summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-01-30upstream commitdtucker@openbsd.org
Make forwarding test less racy by using unix domain sockets instead of TCP ports where possible. Patch from cjwatson at debian.org via bz#2659. Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
2017-01-30upstream commitdtucker@openbsd.org
Fix typo in ~C error message for bad port forward cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's bugtracker. Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
2017-01-30upstream commitguenther@openbsd.org
The POSIX APIs that that sockaddrs all ignore the s*_len field in the incoming socket, so userspace doesn't need to set it unless it has its own reasons for tracking the size along with the sockaddr. ok phessler@ deraadt@ florian@ Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
2017-01-30upstream commitjmc@openbsd.org
keep the tokens list sorted; Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
2017-01-30upstream commitdjm@openbsd.org
fix previous Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
2017-01-30upstream commitdjm@openbsd.org
show a useful error message when included config files can't be opened; bz#2653, ok dtucker@ Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
2017-01-30upstream commitdjm@openbsd.org
sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this. bz#2637 ok dtucker Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
2017-01-30upstream commitdjm@openbsd.org
Avoid confusing error message when attempting to use ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583 Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
2017-01-30upstream commitdtucker@openbsd.org
Re-add '%k' token for AuthorizedKeysCommand which was lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com. Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
2017-01-30upstream commitdjm@openbsd.org
unbreak Unix domain socket forwarding for root; ok markus@ Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
2017-01-16Remove LOGIN_PROGRAM.Darren Tucker
UseLogin is gone, remove leftover. bz#2665, from cjwatson at debian.org
2017-01-04upstream commitdjm@openbsd.org
relax PKCS#11 whitelist a bit to allow libexec as well as lib directories. Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702
2017-01-04upstream commitdjm@openbsd.org
check number of entries in SSH2_FXP_NAME response; avoids unreachable overflow later. Reported by Jann Horn Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
2017-01-03upstream commitdjm@openbsd.org
fix deadlock when keys/principals command produces a lot of output and a key is matched early; bz#2655, patch from jboning AT gmail.com Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
2016-12-20Re-add missing "Prerequisites" header and fix typoDarren Tucker
Patch from HARUYAMA Seigo <haruyama at unixuser org>.
2016-12-20upstream commitdjm@openbsd.org
use standard /bin/sh equality test; from Mike Frysinger Upstream-Regress-ID: 7b6f0b63525f399844c8ac211003acb8e4b0bec2
2016-12-19crank version numbers for releaseDamien Miller
2016-12-19upstream commitdjm@openbsd.org
openssh-7.4 Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
2016-12-19upstream commitdjm@openbsd.org
remove testcase that depends on exact output and behaviour of snprintf(..., "%s", NULL) Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
2016-12-19upstream commitdtucker@openbsd.org
Use LOGNAME to get current user and fall back to whoami if not set. Mainly to benefit -portable since some platforms don't have whoami. Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
2016-12-17upstream commitdtucker@openbsd.org
Add regression test for AllowUsers and DenyUsers. Patch from Zev Weiss <zev at bewilderbeest.net> Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
2016-12-16Add missing monitor.h include.Darren Tucker
Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
2016-12-16upstream commitdjm@openbsd.org
revert to rev1.2; the new bits in this test depend on changes to ssh that aren't yet committed Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
2016-12-16upstream commitdtucker@openbsd.org
Move the "stop sshd" code into its own helper function. Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@ Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
2016-12-16upstream commitdjm@openbsd.org
regression test for certificates along with private key with no public half. bz#2617, mostly from Adam Eijdenberg Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
2016-12-16upstream commitdtucker@openbsd.org
Use $SUDO to read pidfile in case root's umask is restricted. From portable. Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
2016-12-16upstream commitdtucker@openbsd.org
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@ Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
2016-12-16upstream commitdtucker@openbsd.org
Fix text in error message. Patch from zev at bewilderbeest.net. Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
2016-12-14upstream commitdjm@openbsd.org
disable Unix-domain socket forwarding when privsep is disabled Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
2016-12-14upstream commitdjm@openbsd.org
log connections dropped in excess of MaxStartups at verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@ Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
2016-12-13Get default of TEST_SSH_UTF8 from environment.Darren Tucker
2016-12-13Remove commented-out includes.Darren Tucker
These commented-out includes have "Still needed?" comments. Since they've been commented out for ~13 years I assert that they're not.
2016-12-13Add prototype for strcasestr in compat library.Darren Tucker
2016-12-13Add strcasestr to compat library.Darren Tucker
Fixes build on (at least) Solaris 10.
2016-12-12Force Turkish locales back to C/POSIX; bz#2643Damien Miller
Turkish locales are unique in their handling of the letters 'i' and 'I' (yes, they are different letters) and OpenSSH isn't remotely prepared to deal with that. For now, the best we can do is to force OpenSSH to use the C/POSIX locale and try to preserve the UTF-8 encoding if possible. ok dtucker@
2016-12-09exit is in stdlib.h not unistd.h (that's _exit).Darren Tucker
2016-12-09Include <unistd.h> for exit in utf8 locale test.Darren Tucker
2016-12-08Check for utf8 local support before testing it.Darren Tucker
Check for utf8 local support and if not found, do not attempt to run the utf8 tests. Suggested by djm@
2016-12-08Use AC_PATH_TOOL for krb5-config.Darren Tucker
This will use the host-prefixed version when cross compiling; patch from david.michael at coreos.com.
2016-12-06upstream commitdjm@openbsd.org
make IdentityFile successfully load and use certificates that have no corresponding bare public key. E.g. just a private id_rsa and certificate id_rsa-cert.pub (and no id_rsa.pub). bz#2617 ok dtucker@ Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
2016-12-06Add a gnome-ssh-askpass3 target for GTK+3 versionDamien Miller
Based on patch from Colin Watson via bz#2640
2016-12-06Make gnome-ssh-askpass2.c GTK+3-friendlyDamien Miller
Patch from Colin Watson via bz#2640
2016-12-05upstream commitdjm@openbsd.org
Fix public key authentication when multiple authentication is in use. Instead of deleting and re-preparing the entire keys list, just reset the 'used' flags; the keys list is already in a good order (with already- tried keys at the back) Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@ Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
2016-12-05upstream commitdtucker@openbsd.org
Unlink PidFile on SIGHUP and always recreate it when the new sshd starts. Regression tests (and possibly other things) depend on the pidfile being recreated after SIGHUP, and unlinking it means it won't contain a stale pid if sshd fails to restart. ok djm@ markus@ Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
2016-11-30upstream commitdjm@openbsd.org
test new behaviour of cert force-command restriction vs. authorized_key/ principals Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
2016-11-30upstream commitjmc@openbsd.org
tweak previous; while here fix up FILES and AUTHORS; Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
2016-11-30upstream commitdjm@openbsd.org
add a whitelist of paths from which ssh-agent will load (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@ Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
2016-11-30upstream commitdjm@openbsd.org
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30upstream commitdjm@openbsd.org
When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced- command override the other could be a bit confused and more error-prone. Pointed out by Jann Horn of Project Zero; ok dtucker@ Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30upstream commitdtucker@openbsd.org
On startup, check to see if sshd is already daemonized and if so, skip the call to daemon() and do not rewrite the PidFile. This means that when sshd re-execs itself on SIGHUP the process ID will no longer change. Should address bz#2641. ok djm@ markus@. Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9