Commit message | Author | Age | Files | Lines
* upstream: lots of typos in comments/docs. Patch from Karsten Weiss | djm@openbsd.org | 2018-04-10 | 22 | -54/+54
  after checking with codespell tool (https://github.com/lucasdemarchi/codespell)
  OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
* upstream: don't kill ssh-agent's listening socket entirely if we | djm@openbsd.org | 2018-04-10 | 1 | -4/+3
  fail to accept a connection; bz#2837, patch from Lukas Kuster
  OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
* upstream: the UseLogin option was removed, so remove it here too. | tj@openbsd.org | 2018-04-10 | 1 | -2/+1
  ok dtucker
  OpenBSD-Commit-ID: 7080be73a64d68e21f22f5408a67a0ba8b1b6b06
* upstream: tweak previous; | jmc@openbsd.org | 2018-04-10 | 1 | -4/+4
  OpenBSD-Commit-ID: 2b9c23022ea7b9dddb62864de4e906000f9d7474
* upstream: tweak previous; | jmc@openbsd.org | 2018-04-10 | 1 | -5/+5
  OpenBSD-Commit-ID: 38e347b6f8e888f5e0700d01abb1eba7caa154f9
* upstream: Allow "SendEnv -PATTERN" to clear environment variables | djm@openbsd.org | 2018-04-06 | 2 | -9/+50
  previously labeled for sending. bz#1285 ok dtucker@
  OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
* upstream: relax checking of authorized_keys environment="..." | djm@openbsd.org | 2018-04-06 | 1 | -2/+2
  options to allow underscores in variable names (regression introduced in 7.7). bz2851, ok deraadt@
  OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
* upstream: add a couple of missed options to the config dump; patch | djm@openbsd.org | 2018-04-06 | 1 | -1/+9
  from Jakub Jelen via bz2835
  OpenBSD-Commit-ID: 5970adadf6ef206bee0dddfc75d24c2019861446
* upstream: ssh does not accept -oInclude=... on the commandline, the | djm@openbsd.org | 2018-04-06 | 1 | -3/+2
  Include keyword is for configuration files only. bz#2840, patch from Jakub Jelen
  OpenBSD-Commit-ID: 32d052b4a7a7f22df35fe3f71c368c02b02cacb0
* upstream: We don't offer CBC cipher by default any more. Spotted by | djm@openbsd.org | 2018-04-06 | 1 | -4/+3
  Renaud Allard (via otto@)
  OpenBSD-Commit-ID: a559b1eef741557dd959ae378b665a2977d92dca
* upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for | job@openbsd.org | 2018-04-06 | 4 | -14/+18
  interactive and CS1 for bulk

  AF21 was selected as this is the highest priority within the low-latency service class (and it is higher than what we have today). SSH is elastic and time-sensitive data, where a user is waiting for a response via the network in order to continue with a task at hand. As such, these flows should be considered foreground traffic, with delays or drops to such traffic directly impacting user-productivity.

  For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable networks implementing a scavenger/lower-than-best effort class to discriminate scp(1) below normal activities, such as web surfing. In general this type of bulk SSH traffic is a background activity.

  An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH is that they are recognisable values on all common platforms (IANA https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and for AF21 specifically a definition of the intended behavior exists https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

  The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE 802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate", or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e, MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

  OK deraadt@, "no objection" djm@

  OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
* upstream: Import regenerated moduli file. | dtucker@openbsd.org | 2018-04-06 | 1 | -0/+1
  OpenBSD-Commit-ID: 1de0e85522051eb2ffa00437e1885e9d7b3e0c2e
* upstream: Add test for username options parsing order, prompted by | dtucker@openbsd.org | 2018-04-06 | 1 | -1/+12
  bz#2849.
  OpenBSD-Regress-ID: 6985cd32f38596882a3ac172ff8c510693b65283
* Expose SSH_AUTH_INFO_0 to PAM auth modules | Damien Miller | 2018-04-06 | 1 | -20/+22
  bz#2408, patch from Radoslaw Ejsmont; ok dtucker@
* Import regenerated moduli file. | Darren Tucker | 2018-04-03 | 1 | -406/+437
* update versions in .spec files [V_7_7_P1] | Damien Miller | 2018-04-02 | 2 | -2/+2
* update version number | Damien Miller | 2018-04-02 | 1 | -1/+1
* Disable native strndup and strnlen on AIX. | Darren Tucker | 2018-03-30 | 3 | -2/+4
  On at least some revisions of AIX, strndup returns unterminated strings under some conditions, apparently because strnlen returns incorrect values in those cases. Disable both on AIX and use the replacements from openbsd-compat. Fixes problem with ECDSA keys there, ok djm.
* Include ssh_api.h for struct ssh. | Darren Tucker | 2018-03-26 | 3 | -0/+3
  struct ssh is needed by implementations of sys_auth_passwd() that were converted in commit bba02a50. Needed to fix build on AIX, I assume for the other platforms too (although it should be harmless if not needed).
* Remove UNICOS code missed during removal. | Darren Tucker | 2018-03-26 | 1 | -14/+0
  Fixes compile error on AIX.
* upstream: openssh-7.7 | markus@openbsd.org | 2018-03-26 | 1 | -1/+1
  OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
* Remove authinfo.sh test dependency on printenv | Damien Miller | 2018-03-26 | 1 | -1/+1
  Some platforms lack printenv in the default $PATH. Reported by Tom G. Christensen
* Use libiaf on all sysv5 systems | Tim Rice | 2018-03-25 | 1 | -5/+1
* modified: auth-sia.c | Tim Rice | 2018-03-25 | 3 | -3/+6
  modified: openbsd-compat/port-aix.c
  modified: openbsd-compat/port-uw.c
  propagate changes to auth-passwd.c in commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 to other providers of sys_auth_passwd()
* upstream: openssh-7.7 | markus@openbsd.org | 2018-03-25 | 1 | -1/+1
  OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
* upstream: fix bogus warning when signing cert keys using agent; | markus@openbsd.org | 2018-03-25 | 1 | -1/+3
  from djm; ok deraadt dtucker
  OpenBSD-Commit-ID: 12e50836ba2040042383a8b71e12d7ea06e9633d
* Replace /dev/stdin with "-". | Darren Tucker | 2018-03-25 | 1 | -2/+2
  For some reason sftp -b doesn't work with /dev/stdin on Cygwin, as noted and suggested by vinschen at redhat.com.
* Provide $OBJ to paths in PuTTY interop tests. | Darren Tucker | 2018-03-23 | 4 | -4/+7
* upstream: Tell puttygen to use /dev/urandom instead of /dev/random. On | dtucker@openbsd.org | 2018-03-23 | 1 | -1/+2
  OpenBSD they are both non-blocking, but on many other -portable platforms it blocks, stalling tests.
  OpenBSD-Regress-ID: 397d0d4c719c353f24d79f5b14775e0cfdf0e1cc
* upstream: ssh/xmss: fix build; ok djm@ | markus@openbsd.org | 2018-03-23 | 1 | -2/+2
  OpenBSD-Commit-ID: c9374ca41d4497f1c673ab681cc33f6e7c5dd186
* upstream: ssh/xmss: fix deserialize for certs; ok djm@ | markus@openbsd.org | 2018-03-23 | 1 | -1/+6
  OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
* Save $? before case statement. | Darren Tucker | 2018-03-22 | 1 | -2/+3
  In some shells (FreeBSD 9, ash) the case statement resets $?, so save for later testing.
* upstream: rename recently-added "valid-before" key restriction to | djm@openbsd.org | 2018-03-14 | 1 | -5/+5
  "expiry-time" as the former is confusing wrt similar terminology in X.509; pointed out by jsing@
  OpenBSD-Regress-ID: ac8b41dbfd90cffd525d58350c327195b0937793
* upstream: check valid-before option in authorized_keys | djm@openbsd.org | 2018-03-14 | 1 | -2/+19
  OpenBSD-Regress-ID: 7e1e4a84f7f099a290e5a4cbf4196f90ff2d7e11
* upstream: explicitly specify RSA/SHA-2 keytype here too | djm@openbsd.org | 2018-03-14 | 2 | -4/+5
  OpenBSD-Regress-ID: 74d7b24e8c72c27af6b481198344eb077e993a62
* upstream: explicitly include RSA/SHA-2 keytypes in | djm@openbsd.org | 2018-03-14 | 1 | -4/+5
  PubkeyAcceptedKeyTypes here
  OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
* upstream: sort expiry-time; | jmc@openbsd.org | 2018-03-14 | 1 | -5/+5
  OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
* upstream: rename recently-added "valid-before" key restriction to | djm@openbsd.org | 2018-03-14 | 2 | -5/+5
  "expiry-time" as the former is confusing wrt similar terminology in X.509; pointed out by jsing@
  OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
* upstream: add valid-before="[time]" authorized_keys option. A | djm@openbsd.org | 2018-03-14 | 8 | -56/+128
  simple way of giving a key an expiry date. ok markus@
  OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
* Add AC_LANG_PROGRAM to AC_COMPILE_IFELSE. | Darren Tucker | 2018-03-12 | 1 | -4/+4
  The recently added MIPS ABI tests need AC_LANG_PROGRAM to prevent warnings from autoconf. Pointed out by klausz at haus-gisela.de.
* upstream: revert recent strdelim() change, it causes problems with | djm@openbsd.org | 2018-03-12 | 1 | -19/+8
  some configs.
  revision 1.124
  date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid: nNRsCijZiGG6SUTT;
  Allow escaped quotes \" and \' in ssh_config and sshd_config quotes option strings.
  bz#1596 ok markus@
  OpenBSD-Commit-ID: 59c40b1b81206d713c06b49d8477402c86babda5
* upstream: move the input format details to -f; remove the output | jmc@openbsd.org | 2018-03-12 | 1 | -24/+9
  format details and point to sshd(8), where it is documented; ok dtucker
  OpenBSD-Commit-ID: 95f17e47dae02a6ac7329708c8c893d4cad0004a
* configure.ac: properly set seccomp_audit_arch for MIPS64 | Vicente Olivert Riera | 2018-03-08 | 1 | -2/+16
  Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or AUDIT_ARCH_MIPSEL64 (depending on the endianness) when openssh is built for MIPS64. However, that's only valid for n64 ABI. The right macros for n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.

  Because of that an sshd built for MIPS64 n32 rejects connection attempts and the output of strace reveals that the problem is related to seccomp audit:

    [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x555d5da0}) = 0
    [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
    [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP}, {fd=6, revents=POLLHUP}])
    [pid 194] +++ killed by SIGSYS +++

  This patch fixes that problem by setting the right value to seccomp_audit_arch taking into account the MIPS64 ABI.

  Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
* configure.ac: detect MIPS ABI | Vicente Olivert Riera | 2018-03-08 | 1 | -0/+21
  Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
* Use https URLs for links that support it. | Alan Yee | 2018-03-08 | 1 | -7/+7
* Disable UTMPX on SunOS4. | Darren Tucker | 2018-03-05 | 1 | -0/+1
* Check for and work around buggy fflush(NULL). | Darren Tucker | 2018-03-05 | 3 | -0/+30
  Some really old platforms (eg SunOS4) segfault on fflush(NULL) so check for and work around. With klausz at haus-gisela.de.
* Remove extra XMSS #endif | Darren Tucker | 2018-03-05 | 1 | -1/+0
  Extra #endif breaks compile with -DWITH_XMSS. Pointed out by Jack Schmidt via github.
* upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18 | dtucker@openbsd.org | 2018-03-04 | 1 | -3/+3
  bumped the minimum from 768 to 1024, update man page accordingly.
  OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
* upstream: for the pty control tests, just check that the PTY path | djm@openbsd.org | 2018-03-04 | 1 | -4/+9
  points to something in /dev (rather than checking the device node itself); makes life easier for portable, where systems with dynamic ptys can delete nodes before we get around to testing their existence.
  OpenBSD-Regress-ID: b1e455b821e62572bccd98102f8dd9d09bb94994