summaryrefslogtreecommitdiff
path: root/Makefile.in
AgeCommit message (Collapse)Author
2017-10-04Install authorized_keys(5) as a symlink to sshd(8)Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2017-10-04GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
2017-08-25Split platform_sys_dir_uid into its own fileDamien Miller
platform.o is too heavy for libssh.a use; it calls into the server on many platforms. Move just the function needed by misc.c into its own file.
2017-08-23misc.c needs functions from platform.c nowDamien Miller
2017-07-21upstream commitdjm@openbsd.org
remove post-SSHv1 removal dead code from rsa.c and merge the remaining bit that it still used into ssh-rsa.c; ok markus Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
2017-05-09clean up regress files and add a .gitignoreDamien Miller
2017-05-01upstream commitdjm@openbsd.org
remove the (in)famous SSHv1 CRC compensation attack detector. Despite your cameo in The Matrix movies, you will not be missed. ok markus Upstream-ID: 44261fce51a56d93cdb2af7b6e184be629f667e0
2017-05-01upstream commitdjm@openbsd.org
remove SSH1 make flag and associated files ok markus@ Upstream-ID: ba9feacc5787337c413db7cf26ea3d53f854cfef
2017-05-01upstream commitdjm@openbsd.org
remove SSHv1 ciphers; ok markus@ Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-03-29Remove SHA256 EVP wrapper implementation.Darren Tucker
All supported versions of OpenSSL should now have SHA256 so remove our EVP wrapper implementaion. ok djm@
2017-03-14Plumb conversion test into makefile.Darren Tucker
2017-03-14Add a "unit" target to run only unit tests.Darren Tucker
2016-12-08Check for utf8 local support before testing it.Darren Tucker
Check for utf8 local support and if not found, do not attempt to run the utf8 tests. Suggested by djm@
2016-09-29upstream commitdjm@openbsd.org
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-08-23hook match and utf8 unittests up to MakefileDamien Miller
2016-08-14upstream commitmarkus@openbsd.org
remove ssh1 server code; ok djm@ Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-07-18Explicitly specify source files for regress tools.Darren Tucker
Since adding $(REGRESSLIBS), $? is wrong because it includes only the changed source files. $< seems like it'd be right however it doesn't seem to work on some non-GNU makes, so do what works everywhere.
2016-07-18Add dependency on libs for unit tests.Darren Tucker
Makes "./configure && make tests" work again. ok djm@
2016-07-18Correct location for kexfuzz in clean target.Darren Tucker
2016-07-15Map umac_ctx struct name too.Darren Tucker
Prevents size mismatch linker warnings on Solaris 11.
2016-06-15Move platform_disable_tracing into its own file.Darren Tucker
Prevents link errors resolving the extern "options" when platform.o gets linked into ssh-agent when building --with-pam.
2016-06-09Move prctl PR_SET_DUMPABLE into platform.c.Darren Tucker
This should make it easier to add additional platform support such as Solaris (bz#2584).
2016-06-06Fix utf->utf8 typo.Darren Tucker
2016-06-06upstream commitschwarze@openbsd.org
To prevent screwing up terminal settings when printing to the terminal, for ASCII and UTF-8, escape bytes not forming characters and bytes forming non-printable characters with vis(3) VIS_OCTAL. For other character sets, abort printing of the current string in these cases. In particular, * let scp(1) respect the local user's LC_CTYPE locale(1); * sanitize data received from the remote host; * sanitize filenames, usernames, and similar data even locally; * take character display widths into account for the progressmeter. This is believed to be sufficient to keep the local terminal safe on OpenBSD, but bad things can still happen on other systems with state-dependent locales because many places in the code print unencoded ASCII characters into the output stream. Using feedback from djm@ and martijn@, various aspects discussed with many others. deraadt@ says it should go in now, i probably already hesitated too long Upstream-ID: e66afbc94ee396ddcaffd433b9a3b80f387647e0
2016-03-14Pass supported malloc options to connect-privsep.Darren Tucker
This allows us to activate only the supported options during the malloc option portion of the connect-privsep test.
2016-03-08make a regress-binaries targetDamien Miller
Easier to build all the regression/unit test binaries in one pass than going through all of ${REGRESS_BINARIES}
2016-03-04hook unittests/misc/kexfuzz into buildDamien Miller
2016-02-23Disable tests where fs perms are incorrectDamien Miller
Some tests have strict requirements on the filesystem permissions for certain files and directories. This adds a regress/check-perm tool that copies the relevant logic from sshd to exactly test the paths in question. This lets us skip tests when the local filesystem doesn't conform to our expectations rather than continuing and failing the test run. ok dtucker@
2016-01-27upstream commitmarkus@openbsd.org
remove roaming support; ok djm@ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-08Support Illumos/Solaris fine-grained privilegesDamien Miller
Includes a pre-auth privsep sandbox and several pledge() emulations. bz#2511, patch by Alex Wilson. ok dtucker@
2015-11-09upstream commitjmc@openbsd.org
remove slogin links; ok deraadt markus djm Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730
2015-10-14upstream commitderaadt@openbsd.org
Change all tame callers to namechange to pledge(2). Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
2015-10-08hook tame(2) sandbox up to buildDamien Miller
OpenBSD only for now
2015-09-14Use ssh-keygen -A when generating host keys.Darren Tucker
Use ssh-keygen -A instead of per-keytype invocations when generating host keys. Add tests when doing host-key-force since we can't use ssh-keygen -A since it can't specify alternate locations. bz#2459, ok djm@
2015-02-25Revert "Work around finicky USL linker so netcat will build."Tim Rice
This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b. No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3
2015-02-24Work around finicky USL linker so netcat will build.Tim Rice
2015-02-21mkdir kex unit test directory so testing out of tree builds worksTim Rice
2015-02-22mkdir hostkey and bitmap unit test directoriesDamien Miller
2015-02-17hook up hostkeys unittest to portable MakefilesDamien Miller
2015-01-20fix kex testDamien Miller
2015-01-20upstream commitmarkus@openbsd.org
finally enable the KEX tests I wrote some years ago...
2015-01-20upstream commitmarkus@openbsd.org
add experimental api for packet layer; ok djm@
2015-01-20upstream commitmarkus@openbsd.org
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
2015-01-15make bitmap test compileDamien Miller
2015-01-15upstream commitdjm@openbsd.org
unit tests for KRL bitmap
2015-01-15support --without-openssl at configure timeDamien Miller
Disables and removes dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on system with native arc4random or /dev/urandom. Considered highly experimental for now.
2015-01-15upstream commitdjm@openbsd.org
avoid BIGNUM in KRL code by using a simple bitmap; feedback and ok markus
2014-12-23include and use OpenBSD netcat in regress/Damien Miller
2014-08-30 - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@Damien Miller
2014-08-21 - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.Damien Miller