summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-05-27upstream: Enable credProtect extension when generating a residentdjm@openbsd.org
key. The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect" feature to better protect resident keys. This option allows (amone other possibilities) requiring a PIN prior to all operations that may retrieve the key handle. Patch by Pedro Martelletto; ok djm and markus OpenBSD-Commit-ID: 013bc06a577dcaa66be3913b7f183eb8cad87e73
2020-05-27upstream: always call fido_init(); previous behaviour only calleddjm@openbsd.org
fido_init() when SK_DEBUG was defined. Harmless with current libfido2, but this isn't guaranteed in the future. OpenBSD-Commit-ID: c7ea20ff2bcd98dd12015d748d3672d4f01f0864
2020-05-27upstream: preserve group/world read permission on known_hostsdjm@openbsd.org
file across runs of "ssh-keygen -Rf /path". The old behaviour was to remove all rights for group/other. bz#3146 ok dtucker@ OpenBSD-Commit-ID: dc369d0e0b5dd826430c63fd5f4b269953448a8a
2020-05-27upstream: when ordering the hostkey algorithms to request from adjm@openbsd.org
server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 ok markus@ OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
2020-05-27upstream: fix non-ASCII quote that snuck in; spotted by Gabrieldjm@openbsd.org
Kihlman OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800
2020-05-27upstream: clarify role of FIDO tokens in multi-factordjm@openbsd.org
authentictation; mostly from Pedro Martelletto OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
2020-05-27upstream: fix compilation with DEBUG_KEXDH; bz#3160 ok dtucker@djm@openbsd.org
OpenBSD-Commit-ID: 832e771948fb45f2270e8b8895aac36d176ba17a
2020-05-14prefer ln to cp for temporary copy of sshdDamien Miller
I saw failures on the reexec fallback test on Darwin 19.4 where fork()ed children of a process that had it's executable removed would instantly fail. Using ln to preserve the inode avoids this.
2020-05-13Actually skip pty tests when needed.Darren Tucker
2020-05-13Skip building sk-dummy library if no SK support.Darren Tucker
2020-05-13explicitly manage .depend and .depend.bakDamien Miller
Bring back removal of .depend to give the file a known state before running makedepend, but manually move aside the current .depend file and restore it as .depend.bak afterwards so the stale .depend check works as expected.
2020-05-13make dependDamien Miller
2020-05-13revert removal of .depend before makedependDamien Miller
Commit 83657eac4 started removing .depend before running makedepend to reset the contents of .depend to a known state. Unfortunately this broke the depend-check step as now .depend.bak would only ever be created as an empty file. ok dtucker
2020-05-12prepare for 8.3 releaseDamien Miller
2020-05-08Ensure SA_SIGNAL test only signals itself.Darren Tucker
When the test's child signals its parent and it exits the result of getppid changes. On Ubuntu 20.04 this results in the ppid being that of the GDM session, causing it to exit. Analysis and testing from pedro at ambientworks.net
2020-05-08sync config.guess/config.sub with latest versionsDamien Miller
ok dtucker@
2020-05-07upstream: openssh-8.3; ok deraadt@djm@openbsd.org
OpenBSD-Commit-ID: c8831ec88b9c750f5816aed9051031fb535d22c1
2020-05-07upstream: another case where a utimes() failure could make scp senddjm@openbsd.org
a desynchronising error; reminded by Aymeric Vincent ok deraadt markus OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381
2020-05-07Check if -D_REENTRANT is needed for localtime_r.Darren Tucker
On at least HP-UX 11.11, the localtime_r declararation is behind ifdef _REENTRANT. Check for and add if needed.
2020-05-05Skip security key tests if ENABLE_SK not set.Darren Tucker
2020-05-04upstream: sure enough, some of the test data that we though were indjm@openbsd.org
new format were actually in the old format; fix from Michael Forney OpenBSD-Regress-ID: a41a5c43a61b0f0b1691994dbf16dfb88e8af933
2020-05-04upstream: make mktestdata.sh generate old/new format keys that wedjm@openbsd.org
expect. This script was written before OpenSSH switched to new-format private keys by default and was never updated to the change (until now) From Michael Forney OpenBSD-Regress-ID: 38cf354715c96852e5b71c2393fb6e7ad28b7ca7
2020-05-04upstream: portability fix for sed that always emil a newline evendjm@openbsd.org
if the input does not contain one; from Michael Forney OpenBSD-Regress-ID: 9190c3ddf0d2562ccc02c4a95fce0e392196bfc7
2020-05-04upstream: remove obsolete RSA1 test keys; spotted by Michael Forneydjm@openbsd.org
OpenBSD-Regress-ID: 6384ba889594e217d166908ed8253718ab0866da
2020-05-02Update .depend.Darren Tucker
2020-05-02Remove use of tail for 'make depend'.Darren Tucker
Not every tail supports +N and we can do with out it so just remove it. Prompted by mforney at mforney.org.
2020-05-02upstream: we have a sshkey_save_public() function to save public keys;djm@openbsd.org
use it and save a bunch of redundant code. Patch from loic AT venez.fr; ok markus@ djm@ OpenBSD-Commit-ID: f93e030a0ebcd0fd9054ab30db501ec63454ea5f
2020-05-01Use LONG_LONG_MAX and friends if available.Darren Tucker
If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX} then use those instead. We do calculate these values in configure, but it turns out that at least one compiler (old HP ANSI C) can't parse "-9223372036854775808LL" without mangling it. (It can parse "-9223372036854775807LL" which is presumably why its limits.h defines LONG_LONG_MIN as the latter minus 1.) Fixes rekey test when compiled with the aforementioned compiler.
2020-05-01upstream: when receving a file in sink(), be careful to send atdjm@openbsd.org
most a single error response after the file has been opened. Otherwise the source() and sink() can become desyncronised. Reported by Daniel Goujot, Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache. ok deraadt@ markus@ OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035
2020-05-01upstream: expose vasnmprintf(); ok (as part of other commit) markusdjm@openbsd.org
deraadt OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5
2020-05-01upstream: avoid NULL dereference when attempting to convert invaliddjm@openbsd.org
ssh.com private keys using "ssh-keygen -i"; spotted by Michael Forney OpenBSD-Commit-ID: 2e56e6d26973967d11d13f56ea67145f435bf298
2020-05-01See if SA_RESTART signals will interrupt select().Darren Tucker
On some platforms (at least older HP-UXes such as 11.11, possibly others) setting SA_RESTART on signal handers will cause it to not interrupt select(), at least for calls that do not specify a timeout. Try to detect this and if found, don't use SA_RESTART. POSIX says "If SA_RESTART has been set for the interrupting signal, it is implementation-dependent whether select() restarts or returns with [EINTR]" so this behaviour is within spec.
2020-05-01fix reversed testDamien Miller
2020-05-01wrap sha2.h inclusion in #ifdef HAVE_SHA2_HDamien Miller
2020-05-01upstream: adapt dummy FIDO middleware to API change; ok markus@djm@openbsd.org
OpenBSD-Regress-ID: 8bb84ee500c2eaa5616044314dd0247709a1790f
2020-05-01upstream: tweak previous; ok markusjmc@openbsd.org
OpenBSD-Commit-ID: 41895450ce2294ec44a5713134491cc31f0c09fd
2020-05-01upstream: bring back debug() removed in rev 1.74; noted by pradeepmarkus@openbsd.org
kumar OpenBSD-Commit-ID: 8d134d22ab25979078a3b48d058557d49c402e65
2020-05-01upstream: run the 2nd ssh with BatchMode for scp -3markus@openbsd.org
OpenBSD-Commit-ID: 77994fc8c7ca02d88e6d0d06d0f0fe842a935748
2020-05-01upstream: when signing a challenge using a FIDO toke, perform thedjm@openbsd.org
hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@ OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
2020-05-01upstream: Fix comment typo. Patch from mforney at mforney.org.dtucker@openbsd.org
OpenBSD-Commit-ID: 3565f056003707a5e678e60e03f7a3efd0464a2b
2020-05-01upstream: We've standardized on memset over bzero, replace a coupledtucker@openbsd.org
that had slipped in. ok deraadt markus djm. OpenBSD-Commit-ID: f5be055554ee93e6cc66b0053b590bef3728dbd6
2020-05-01Include sys/byteorder.h for htons and friends.Darren Tucker
These are usually in netinet/in.h but on HP-UX they are not defined if _XOPEN_SOURCE_EXTENDED is set. Only needed for netcat in the regression tests.
2020-05-01Fix conditional for openssl-based chacha20.Darren Tucker
Fixes warnings or link errors when building against older OpenSSLs. ok djm
2020-04-24Error out if given RDomain if unsupported.Darren Tucker
If the config contained 'RDomain %D' on a platform that did not support it, the error would not be detected until runtime resulting in a broken sshd. Detect this earlier and error out if found. bz#3126, based on a patch from jjelen at redhat.com, tweaks and ok djm@
2020-04-24upstream: Fix incorrect error message for "too many known hosts files."dtucker@openbsd.org
bz#3149, patch from jjelen at redhat.com. OpenBSD-Commit-ID: e0fcb07ed5cf7fd54ce340471a747c24454235e5
2020-04-24upstream: Remove leave_non_blocking() which is now dead codedtucker@openbsd.org
because nothing sets in_non_blocking_mode any more. Patch from michaael.meeks at collabora.com, ok djm@ OpenBSD-Commit-ID: c403cefe97a5a99eca816e19cc849cdf926bd09c
2020-04-24upstream: ce examples of "Ar arg Ar arg" with "Ar arg arg" andjmc@openbsd.org
stop the spread; OpenBSD-Commit-ID: af0e952ea0f5e2019c2ce953ed1796eca47f0705
2020-04-24Update .depend.Darren Tucker
2020-04-22Mailing list is now closed to non-subscribers.Darren Tucker
While there, add a reference to the bugzilla. ok djm@
2020-04-22Put the values from env vars back.Darren Tucker
This merges the values from the recently removed environment into make's command line arguments since we actually need those.