Age | Commit message | Author |
|
authentication early enough to be available to PAM session modules when
privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam
Hartman and similar to Debian's ssh-krb5 package.
|
|
Unix; prevents problems relating to the location of -lresolv in the
link order.
|
|
by the system headers.
|
|
via mkstemp in some configurations. ok djm@
|
|
openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
on AIX where possible (see README.platform for details) and work around
a misfeature of AIX's getnameinfo. ok djm@
|
|
--disable-etc-default-login configure option.
|
|
the username to be passed to the passwd command when changing expired
passwords. ok djm@
|
|
paths. ok djm@
|
|
disable_forwarding() from compat library. Prevent linker errors trying
to resolve it for binaries other than sshd. ok djm@
|
|
[sshd.c]
Provide reason in error message if getnameinfo fails; ok markus@
|
|
[monitor.c]
Make code match intent; ok djm@
|
|
[ssh_config.5]
wording;
ok markus@
|
|
[ssh_config.5]
grammar;
|
|
[ssh_config]
Make it clear that the example entries in ssh_config are only some of the
commonly-used options and refer the user to ssh_config(5) for more
details; ok djm@
|
|
monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
defines and enums with SSH_ to prevent namespace collisions on some
platforms (eg AIX).
|
|
regress tests so newer versions of GNU head(1) behave themselves. Patch
by djm, so ok me.
|
|
monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
(first stage) Add audit instrumentation to sshd, currently disabled by
default. with suggestions from and djm@
|
|
Bug #974: Teach sshd to write failed login records to btmp for failed auth
attempts (currently only for password, kbdint and C/R, only on Linux and
HP-UX), based on code from login.c from util-linux. With ashok_kovai at
hotmail.com, ok djm@
|
|
the process. Since we also unset KRB5CCNAME at startup, if it's set after
authentication it must have been set by the platform's native auth system.
This was already done for AIX; this enables it for the general case.
|
|
Make record_failed_login() call provide hostname rather than having the
implementations having to do lookups themselves. Only affects AIX and
UNICOS (the latter only uses the "user" parameter anyway). ok djm@
|
|
rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@
|
|
keyboard-interactive since this is no longer the case.
|
|
platforms syslog will revert to its default values. This may result in
messages from external libraries (eg libwrap) being sent to a different
facility.
|
|
[auth-passwd.c]
#if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
|
|
[moduli]
Import new moduli; requested by deraadt@ a week ago
|
|
[scp.c sftp.c]
Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@
|
|
[cipher.c]
config option "Ciphers" should be case-sensitive; ok dtucker@
|
|
[auth.c]
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@
|
|
[auth-passwd.c sshd.c]
Warn in advance for password and account expiry; initialize loginmsg
buffer earlier and clear it after privsep fork. ok and help dtucker@
markus@
|
|
the list of available kbdint devices if UsePAM=no. ok djm@
|
|
bytes to prevent errors from login_init_entry() when the username is
exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
|
|
[cipher-ctr.c cipher.c]
remove fallback AES support for old OpenSSL, as OpenBSD has had it for
many years now; ok deraadt@
(Id sync only: Portable will continue to support older OpenSSLs)
|
|
existence via keyboard-interactive/pam, in conjunction with previous
auth2-chall.c change; with Colin Watson and djm.
|
|
[auth-bsdauth.c auth2-chall.c]
Have keyboard-interactive code call the drivers even for responses for
invalid logins. This allows the drivers themselves to decide how to
handle them and prevent leaking information where possible. Existing
behaviour for bsdauth is maintained by checking authctxt->valid in the
bsdauth driver. Note that any third-party kbdint drivers will now need
to be able to handle responses for invalid logins. ok markus@
|
|
[sshd.c]
Make debugging output continue after reexec; ok djm@
|
|
[moduli.c]
Correct spelling: SCHNOOR->SCHNORR; ok djm@
|
|
[sshd_config.5]
`login'(n) -> `log in'(v);
|
|
[sshconnect.c]
remove dead code, log connect() failures with level error, ok djm@
|
|
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
bz #898: support AddressFamily in sshd_config. from
peak@argo.troja.mff.cuni.cz; ok deraadt@
|
|
[ssh-keygen.c]
leak; from mpech
|
|
[session.c]
check for NULL; from mpech
|