| Age | Commit message (Collapse) | Author |
|---|
|
Remove more SSH1 server code: * Drop sshd's -k option. *
Retire configuration keywords that only apply to protocol 1, as well as the
"protocol" keyword. * Remove some related vestiges of protocol 1 support.
ok markus@
Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
|
|
|
|
|
|
--with-ldflags isn't used until after the -ftrapv test, so mention
LDFLAGS instead for now.
|
|
Since -portable switched to git the CVS $Id tags are no longer being
updated and are becoming increasingly misleading. Remove them.
|
|
Since -portable switched to git, the CVS $Id tags are no longer being
updated and are becoming increasingly misleading. Remove them.
|
|
Add a section for compiler specifics and document the runtime requirements
for clang's integer sanitization.
|
|
When using clang with -ftrapv or -sanitize=integer the tests would pass
but linking would fail with "undefined reference to __mulodi4".
Explicitly test for this before enabling -trapv.
|
|
Saves messing around with LOGIN_PROGRAM env var, which come
packaging environments make hard to do during configure phase.
|
|
Saves messing around with CFLAGS to do it.
|
|
Our explicit_bzero successfully confused clang -fsanitize-memory
in to thinking that memset is never called to initialise memory.
Ensure that it is called in a way that the compiler recognises.
|
|
remove ssh1 server code; ok djm@
Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
|
|
Use 2001:db8::/32, the official IPv6 subnet for
configuration examples.
This makes the IPv6 example consistent with IPv4, and removes a dubious
mention of a 6bone subnet.
ok sthen@ millert@
Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
|
|
Update moduli file.
Upstream-ID: 6da9a37f74aef9f9cc639004345ad893cad582d8
|
|
|
|
Improve error message for overlong ControlPath. ok markus@
djm@
Upstream-ID: aed374e2e88dd3eb41390003e5303d0089861eb5
|
|
small refactor of cipher.c: make ciphercontext opaque to
callers feedback and ok markus@
Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
|
|
Fix bug introduced in rev 1.467 which causes
"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
ok deraadt@
Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
|
|
better bounds check on iovcnt (we only ever use fixed,
positive values)
Upstream-ID: 9baa6eb5cd6e30c9dc7398e5fe853721a3a5bdee
|
|
|
|
NetBSD added an strnvis and unfortunately made it incompatible with the
existing one in OpenBSD and Linux's libbsd (the former having existed
for over ten years). Despite this incompatibility being reported during
development (see http://gnats.netbsd.org/44977) they still shipped it.
Even more unfortunately FreeBSD and later MacOS picked up this incompatible
implementation. Try to detect this mess, and assume the only safe option
if we're cross compiling.
OpenBSD 2.9 (2001): strnvis(char *dst, const char *src, size_t dlen, int flag);
NetBSD 6.0 (2012): strnvis(char *dst, size_t dlen, const char *src, int flag);
ok djm@
|
|
|
|
upstream commit 562f3512b3911ba0c77a7f68214881d1f241f46e
|
|
Mechanically replace spaces with tabs in compat files not synced with
OpenBSD.
|
|
Mechanically strip trailing whitespace on files not synced with OpenBSD
(or in the case of bsd-snprint.c, rsync).
|
|
|
|
|
|
Skip generating missing RSA1 key on startup unless ssh1 support is enabled.
Spotted by Jean-Pierre Radley
|
|
Report by and debugged with Hisashi T Fujinaka, dtucker nailed
the problem (lack of prototype causing return type confusion).
|
|
|
|
|
|
get_remote_ipaddr() was replaced with ssh_remote_ipaddr()
|
|
|
|
openssh-7.3
Upstream-ID: af106a7eb665f642648cf1993e162c899f358718
|
|
Patch from vinschen at redhat.com.
|
|
fix pledge violation with ssh -f; reported by Valentin
Kozamernik ok dtucker@
Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa
|
|
improve wording; suggested by jmc@
Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
|
|
Lower loglevel for "Authenticated with partial success"
message similar to other similar level. bz#2599, patch from cgallek at
gmail.com, ok markus@
Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd
|
|
patch from Jakub Jelen on bz#2581; ok dtucker@
|
|
constify a few functions' arguments; patch from Jakub
Jelen bz#2581
Upstream-ID: f2043f51454ea37830ff6ad60c8b32b4220f448d
|
|
move debug("%p", key) to before key is free'd; probable
undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
|
|
reverse the order in which -J/JumpHost proxies are visited to
be more intuitive and document
reported by and manpage bits naddy@
Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
|
|
Skip passwords longer than 1k in length so clients can't
easily DoS sshd by sending very long passwords, causing it to spend CPU
hashing them. feedback djm@, ok markus@.
Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
360.cn and coredump at autistici.org
Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
|
|
Do not clobber the global jump_host variables when
parsing an inactive configuration. ok djm@
Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31
|
|
tweak previous;
Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
|
|
Allow wildcard for PermitOpen hosts as well as ports.
bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok
markus@
Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
|
|
Reduce timing attack against obsolete CBC modes by always
computing the MAC over a fixed size of data. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
|
|
If the root account is locked (eg password "!!" or "*LK*") keep looking
until we find a user with a valid salt to use for crypting passwords of
invalid users. ok djm@
|
|
Since adding $(REGRESSLIBS), $? is wrong because it includes only the
changed source files. $< seems like it'd be right however it doesn't
seem to work on some non-GNU makes, so do what works everywhere.
|
|
|
