Age | Commit message (Collapse) | Author |
|
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
|
|
remind myself to add sandbox violation logging via the log socket.
|
|
- (tim) [opensshd.init.in] Add support for ed25519
|
|
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
|
|
no moduli file exists at the expected location.
|
|
|
|
[agent-ptrace.sh agent.sh]
keep return values that are printed in error messages;
from portable
(Id sync only)
|
|
[login-timeout.sh]
remove any existing LoginGraceTime from sshd_config before adding
a specific one for the test back in
|
|
[scp-ssh-wrapper.sh scp.sh]
make sure $SCP is tested on the remote end rather than whichever one
happens to be in $PATH; from portable
(Id sync only)
|
|
[regress/cert-hostkey.sh]
automatically generate revoked keys from listed keys rather than
manually specifying each type; from portable
(Id sync only)
|
|
[regress/Makefile regress/dhgex.sh]
Add a test for DH GEX sizes
|
|
[sftp-chroot.sh]
append to rather than truncating the log file
|
|
[regress/sftp-chroot.sh]
Don't use -q on sftp as it suppresses logging, instead redirect the
output to the regress logfile.
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
[version.h]
openssh-6.6
|
|
[sshd_config.5]
bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@
|
|
[bufbn.c]
off by one in range check
|
|
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
|
|
[sshd.c]
ssh_gssapi_prepare_supported_oids needs GSSAPI
|
|
[channels.c]
don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
|
|
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
|
|
[ssh.c]
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
ok dtucker@ markus@
|
|
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
|
|
[ssh-ed25519.c]
check for unsigned overflow; not reachable in OpenSSH but others might
copy our code...
|
|
[readconf.c]
when processing Match blocks, skip 'exec' clauses if previous predicates
failed to match; ok markus@
|
|
[channels.c]
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@
|
|
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
|
|
- (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.
|
|
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
|
|
[sshconnect.c]
in ssh_create_socket(), only do the getaddrinfo for BindAddress when
BindAddress is actually specified. Fixes regression in 6.5 for
UsePrivilegedPort=yes; patch from Corinna Vinschen
|
|
[ssh-keygen.1 ssh-keygen.c]
tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
while here, fix ordering in usage(); requested by jmc@
|
|
__NR_shutdown; some go via the socketcall(2) multiplexer.
|
|
before freeing since free(NULL) is a no-op. ok djm.
|
|
headers/libc but not supported by the kernel. Patch from Loganaden
Velvindron @ AfriNIC
|
|
|
|
|
|
[ssh.c]
delay lowercasing of hostname until right before hostname
canonicalisation to unbreak case-sensitive matching of ssh_config;
reported by Ike Devolder; ok markus@
|
|
[digest-libc.c digest-openssl.c]
convert memset of potentially-private data to explicit_bzero()
|
|
[ssh-ecdsa.c]
fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
DSA_SIG_new. Reported by Batz Spear; ok markus@
|
|
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c]
convert memset of potentially-private data to explicit_bzero()
|
|
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
|
|
[sandbox-systrace.c]
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable
(Id sync only; change is already in portable)
|
|
[sshd_config.5]
document kbdinteractiveauthentication;
requested From: Ross L Richardson
dtucker/markus helped explain its workings;
|
|
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
|
|
[sshd.c]
use kill(0, ...) instead of killpg(0, ...); on most operating systems
they are equivalent, but SUSv2 describes the latter as having undefined
behaviour; from portable; ok dtucker
(Id sync only; change is already in portable)
|
|
[ssh-keyscan.1]
kill some bad Pa;
From: Jan Stary
|
|
[digest.c digest-openssl.c digest-libc.c Makefile.in]
rename digest.c to digest-openssl.c and add libc variant; ok djm@
|
|
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
replace openssl MD5 with our ssh_digest_*; ok djm@
|
|
[Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
replace openssl HMAC with an implementation based on our ssh_digest_*
ok and feedback djm@
|