summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Request RSA-SHA2 signatures forV_7_9djm@openbsd.org2018-12-281-3/+5
| | | | | | rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@ OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
* fix configure test for OpenSSL versionDamien Miller2018-11-231-1/+1
| | | | | | square brackets in case statements may be eaten by autoconf. Report and fix from Filipp Gunbin; tweaked by naddy@
* upstream: fix bug in HostbasedAcceptedKeyTypes anddjm@openbsd.org2018-11-161-5/+34
| | | | | | | | | PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
* Remove hardcoded service name in cygwin setup.Darren Tucker2018-11-111-1/+1
| | | | | bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check by vinschen at redhat.com.
* Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.Darren Tucker2018-11-081-1/+1
| | | | Prevents unnecessary redefinition. Patch from mforney at mforney.org.
* Include openssl compatibility.Darren Tucker2018-10-222-0/+3
| | | | Patch from rosenp at gmail.com via openssh-unix-dev.
* fix compile for openssl 1.0.x w/ --with-ssl-engineDamien Miller2018-10-221-1/+1
| | | | bz#2921, patch from cotequeiroz
* Require OpenSSL 1.1.x series 1.1.0g or greaterV_7_9_P1Damien Miller2018-10-171-9/+13
| | | | | | | Previous versions have a bug with EVP_CipherInit() when passed a NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613 ok dtucker@
* unbreak compilation with --with-ssl-engineDamien Miller2018-10-171-1/+1
| | | | Missing last argument to OPENSSL_init_crypto()
* Remove gcc spectre mitigation flags.Darren Tucker2018-10-161-9/+0
| | | | | | Current impementions of the gcc spectre mitigation flags cause miscompilations when combined with other flags and do not provide much protection. Found by fweimer at redhat.com, ok djm@
* Avoid deprecated OPENSSL_config when using 1.1.xDamien Miller2018-10-161-0/+6
| | | | | OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of OPENSSL_init_crypto; pointed out by Jakub Jelen
* Don't avoid our *sprintf replacements.Darren Tucker2018-10-121-0/+9
| | | | | Don't let systems with broken printf(3) avoid our replacements via asprintf(3)/vasprintf(3) calling libc internally. From djm@
* Check if snprintf understands %zu.Darren Tucker2018-10-121-0/+23
| | | | | If the platforms snprintf and friends don't understand %zu, use the compat replacement. Prevents segfaults on those platforms.
* remove stale link, tweakDamien Miller2018-10-121-5/+1
|
* update version numbers ahead of releaseDamien Miller2018-10-123-3/+3
|
* upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names todjm@openbsd.org2018-10-121-2/+3
| | | | | | older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
* update dependsDamien Miller2018-10-111-3/+3
|
* some more duplicated key algorithm linesDamien Miller2018-10-111-4/+0
| | | | From Adam Eijdenberg
* fix duplicated algorithm specification linesDamien Miller2018-10-111-4/+0
| | | | Spotted by Adam Eijdenberg
* upstream: typo in plain RSA algorithm counterpart names fordjm@openbsd.org2018-10-111-3/+3
| | | | | | certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
* check pw_passwd != NULL here tooDamien Miller2018-10-111-0/+3
| | | | | | Again, for systems with broken NIS implementations. Prompted by coolbugcheckers AT gmail.com
* check for NULL return from shadow_pw()Damien Miller2018-10-111-0/+3
| | | | | probably unreachable on this platform; pointed out by coolbugcheckers AT gmail.com
* upstream: introducing openssh 7.9deraadt@openbsd.org2018-10-111-2/+2
| | | | OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25
* supply callback to PEM_read_bio_PrivateKeyDamien Miller2018-10-111-1/+15
| | | | | | | | | | | | OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
* in pick_salt() avoid dereference of NULL passwordsDamien Miller2018-10-101-1/+2
| | | | | | | Apparently some NIS implementations can leave pw->pw_passwd (or the shadow equivalent) NULL. bz#2909; based on patch from Todd Eigenschink
* upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrasedjm@openbsd.org2018-10-091-2/+11
| | | | | | | | | | | | | | | is specified as "incorrect passphrase" instead of trying to choose between that and "invalid format". libcrypto can return ASN1 parsing errors rather than the expected decrypt error in certain infrequent cases when trying to decrypt/parse PEM private keys when supplied with an invalid passphrase. Report and repro recipe from Thomas Deutschmann in bz#2901 ok markus@ OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
* upstream: Support using service names for port numbers.naddy@openbsd.org2018-10-072-10/+23
| | | | | | | | | | | * Try to resolve a port specification with getservbyname(3) if a numeric conversion fails. * Make the "Port" option in ssh_config handle its argument as a port rather than a plain integer. ok dtucker@ deraadt@ OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
* upstream: when the peer sends a channel-close message, make sure wedjm@openbsd.org2018-10-041-1/+23
| | | | | | | | | | | close the local extended read fd (stderr) along with the regular read fd (stdout). Avoids weird stuck processed in multiplexing mode. Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863 ok dtucker@ markus@ OpenBSD-Commit-ID: a48a2467fe938de4de69d2e7193d5fa701f12ae9
* upstream: factor out channel status formatting fromdjm@openbsd.org2018-10-041-13/+24
| | | | | | channel_open_message() so we can use it in other debug messages OpenBSD-Commit-ID: 9c3903ca28fcabad57f566c9d0045b41ab7d52ba
* upstream: include a little more information about the status anddjm@openbsd.org2018-10-044-29/+64
| | | | | | | disposition of channel's extended (stderr) fd; makes debugging some things a bit easier. No behaviour change. OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
* upstream: explicit_bzero here to be consistent with other kex*.c;djm@openbsd.org2018-10-041-1/+2
| | | | | | report from coolbugcheckers AT gmail.com OpenBSD-Commit-ID: a90f146c5b5f5b1408700395e394f70b440856cb
* upstream: Allow ssh_config IdentityAgent directive to acceptdjm@openbsd.org2018-10-036-16/+72
| | | | | | environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
* upstream: mention INFO@openssh.com for sending SIGINFOdjm@openbsd.org2018-10-021-1/+8
| | | | OpenBSD-Commit-ID: 132471eeb0df658210afd27852fe65131b26e900
* only support SIGINFO on systems with SIGINFODamien Miller2018-10-021-0/+2
|
* upstream: Add server support for signalling sessions via the SSHdjm@openbsd.org2018-10-022-2/+77
| | | | | | | | | | | | channel/ session protocol. Signalling is only supported to sesssions that are not subsystems and were not started with a forced command. Long requested in bz#1424 Based on a patch from markus@ and reworked by dtucker@; ok markus@ dtucker@ OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3
* upstream: remove big ugly TODO comment from start of file. Some ofdjm@openbsd.org2018-09-261-14/+1
| | | | | | | the mentioned tasks are obsolete and, of the remainder, most are already captured in PROTOCOL.mux where they better belong OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407
* upstream: Document mux proxy mode; added by Markus in openssh-7.4djm@openbsd.org2018-09-261-37/+107
| | | | | | Also add a little bit of information about the overall packet format OpenBSD-Commit-ID: bdb6f6ea8580ef96792e270cae7857786ad84a95
* upstream: s/process_mux_master/mux_master_process/ in mux masterdjm@openbsd.org2018-09-261-36/+38
| | | | | | | | | | | | | function names, Gives better symmetry with the existing mux_client_*() names and makes it more obvious when a message comes from the master vs client (they are interleved in ControlMaster=auto mode). no functional change beyond prefixing a could of log messages with __func__ where they were previously lacking. OpenBSD-Commit-ID: b01f7c3fdf92692e1713a822a89dc499333daf75
* Remove unused variable in _ssh_compat_fflush.Darren Tucker2018-09-221-4/+4
|
* Import updated moduli.Darren Tucker2018-09-221-437/+427
|
* upstream: Allow ssh_config ForwardX11Timeout=0 to disable thedjm@openbsd.org2018-09-212-16/+33
| | | | | | timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
* upstream: when compiled with GSSAPI support, cache supported methoddjm@openbsd.org2018-09-211-3/+2
| | | | | | | | | | | | | | | OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether GSSAPI authentication is enabled in the main config. This avoids sandbox violations for configurations that enable GSSAPI auth later, e.g. Match user djm GSSAPIAuthentication yes bz#2107; ok dtucker@ OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d
* upstream: In sshkey_in_file(), ignore keys that are considered fordjm@openbsd.org2018-09-211-4/+10
| | | | | | | | | | being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered to be "in the file". This allows key revocation lists to contain short keys without the entire revocation list being considered invalid. bz#2897; ok dtucker OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
* upstream: Treat connections with ProxyJump specified the same as onesdjm@openbsd.org2018-09-212-7/+8
| | | | | | | | | | with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). Patch from Sven Wegener via bz#2896 OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
* upstream: actually make CASignatureAlgorithms available as a configdjm@openbsd.org2018-09-211-1/+2
| | | | | | option OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
* upstream: Import updated moduli.dtucker@openbsd.org2018-09-211-0/+1
| | | | OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40
* upstream: reorder CASignatureAlgorithms, and add them to thejmc@openbsd.org2018-09-214-19/+22
| | | | | | various -o lists; ok djm OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
* upstream: fix "ssh -Q sig" to show correct signature algorithm listdjm@openbsd.org2018-09-201-2/+2
| | | | | | (it was erroneously showing certificate algorithms); prompted by markus@ OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d
* upstream: add CASignatureAlgorithms option for the client, allowingdjm@openbsd.org2018-09-204-10/+42
| | | | | | | it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
* upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org2018-09-205-9/+45
| | | | | | | | | | control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
View Lorry Controller Status