Age | Commit message (Collapse) | Author |
|
|
|
platform.c
|
|
the LOGIN_CAP case into platform.c.
|
|
|
|
platform.c
|
|
after the user's groups are established and move the selinux calls into it.
|
|
openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
ok djm@
|
|
[channels.c session.c]
bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@
|
|
[session.c]
include the user name on "subsystem request for ..." log messages;
bz#1571; ok dtucker@
|
|
[session.c]
Missing check for chroot_director == "none" (we already checked against
NULL); bz#1564 from Jan.Pechanec AT Sun.COM
|
|
[session.c]
set stderr to /dev/null for subsystems rather than just closing it.
avoids hangs if a subsystem or shell initialisation writes to stderr.
bz#1750; ok markus@
|
|
set up SELinux execution context before chroot() call. From Russell
Coker via Colin watson; bz#1726 ok dtucker@
|
|
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@
|
|
setpcred.
|
|
do not set real uid, since that's needed for the chroot, and will be set
by permanently_set_uid.
|
|
[session.c]
Add explicit stat so we reliably detect nologin with bad perms.
ok djm markus
|
|
[session.c]
Do not allow logins if /etc/nologin exists but is not readable by the user
logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
|
|
[session.c]
Warn but do not fail if stat()ing the subsystem binary fails. This helps
with chrootdirectory+forcecommand=sftp-server and restricted shells.
bz #1599, ok djm.
|
|
[session.c]
bz#1606: error when an attempt is made to connect to a server
with ForceCommand=internal-sftp with a shell session (i.e. not a
subsystem session). Avoids stuck client when attempting to ssh to such a
service. ok dtucker@
|
|
is enabled set the security context to "sftpd_t" before running the
internal sftp server Based on a patch from jchadima at redhat.
|
|
[session.c]
bz#1596: fflush(NULL) before exec() to ensure that everying (motd
in particular) has made it out before the streams go away.
|
|
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_sesson. Based on a patch from David Leonard.
|
|
header-order changes to reduce diff vs OpenBSD.
|
|
[session.c]
use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server;
ok djm@ markus@
|
|
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
version of Cygwin. Patch from vinschen at redhat com.
|
|
[channels.c channels.h session.c]
make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@
|
|
[session.c ssh.1]
typo fixed (overriden -> overridden)
ok espie, jmc
|
|
[session.c]
Convert an unchecked strdup to xstrdup. OK deraadt@
|
|
[session.c]
allow ForceCommand internal-sftp with arguments. based on patch from
michael.barabanov AT gmail.com; ok markus@
|
|
[session.c channels.c]
Rename the isatty argument to is_tty so we don't shadow
isatty(3). ok markus@
|
|
[channels.c channels.h session.c]
don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus
|
|
[session.c]
suppress the warning message from chdir(homedir) failures
when chrooted (bz#1461); ok dtucker
|
|
[session.c]
re-add the USE_PIPES code and enable it.
without pipes shutdown-read from the sshd does not trigger
a SIGPIPE when the forked program does a write.
ok djm@
(Id sync only, USE_PIPES never left portable OpenSSH)
|
|
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
|
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
[monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
[ssh.c sshd.c]
Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).
Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
|
|
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
|
|
[session.c]
remove unneccessary parentheses
|
|
[auth-options.c auth-options.h session.c sshd.8]
add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
|
|
[session.c]
last patch had backwards test; spotted by termim AT gmail.com
|
|
[session.c sshd_config.5]
ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
from dtucker@ ok deraadt@ djm@
|
|
chroot. Allows ChrootDirectory to work with selinux support compiled in
but not enabled. Using it with selinux enabled will require some selinux
support inside the chroot. "looks sane" djm@
|
|
crashes when used with ChrootDirectory
|
|
pam_open_session and pam_close_session into the privsep monitor, which
will ensure that pam_session_close is called as root. Patch from Tomas
Mraz.
|
|
[session.c]
closefrom() call was too early, delay it until just before we execute
the user's rc files (if any).
|
|
[session.c]
correct boolean encoding for coredump; der Mouse via dugsong
|
|
[servconf.h session.c sshd.c]
rekey arc4random and OpenSSL RNG in postauth child
closefrom fds > 2 before shell/command execution
ok markus@
|
|
[servconf.c session.c]
delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)
|
|
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
[sshd_config.5]
add sshd_config ChrootDirectory option to chroot(2) users to a directory
and tweak internal sftp server to work with it (no special files in
chroot required). ok markus@
|
|
[session.c sftp-server.c sftp.h]
link sftp-server into sshd; feedback and ok djm@
|
|
[session.c ssh-keygen.c sshlogin.c]
use strcspn to properly overwrite '\n' in fgets returned buffer
ok pyr@, ray@, millert@, moritz@, chl@
|