summaryrefslogtreecommitdiff
path: root/ssh.c
AgeCommit message (Collapse)Author
2014-05-15 - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-04-01 - (djm) Use full release (e.g. 6.5p1) in debug output rather than justDamien Miller
version. From des@des.no
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:18:37Damien Miller
[ssh.c] bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@
2014-02-04 - djm@cvs.openbsd.org 2014/02/04 00:24:29Damien Miller
[ssh.c] delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@
2014-02-04 - tedu@cvs.openbsd.org 2014/01/31 16:39:19Damien Miller
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] replace most bzero with explicit_bzero, except a few that cna be memset ok djm dtucker
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 05:42:16Damien Miller
[ssh.c] don't forget to load Ed25519 certs too
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:39:49Damien Miller
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
2013-12-05 - jmc@cvs.openbsd.org 2013/11/26 12:14:54Damien Miller
[ssh.1 ssh.c] - put -Q in the right place - Ar was a poor choice for the arguments to -Q. i've chosen an admittedly equally poor Cm, at least consistent with the rest of the docs. also no need for multiple instances - zap a now redundant Nm - usage() sync
2013-12-05 - deraadt@cvs.openbsd.org 2013/11/25 18:04:21Damien Miller
[ssh.1 ssh.c] improve -Q usage and such. One usage change is that the option is now case-sensitive ok dtucker markus djm
2013-11-21 - djm@cvs.openbsd.org 2013/11/21 00:45:44Damien Miller
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
2013-11-08 - dtucker@cvs.openbsd.org 2013/11/07 11:58:27Damien Miller
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
2013-10-26 - djm@cvs.openbsd.org 2013/10/25 23:04:51Damien Miller
[ssh.c] fix crash when using ProxyCommand caused by previous commit - was calling freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
2013-10-24 - djm@cvs.openbsd.org 2013/10/24 08:19:36Damien Miller
[ssh.c] fix bug introduced in hostname canonicalisation commit: don't try to resolve hostnames when a ProxyCommand is set unless the user has forced canonicalisation; spotted by Iain Morgan
2013-10-23 - djm@cvs.openbsd.org 2013/10/23 03:05:19Damien Miller
[readconf.c ssh.c] comment
2013-10-17 - djm@cvs.openbsd.org 2013/10/17 00:46:49Damien Miller
[ssh.c] rearrange check to reduce diff against -portable (Id sync only)
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:58:01Damien Miller
[ssh.c ssh_config.5] one I missed in previous: s/isation/ization/
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:49:39Damien Miller
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 02:31:47Damien Miller
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] [sshconnect.c sshconnect.h] Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@
2013-10-15 - [ssh.c] g/c unused variable.Damien Miller
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 23:31:01Damien Miller
[ssh.c] whitespace at EOL; pointed out by markus@
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 23:28:23Damien Miller
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] refactor client config code a little: add multistate option partsing to readconf.c, similar to servconf.c's existing code. move checking of options that accept "none" as an argument to readconf.c add a lowercase() function and use it instead of explicit tolower() in loops part of a larger diff that was ok markus@
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 22:22:05Damien Miller
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] add a "Match" keyword to ssh_config that allows matching on hostname, user and result of arbitrary commands. "nice work" markus@
2013-07-25 - djm@cvs.openbsd.org 2013/07/25 00:29:10Damien Miller
[ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging
2013-07-20 - djm@cvs.openbsd.org 2013/07/20 01:44:37Damien Miller
[ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd
2013-07-18 - djm@cvs.openbsd.org 2013/07/12 05:48:55Damien Miller
[ssh.c] set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
2013-06-02 - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
2013-04-23 - djm@cvs.openbsd.org 2013/04/19 11:10:18Damien Miller
[ssh.c] add -Q to usage; reminded by jmc@
2013-04-23 - djm@cvs.openbsd.org 2013/04/19 01:06:50Damien Miller
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
2013-04-23 - dtucker@cvs.openbsd.org 2013/04/07 02:10:33Damien Miller
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c] Add -E option to ssh and sshd to append debugging logs to a specified file instead of stderr or syslog. ok markus@, man page help jmc@
2013-04-23 - djm@cvs.openbsd.org 2013/03/08 06:32:58Damien Miller
[ssh.c] allow "ssh -f none ..." ok markus@
2013-04-05 - djm@cvs.openbsd.org 2013/02/22 22:09:01Darren Tucker
[ssh.c] Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier version)
2013-04-05 - dtucker@cvs.openbsd.org 2013/02/22 04:45:09Darren Tucker
[ssh.c readconf.c readconf.h] Don't complain if IdentityFiles specified in system-wide configs are missing. ok djm, deraadt
2013-04-05 - dtucker@cvs.openbsd.org 2013/02/17 23:16:57Darren Tucker
[readconf.c ssh.c readconf.h sshconnect2.c] Keep track of which IndentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. ok markus@
2012-07-06 - djm@cvs.openbsd.org 2012/07/06 01:47:38Damien Miller
[ssh.c] move setting of tty_flag to after config parsing so RequestTTY options are correctly picked up. bz#1995 patch from przemoc AT gmail.com; ok dtucker@
2012-07-02 - dtucker@cvs.openbsd.org 2012/07/02 08:50:03Darren Tucker
[ssh.c] set interactive ToS for forwarded X11 sessions. ok djm@
2011-11-04 - djm@cvs.openbsd.org 2011/10/24 02:10:46Darren Tucker
[ssh.c] bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh was incorrectly requesting the forward in both the control master and slave. skip requesting it in the master to fix. ok markus@
2011-11-04 - djm@cvs.openbsd.org 2011/10/18 05:15:28Darren Tucker
[ssh.c] ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
2011-10-02 - markus@cvs.openbsd.org 2011/09/23 07:45:05Darren Tucker
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h] unbreak remote portforwarding with dynamic allocated listen ports: 1) send the actual listen port in the open message (instead of 0). this allows multiple forwardings with a dynamic listen port 2) update the matching permit-open entry, so we can identify where to connect to report: den at skbkontur.ru and P. Szczygielski feedback and ok djm@
2011-09-22 - djm@cvs.openbsd.org 2011/09/09 22:46:44Damien Miller
[channels.c channels.h clientloop.h mux.c ssh.c] support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings; ok markus@
2011-08-06 - djm@cvs.openbsd.org 2011/08/02 23:15:03Damien Miller
[ssh.c] typo in comment
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 22:08:42Damien Miller
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c] hook up a channel confirm callback to warn the user then requested X11 forwarding was refused by the server; ok markus@
2011-06-03 - djm@cvs.openbsd.org 2011/06/03 00:54:38Damien Miller
[ssh.c] bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg AT googlemail.com; ok dtucker@ NB. includes additional portability code to enable setproctitle emulation on platforms that don't support it.
2011-05-29 - djm@cvs.openbsd.org 2011/05/24 07:15:47Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] Remove undocumented legacy options UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus
2011-05-15 - djm@cvs.openbsd.org 2011/05/06 21:38:58Damien Miller
[ssh.c] fix dropping from previous diff
2011-05-15 - djm@cvs.openbsd.org 2011/05/06 21:34:32Damien Miller
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] Add a RequestTTY ssh_config option to allow configuration-based control over tty allocation (like -t/-T); ok markus@
2011-05-15 - djm@cvs.openbsd.org 2011/05/06 21:18:02Damien Miller
[ssh.c ssh_config.5] add a %L expansion (short-form of the local host name) for ControlPath; sync some more expansions with LocalCommand; ok markus@
2011-05-05 - djm@cvs.openbsd.org 2011/04/17 22:42:42Damien Miller
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c] allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests; ok markus@
2011-05-05 - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]Damien Miller
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.
2011-01-25 - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.cDamien Miller
openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to port-linux.c to avoid compilation errors. Add -lselinux to ssh when building with SELinux support to avoid linking failure; report from amk AT spamfence.net; ok dtucker