Age | Commit message (Collapse) | Author |
|
- Add support for multiple required authentication in SSH protocol 2 via
an AuthenticationMethods option (closes: #195716).
- Fix Sophie Germain formula in moduli(5) (closes: #698612).
- Update ssh-copy-id to Phil Hands' greatly revised version (closes:
#99785, #322228, #620428; LP: #518883, #835901, #1074798).
|
|
|
|
[openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
so mark it as broken. Patch from des AT des.no
|
|
Add a usleep replacement for platforms that lack it; ok dtucker
|
|
an argument. Pointed out by djm.
|
|
group strto* function prototypes together.
|
|
openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
platforms that don't have it.
|
|
|
|
Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
|
|
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
[openbsd-compat/openssl-compat.h]
remove ACSS, now that it is gone from libcrypto too
|
|
libcrypto that lacks EVP_CIPHER_CTX_ctrl
|
|
__attribute__ on return values and work around if necessary. ok djm@
|
|
version.
|
|
Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
prototypes for openssl-1.0.0-fips.
|
|
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
cipher compat code to openssl-compat.h
|
|
TAILQ_FOREACH_SAFE needed for upcoming changes.
|
|
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids
and gids from uidswap.c to the compat library, which allows it to work with
the new setresuid calls in auth2-pubkey. with tim@, ok djm@
|
|
- Enable pre-auth sandboxing by default for new installs.
- Allow "PermitOpen none" to refuse all port-forwarding requests
(closes: #543683).
|
|
|
|
for compatibility with future mingw-w64 headers. Patch from vinschen at
redhat com.
|
|
platforms that don't have it. "looks good" tim@
|
|
pointer deref in the client when built with LDNS and using DNSSEC with a
CNAME. Patch from gregdlg+mr at hochet info.
|
|
- Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections
(closes: #643312, #650512).
- Add a new privilege separation sandbox implementation for Linux's new
seccomp sandbox, automatically enabled on platforms that support it.
(Note: privilege separation sandboxing is still experimental.)
|
|
|
|
assumptions when building on Cygwin; patch from Corinna Vinschen
|
|
systems where sshd is run in te wrong context. Patch from Sven
Vermeulen; ok dtucker@
|
|
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
ok dtucker@
|
|
preserved Cygwin environment variables; from Corinna Vinschen
|
|
null implementation of HMAC_CTX_init for the benefit of old versions
of OpenSSL that don't have it.
|
|
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr)
with some rework from myself and djm. ok djm.
|
|
|
|
openbsd-compat/strnlen.c] Add strnlen to the compat library.
|
|
of static __findenv() function from upstream setenv.c
|
|
[openbsd-compat/inet_ntop.c]
fix inet_ntop(3) prototype; ok millert@ libc to be bumbed very soon
|
|
marker. The upstream API has changed (function and structure names)
enough to put it out of sync with other providers of this interface.
|
|
The file was totally rewritten between what we had in tree and -current.
|
|
[mktemp.c]
Remove useless code, the kernel will set errno appropriately if an
element in the path does not exist. OK deraadt@ pvalchev@
|
|
[mktemp.c]
use arc4random_uniform(); ok djm millert
|
|
upstream version is YPified and we don't want this
|
|
[mktemp.c]
Comment fix about time consumption of _gettemp.
FreeBSD did this in revision 1.20.
OK deraadt@, krw@
|
|
longer want to sync this file (OpenBSD uses a __getcwd syscall now, we
want this longhand version)
|
|
[openbsd-compat/strlcpy.c]
Convert do {} while loop -> while {} for clarity. No binary change
on most architectures. From Oliver Smith. OK deraadt@ and henning@
|
|
[glob.c]
fix GLOB_KEEPSTAT without GLOB_NOSORT; the implicit sort was being
applied only to the gl_pathv vector and not the corresponding gl_statv
array. reported in OpenSSH bz#1935; feedback and okay matthew@
|
|
[glob.c]
In glob(3), limit recursion during matching attempts. Similar to
fnmatch fix. Also collapse consecutive '*' (from NetBSD).
ok miod deraadt
|
|
[openbsd-compat/glob.c]
When the max number of items for a directory has reached GLOB_LIMIT_READDIR
an error is returned but closedir() is not called.
spotted and fix provided by Frank Denis obsd-tech@pureftpd.org
ok otto@, millert@
|
|
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
|
|
|
|
to switch SELinux context away from unconfined_t, based on patch from
Jan Chadima; bz#1919 ok dtucker@
|
|
binary_pipe is no longer required on Cygwin; patch from Corinna Vinschen
|
|
change error by reporting old and new context names Patch from
jchadima at redhat.
|