summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-07-03dependDamien Miller
2018-07-03upstream: some finesse to fix RSA-SHA2 certificate authenticationdjm@openbsd.org
for certs hosted in ssh-agent OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
2018-07-03upstream: check correct variable; unbreak agent keysdjm@openbsd.org
OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
2018-07-03upstream: crank version number to 7.8; needed for new compat flagdjm@openbsd.org
for prior version; part of RSA-SHA2 strictification, ok markus@ OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03upstream: allow sshd_config PermitUserEnvironment to accept adjm@openbsd.org
pattern-list of whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@ OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
2018-07-03upstream: Fix "WARNING: line 6 disappeared in /etc/moduli, giving up"millert@openbsd.org
when choosing a prime. An extra increment of linenum snuck in as part of the conversion to getline(). OK djm@ markus@ OpenBSD-Commit-ID: 0019225cb52ed621b71cd9f19ee2e78e57e3dd38
2018-07-03upstream: One ampersand is enough to backgroud an process. OpenBSDdtucker@openbsd.org
doesn't seem to mind, but some platforms in -portable object to the second. OpenBSD-Regress-ID: d6c3e404871764343761dc25c3bbe29c2621ff74
2018-07-02Add implementation of getline.Darren Tucker
Add getline for the benefit of platforms that don't have it. Sourced from NetBSD (OpenBSD's implementation is a little too chummy with the internals of FILE).
2018-06-26upstream: whitespacedjm@openbsd.org
OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572
2018-06-26upstream: fix NULL dereference in open_listen_match_tcpip()djm@openbsd.org
OpenBSD-Commit-ID: c968c1d29e392352383c0f9681fcc1e93620c4a9
2018-06-26upstream: spelling;jmc@openbsd.org
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-19upstream: test PermitListen with bare port numbersdjm@openbsd.org
OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3
2018-06-19upstream: allow bare port numbers to appear in PermitListen directives,djm@openbsd.org
e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-15upstream: invalidate supplemental group cache used bydjm@openbsd.org
temporarily_use_uid() when the target uid differs; could cause failure to read authorized_keys under some configurations. patch by Jakub Jelen via bz2873; ok dtucker, markus OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
2018-06-11upstream: unbreak SendEnv; patch from tb@djm@openbsd.org
OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
2018-06-11upstream: sort previous;jmc@openbsd.org
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-11upstream: slightly better wording re handing of $TERM, from Jakubdjm@openbsd.org
Jelen via bz2386 OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
2018-06-09upstream: add a SetEnv directive for sshd_config to allow andjm@openbsd.org
administrator to explicitly specify environment variables set in sessions started by sshd. These override the default environment and any variables set by user configuration (PermitUserEnvironment, etc), but not the SSH_* variables set by sshd itself. ok markus@ OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
2018-06-09upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org
environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09upstream: reorder child environment preparation so that variablesdjm@openbsd.org
read from ~/.ssh/environment (if enabled) do not override SSH_* variables set by the server. OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a
2018-06-09upstream: fix incorrect expansion of %i indjm@openbsd.org
load_public_identity_files(); reported by Roumen Petrov OpenBSD-Commit-ID: a827289e77149b5e0850d72a350c8b0300e7ef25
2018-06-09upstream: fix some over-long lines and __func__ up some debugdjm@openbsd.org
messages OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
2018-06-09upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-08Remove ability to override $LD.Darren Tucker
Since autoconf always uses $CC to link C programs, allowing users to override LD caused mismatches between what LD_LINK_IFELSE thought worked and what ld thought worked. If you do need to do this kind of thing you need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS.
2018-06-08Better detection of unsupported compiler options.Darren Tucker
Should prevent "unsupported -Wl,-z,retpoline" warnings during linking. ok djm@
2018-06-08upstream: test the correct configuration option namedjm@openbsd.org
OpenBSD-Regress-ID: 492279ea9f65657f97a970e0e7c7fd0b339fee23
2018-06-07upstream: some permitlisten fixes from markus@ that I missed in mydjm@openbsd.org
insomnia-fueled commits last night OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c
2018-06-07upstream: permitlisten/PermitListen unit test from Markusdjm@openbsd.org
OpenBSD-Regress-ID: ab12eb42f0e14926980441cf7c058a6d1d832ea5
2018-06-07upstream: fix regression caused by recent permitlisten option commit:djm@openbsd.org
authorized_keys lines that contained permitopen/permitlisten were being treated as invalid. OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b
2018-06-07upstream: switch config file parsing to getline(3) as this avoidsmarkus@openbsd.org
static limits noted by gerhard@; ok dtucker@, djm@ OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-06-07upstream: regress test for PermitOpendjm@openbsd.org
OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
2018-06-07upstream: man bits for permitlisten authorized_keys optiondjm@openbsd.org
OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
2018-06-07upstream: man bits for PermitListendjm@openbsd.org
OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
2018-06-07upstream: permitlisten option for authorized_keys; ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
2018-06-07upstream: Add a PermitListen directive to control which server-sidedjm@openbsd.org
addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation. feedback and ok markus@ OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
2018-06-06Use ssh-keygen -A to generate missing host keys.Darren Tucker
Instead of testing for each specific key type, use ssh-keygen -A to generate any missing host key types.
2018-06-04upstream: add missing punctuation after %i in ssh_config.5, andjmc@openbsd.org
make the grammatical format in sshd_config.5 match that in ssh_config.5; OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
2018-06-04upstream: oops - further adjustment to text neccessary;jmc@openbsd.org
OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025
2018-06-04upstream: %U needs to be escaped; tweak text;jmc@openbsd.org
OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e
2018-06-04upstream: Apply umask to all incoming files and directories notdtucker@openbsd.org
just files. This makes sure it gets applied to directories too, and prevents a race where files get chmodded after creation. bz#2839, ok djm@ OpenBSD-Commit-ID: 3168ee6c7c39093adac4fd71039600cfa296203b
2018-06-01upstream: Adapt to extra default verboisity from ssh-keygen whendjm@openbsd.org
searching for and hashing known_hosts entries in a single operation (ssh-keygen -HF ...) Patch from Anton Kremenetsky OpenBSD-Regress-ID: 519585a4de35c4611285bd6a7272766c229b19dd
2018-06-01upstream: Add TEST_SSH_FAIL_FATAL variable, to force all failuresdjm@openbsd.org
to instantly abort the test. Useful in capturing clean logs for individual failure cases. OpenBSD-Regress-ID: feba18cf338c2328b9601bd4093cabdd9baa3af1
2018-06-01upstream: Clean up comment.dtucker@openbsd.org
OpenBSD-Regress-ID: 6adb35f384d447e7dcb9f170d4f0d546d3973e10
2018-06-01upstream: whitespacedjm@openbsd.org
OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add
2018-06-01upstream: make ssh_remote_ipaddr() capable of being called afterdjm@openbsd.org
the ssh->state has been torn down; bz#2773 OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb
2018-06-01upstream: return correct exit code when searching for and hashingdjm@openbsd.org
known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772 Report and fix from Anton Kremenetsky OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
2018-06-01upstream: make UID available as a %-expansion everywhere that thedjm@openbsd.org
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-06-01upstream: prefer argv0 to "ssh" when re-executing ssh for ProxyJumpdjm@openbsd.org
directive; bz2831, feedback and ok dtucker@ OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e
2018-05-25upstream: Do not ban PTY allocation when a sshd session is restricteddjm@openbsd.org
because the user password is expired as it breaks password change dialog. regression in openssh-7.7 reported by Daniel Wagner OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73