summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Import updated moduli.Darren Tucker2018-09-221-437/+427
|
* upstream: Allow ssh_config ForwardX11Timeout=0 to disable thedjm@openbsd.org2018-09-212-16/+33
| | | | | | timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
* upstream: when compiled with GSSAPI support, cache supported methoddjm@openbsd.org2018-09-211-3/+2
| | | | | | | | | | | | | | | OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether GSSAPI authentication is enabled in the main config. This avoids sandbox violations for configurations that enable GSSAPI auth later, e.g. Match user djm GSSAPIAuthentication yes bz#2107; ok dtucker@ OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d
* upstream: In sshkey_in_file(), ignore keys that are considered fordjm@openbsd.org2018-09-211-4/+10
| | | | | | | | | | being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered to be "in the file". This allows key revocation lists to contain short keys without the entire revocation list being considered invalid. bz#2897; ok dtucker OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
* upstream: Treat connections with ProxyJump specified the same as onesdjm@openbsd.org2018-09-212-7/+8
| | | | | | | | | | with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). Patch from Sven Wegener via bz#2896 OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
* upstream: actually make CASignatureAlgorithms available as a configdjm@openbsd.org2018-09-211-1/+2
| | | | | | option OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
* upstream: Import updated moduli.dtucker@openbsd.org2018-09-211-0/+1
| | | | OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40
* upstream: reorder CASignatureAlgorithms, and add them to thejmc@openbsd.org2018-09-214-19/+22
| | | | | | various -o lists; ok djm OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
* upstream: fix "ssh -Q sig" to show correct signature algorithm listdjm@openbsd.org2018-09-201-2/+2
| | | | | | (it was erroneously showing certificate algorithms); prompted by markus@ OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d
* upstream: add CASignatureAlgorithms option for the client, allowingdjm@openbsd.org2018-09-204-10/+42
| | | | | | | it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
* upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org2018-09-205-9/+45
| | | | | | | | | | control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
* upstream: Make "ssh-add -q" do what it says on the tin: silencedjm@openbsd.org2018-09-201-23/+39
| | | | | | | | output from successful operations. Based on patch from Thijs van Dijk; ok dtucker@ deraadt@ OpenBSD-Commit-ID: c4f754ecc055c10af166116ce7515104aa8522e1
* upstream: When choosing a prime from the moduli file, avoidmillert@openbsd.org2018-09-201-6/+8
| | | | | | | | | re-using the linenum variable for something that is not a line number to avoid the confusion that resulted in the bug in rev. 1.64. This also lets us pass the actual linenum to parse_prime() so the error messages include the correct line number. OK markus@ some time ago. OpenBSD-Commit-ID: 4d8e5d3e924d6e8eb70053e3defa23c151a00084
* Fix openssl-1.1 fallout for --without-openssl.Darren Tucker2018-09-151-0/+4
| | | | ok djm@
* add futex(2) syscall to seccomp sandboxDamien Miller2018-09-151-0/+3
| | | | | | Apparently needed for some glibc/openssl combinations. Patch from Arkadiusz Miƛkiewicz
* really add source for authopt_fuzz this timeDamien Miller2018-09-151-0/+33
|
* remove accidentally checked-in authopt_fuzz binaryDamien Miller2018-09-151-0/+0
|
* upstream: second try, deals properly with missing and private-onlydjm@openbsd.org2018-09-141-26/+53
| | | | | | | | | | | Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains (where available) the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: f1c6a8e9cfc4e108c359db77f24f9a40e1e25ea7
* fuzzer harness for authorized_keys option parsingDamien Miller2018-09-142-2/+5
|
* upstream: revert following; deals badly with agent keysdjm@openbsd.org2018-09-141-47/+26
| | | | | | | | | | | | | revision 1.285 date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d
* upstream: garbage-collect moribund ssh_new_private() API.djm@openbsd.org2018-09-143-22/+10
| | | | OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
* upstream: Use consistent format in debug log for keys readied,djm@openbsd.org2018-09-141-26/+47
| | | | | | | | | | offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: 2a01d59285a8a7e01185bb0a43316084b4f06a1f
* upstream: Fix warnings caused by user_from_uid() and group_from_gid()millert@openbsd.org2018-09-141-2/+2
| | | | | | now returning const char *. OpenBSD-Commit-ID: b5fe571ea77cfa7b9035062829ab05eb87d7cc6f
* allow SIGUSR1 as synonym for SIGINFODamien Miller2018-09-142-6/+5
| | | | | Lets users on those unfortunate operating systems that lack SIGINFO still be able to obtain progress information from unit tests :)
* add compat headerDamien Miller2018-09-131-0/+2
|
* upstream: missed a bit of openssl-1.0.x API in this unittestdjm@openbsd.org2018-09-134-65/+96
| | | | OpenBSD-Regress-ID: a73a54d7f7381856a3f3a2d25947bee7a9a5dbc9
* upstream: use only openssl-1.1.x API here toodjm@openbsd.org2018-09-131-38/+67
| | | | OpenBSD-Regress-ID: ae877064597c349954b1b443769723563cecbc8f
* adapt -portable to OpenSSL 1.1x APIDamien Miller2018-09-1320-41/+916
| | | | Polyfill missing API with replacement functions extracted from LibreSSL
* forgot to stage these test files in commit d70d061Damien Miller2018-09-132-2/+32
|
* upstream: hold our collective noses and use the openssl-1.1.x API indjm@openbsd.org2018-09-1320-438/+619
| | | | | | OpenSSH; feedback and ok tb@ jsing@ markus@ OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
* upstream: Include certs with multiple RSA signature variants indjm@openbsd.org2018-09-126-0/+34
| | | | | | test data Ensure that cert->signature_key is populated correctly OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a
* upstream: test revocation by explicit hash and by fingerprintdjm@openbsd.org2018-09-121-15/+34
| | | | OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8
* upstream: s/sshkey_demote/sshkey_from_private/gdjm@openbsd.org2018-09-121-5/+5
| | | | OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4
* delete the correct thing; kexfuzz binaryDamien Miller2018-09-121-1/+1
|
* upstream: fix edit mistake; spotted by jmc@djm@openbsd.org2018-09-121-2/+2
| | | | OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
* upstream: add SSH_ALLOWED_CA_SIGALGS - the default list ofdjm@openbsd.org2018-09-121-1/+13
| | | | | | | | | signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
* upstream: add sshkey_check_cert_sigtype() that checks adjm@openbsd.org2018-09-122-2/+24
| | | | | | cert->signature_type against a supplied whitelist; ok markus OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
* upstream: add cert->signature_type field and keep it in sync withdjm@openbsd.org2018-09-122-27/+69
| | | | | | certificate signature wrt loading and certification operations; ok markus@ OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
* upstream: Add "ssh -Q sig" to allow listing supported signaturedjm@openbsd.org2018-09-122-6/+19
| | | | | | algorithms ok markus@ OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
* upstream: allow key revocation by SHA256 hash and allow ssh-keygendjm@openbsd.org2018-09-125-49/+193
| | | | | | to create KRLs using SHA256/base64 key fingerprints; ok markus@ OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
* upstream: log certificate fingerprint in authenticationdjm@openbsd.org2018-09-121-9/+13
| | | | | | | | | success/failure message (previously we logged only key ID and CA key fingerprint). ok markus@ OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
* upstream: Add FALLTHROUGH comments where appropriate. Patch fromdtucker@openbsd.org2018-09-091-1/+3
| | | | | | jjelen at redhat via bz#2687. OpenBSD-Commit-ID: c48eb457be697a19d6d2950c6d0879f3ccc851d3
* upstream: ssh -MM requires confirmation for all operations thatdjm@openbsd.org2018-09-091-3/+6
| | | | | | | | change the multiplexing state, not just new sessions. mention that confirmation is checked via ssh-askpass OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
* upstream: fix misplaced parenthesis inside if-clause. it's harmlessmestre@openbsd.org2018-09-091-2/+2
| | | | | | | | | and the only issue is showing an unknown error (since it's not defined) during fatal(), if it ever an error occurs inside that condition. OK deraadt@ markus@ djm@ OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8
* upstream: fix build with DEBUG_PK enabledmestre@openbsd.org2018-09-091-2/+2
| | | | | | OK dtucker@ OpenBSD-Commit-ID: ec1568cf27726e9638a0415481c20c406e7b441c
* Handle ngroups>_SC_NGROUPS_MAX.Darren Tucker2018-09-071-3/+8
| | | | | | | Based on github pull request #99 from Darren Maffat at Oracle: Solaris' getgrouplist considers _SC_NGROUPS_MAX more of a guideline and can return a larger number of groups. In this case, retry getgrouplist with a larger array and defer allocating groups_byname. ok djm@
* Initial len for the fmt=NULL case.Darren Tucker2018-09-071-1/+1
| | | | | Patch from jjelen at redhat via bz#2687. (OpenSSH never calls setproctitle with a null format so len is always initialized).
* Include stdlib.h.Darren Tucker2018-09-071-0/+1
| | | | Patch from jjelen at redhat via bz#2687.
* document some more regress control env variablesDamien Miller2018-08-271-8/+15
| | | | | | | Specifically SKIP_UNIT, USE_VALGRING and LTESTS. Sort the list of environment variables. Based on patch from Jakub Jelen
* shorten temporary SSH_REGRESS_TMP pathV_7_8_P1V_7_8Damien Miller2018-08-231-1/+1
| | | | Previous path was exceeding max socket length on at least one platform (OSX)
View Lorry Controller Status