Age | Commit message (Collapse) | Author |
|
[compat.c]
missing wildcard; pointed out by naddy@
|
|
[compat.c compat.h sshconnect2.c sshd.c version.h]
OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve25519-sha256@libssh.org KEX exchange method to fail
when connecting with something that implements the spec properly.
Disable this KEX method when speaking to one of the affected
versions.
reported by Aris Adamantiadis; ok markus@
|
|
[ssh-agent.1]
remove the identity files from this manpage - ssh-agent doesn't deal
with them at all and the same information is duplicated in ssh-add.1
(which does deal with them); prodded by deraadt@
|
|
[bufaux.c]
skip leading zero bytes in buffer_put_bignum2_from_string();
reported by jan AT mojzis.com; ok markus@
|
|
[sshd.c]
avoid crash at exit: check that pmonitor!=NULL before dereferencing;
bz#2225, patch from kavi AT juniper.net
|
|
[packet.c]
demote a debug3 to PACKET_DEBUG; ok markus@
|
|
[sshconnect.c]
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
certificate keys to plain keys and attempt SSHFP resolution.
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
dialog by offering only certificate keys.
Reported by mcv21 AT cam.ac.uk
|
|
[ssh-keysign.c]
include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()
|
|
[ssh-keygen.1]
the text for the -K option was inserted in the wrong place in -r1.108;
fix From: Matthew Clarke
|
|
[ssh_config.5 sshd_config.5]
sync available and default algorithms, improve algorithm list formatting
help from jmc@ and schwarze@, ok deraadt@
|
|
[sshd.8 sshd.c]
remove libwrap support. ok deraadt djm mfriedl
|
|
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
[misc.h poly1305.h ssh-pkcs11.c]
use __bounded(...) attribute recently added to sys/cdefs.h instead of
longform __attribute__(__bounded(...));
for brevity and a warning free compilation with llvm/clang
|
|
repeatedly):
- markus@cvs.openbsd.org 2014/03/25 09:40:03
[myproposal.h]
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
(arcfour), and the broken modes (CBC) from the default configuration
(the patch only changes the default, all the modes are still available
for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
- deraadt@cvs.openbsd.org 2014/03/26 17:16:26
[myproposal.h]
The current sharing of myproposal[] between both client and server code
makes the previous diff highly unpallatable. We want to go in that
direction for the server, but not for the client. Sigh.
Brought up by naddy.
- markus@cvs.openbsd.org 2014/03/27 23:01:27
[myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
|
[scp.1]
there is no need for rcp anymore
ok deraadt millert
|
|
[ssh.1]
old descriptions of des and blowfish are old. maybe ok deraadt
|
|
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
Improve usage() and documentation towards the standard form.
In particular, this line saves a lot of man page reading time.
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
[-N new_passphrase] [-C comment] [-f output_keyfile]
ok schwarze jmc
|
|
[ssh-keyscan.1]
scan for Ed25519 keys by default too
|
|
[authfile.c]
correct test that kdf name is not "none" or "bcrypt"
|
|
[auth-bsdauth.c ssh-keygen.c]
don't count on things that accept arguments by reference to clear
things for us on error; most things do, but it's unsafe form.
|
|
[ssh-keyscan.c]
scan for Ed25519 keys by default too
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
Id sync only - portable already has this.
|
|
version. From des@des.no
|
|
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
|
|
remind myself to add sandbox violation logging via the log socket.
|
|
- (tim) [opensshd.init.in] Add support for ed25519
|
|
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
|
|
no moduli file exists at the expected location.
|
|
|
|
[agent-ptrace.sh agent.sh]
keep return values that are printed in error messages;
from portable
(Id sync only)
|
|
[login-timeout.sh]
remove any existing LoginGraceTime from sshd_config before adding
a specific one for the test back in
|
|
[scp-ssh-wrapper.sh scp.sh]
make sure $SCP is tested on the remote end rather than whichever one
happens to be in $PATH; from portable
(Id sync only)
|
|
[regress/cert-hostkey.sh]
automatically generate revoked keys from listed keys rather than
manually specifying each type; from portable
(Id sync only)
|
|
[regress/Makefile regress/dhgex.sh]
Add a test for DH GEX sizes
|
|
[sftp-chroot.sh]
append to rather than truncating the log file
|
|
[regress/sftp-chroot.sh]
Don't use -q on sftp as it suppresses logging, instead redirect the
output to the regress logfile.
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
[version.h]
openssh-6.6
|
|
[sshd_config.5]
bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@
|
|
[bufbn.c]
off by one in range check
|
|
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
|
|
[sshd.c]
ssh_gssapi_prepare_supported_oids needs GSSAPI
|
|
[channels.c]
don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
|
|
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
|
|
[ssh.c]
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
ok dtucker@ markus@
|
|
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
|
|
[ssh-ed25519.c]
check for unsigned overflow; not reachable in OpenSSH but others might
copy our code...
|
|
[readconf.c]
when processing Match blocks, skip 'exec' clauses if previous predicates
failed to match; ok markus@
|
|
[channels.c]
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@
|
|
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
|