| Age | Commit message (Collapse) | Author |
|---|
|
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2013-09-14
Patch-Name: user-group-modes.patch
|
|
On startup, check to see if sshd is already daemonized
and if so, skip the call to daemon() and do not rewrite the PidFile. This
means that when sshd re-execs itself on SIGHUP the process ID will no longer
change. Should address bz#2641. ok djm@ markus@.
Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
|
|
Factor out "can bind to low ports" check into its own function. This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
deraadt@.
Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
|
|
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
|
|
don't record duplicate LocalForward and RemoteForward
entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation
where the same forwards are added on the second pass through the
configuration file. bz#2562; ok dtucker@
Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
|
|
Another use for fcntl() and thus of the superfluous 3rd
parameter is when sanitising standard fd's before calling daemon().
Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.
ok jca@ beck@
Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
|
|
Apply all of the portability changes in monotime() to monotime() double.
Fixes build on at least older FreeBSD systems.
|
|
Improve precision of progressmeter for sftp and scp by
storing sub-second timestamps. Pointed out by mmcc@, ok deraadt@ markus@
Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab
|
|
Include sys/time.h for gettimeofday. From sortie at
maxsi.org.
Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
|
|
It isn't necessary and runs afoul of pledge(2) restrictions.
|
|
Properly handle invalid %-format by calling fatal.
ok deraadt, djm
Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac
|
|
Handle the split of tun(4) "link0" into tap(4) in ssh
tun-forwarding. Adapted from portable (using separate devices for this is the
normal case in most OS). ok djm@
Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39
|
|
don't try to change tun device flags if they are already
what we need; makes it possible to use tun/tap networking as non- root user
if device permissions and interface flags are pre-established; based on patch
by Ossi Herrala
Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21
|
|
rename xrealloc() to xreallocarray() since it follows
that form. ok djm
|
|
Replace <sys/param.h> with <limits.h> and other less
dirty headers where possible. Annotate <sys/param.h> lines with their
current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
These are the files confirmed through binary verification. ok guenther,
millert, doug (helped with the verification protocol)
|
|
Remove unnecessary include: netinet/in_systm.h is not needed
by these programs.
NB. skipped for portable
ok deraadt@ millert@
|
|
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
when it is available. It takes into account time spent suspended,
thereby ensuring timeouts (e.g. for expiring agent keys) fire
correctly. bz#2228 reported by John Haxby
|
|
[misc.c misc.h umac.c]
use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
strict-alignment architectures; reported by and ok stsp@
|
|
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
refactor client config code a little:
add multistate option partsing to readconf.c, similar to servconf.c's
existing code.
move checking of options that accept "none" as an argument to readconf.c
add a lowercase() function and use it instead of explicit tolower() in
loops
part of a larger diff that was ok markus@
|
|
mistakenly included in the previous commit.
|
|
CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
CLOCK_MONOTONIC define but don't actually support it. Found and tested
by Kevin Brott, ok djm.
|
|
[misc.c]
in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
errno == 0. Avoids confusing error message in some broken resolver
cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
|
|
back to time(NULL) if we can't find it anywhere.
|
|
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
channels.c sandbox-systrace.c]
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.
|
|
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@
|
|
[misc.c]
remove extra parens noticed by nicm
|
|
[misc.c]
use xasprintf instead of a series of strlcats and strdup. ok djm
|
|
platforms, such as Android, that lack struct passwd.pw_gecos. Report
and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@
|
|
[misc.c]
fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
|
|
[misc.c misc.h servconf.c]
print ipqos friendly string for sshd -T; ok markus
# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput
|
|
|
|
[clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c]
honour $TMPDIR for client xauth and ssh-agent temporary directories;
feedback and ok markus@
|
|
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
[servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
|
[misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h]
[openbsd-compat/timingsafe_bcmp.c]
Add timingsafe_bcmp(3) to libc, mention that it's already in the
kernel in kern(9), and remove it from OpenSSH.
ok deraadt@, djm@
NB. re-added under openbsd-compat/ for portable OpenSSH
|
|
[atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c]
[sftp-client.h sftp.1 sftp.c]
add an option per-read/write callback to atomicio
factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism
add a bandwidth limit option to sftp(1) using the above
"very nice" markus@
|
|
[misc.c]
sync timingsafe_bcmp() with the one dempsky@ committed to sys/lib/libkern
|
|
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c]
[ssh-rsa.c]
s/timing_safe_cmp/timingsafe_bcmp/g
|
|
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
[packet.c ssh-rsa.c]
implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
|
|
[misc.c]
unbreak strdelim() skipping past quoted strings, e.g.
AllowUsers "blah blah" blah
was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com
ok dtucker;
|
|
- djm@cvs.openbsd.org 2010/05/21 05:00:36
[misc.c]
colon() returns char*, so s/return (0)/return NULL/
|
|
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
Remove RoutingDomain from ssh since it's now not needed. It can be
replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
also ensures that trafic such as DNS lookups stays withing the specified
routingdomain. For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
|
|
Remove hacks add for RoutingDomain in preparation for its removal.
|
|
have it.
|
|
to eliminate an unused variable warning.
|
|
be created.
|
|
RoutingDomain an unsupported option on platforms that don't have it.
|
|
[readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@
|
|
[misc.c]
correct off-by-one in percent_expand(): we would fatal() when trying
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
work. Note that nothing in OpenSSH actually uses close to this limit at
present. bz#1607 from Jan.Pechanec AT Sun.COM
|
