upstream commit | djm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-12-22 | upstream commit | djm@openbsd.org
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
2014-12-18 | upstream commit | djm@openbsd.org
revert chunk I didn't mean to commit yet; via jmc@
2014-12-18 | upstream libc change | Damien Miller
revision 1.2 date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV; avoid left shift overflow in reallocarray. Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting 1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with (size_t)1 so that we get the correct constant size for the platform. discussed with tedu@ & deraadt@
2014-12-18 | include CFLAGS in gnome askpass targets | Damien Miller
from Fedora
2014-12-11 | upstream commit | djm@openbsd.org
explicitly include sys/param.h in files that use the howmany() macro; from portable
2014-12-11 | upstream commit | djm@openbsd.org
mention AuthorizedKeysCommandUser must be set for AuthorizedKeysCommand to be run; bz#2287
2014-12-11 | upstream commit | djm@openbsd.org
show in debug output which hostkeys are being tried when attempting hostbased auth; patch from Iain Morgan
2014-12-11 | upstream commit | djm@openbsd.org
Make manual reflect reality: sftp-server's -d option accepts a "%d" option, not a "%h" one. bz#2316; reported by Kirk Wolf
2014-12-10 | upstream commit | djm@openbsd.org
better error value for invalid signature length
2014-12-10 | Resync more with OpenBSD's rijndael.c, in particular "#if 0"-ing out some | Darren Tucker
unused code. Should fix compile error reported by plautrba at redhat.
2014-12-10 | Add reallocarray to compat library | Darren Tucker
2014-12-05 | upstream commit | djm@openbsd.org
add tests for new client RevokedHostKeys option; refactor to make it a bit more readable
2014-12-05 | upstream commit | krw@openbsd.org
Nuke yet more obvious #include duplications. ok deraadt@
2014-12-05 | upstream commit | djm@openbsd.org
key_in_file() wrapper is no longer used
2014-12-05 | upstream commit | djm@openbsd.org
add RevokedHostKeys option for the client. Allow textfile or KRL-based revocation of hostkeys.